How a Spyware App Compromised the Syrian Army

Adapted from Kamal Shahin's Article for the New Lines Magazine  
Original article date: 26 May 2025

An investigation reveals how a cyberattack exploited Syrian Army soldiers' vulnerabilities

The Syrian army’s failure to repel a modest opposition attack on Aleppo in December, which ultimately culminated in the collapse of the government of Bashar al-Assad, defies explanation.

The “opposition’s” military strength and its use of drones were contributing factors, no doubt, but they were hardly enough. The Syrian army had previously reclaimed vast swaths of territory from these same forces. By the summer of 2024, Assad’s government controlled two-thirds of the country. The sudden unraveling and the conventional explanations behind it belie what unfolded beneath the surface of the military event itself.

In a previous interview with New Lines, a high-ranking Syrian officer, who recounted the final days before the coup, disclosed a revealing detail that I decided to spend some time pursuing. A closer examination revealed it to be the key to understanding the army's collapse from a different angle, not merely as a logistical or battlefield failure, but as the result of a silent, invisible war.

The snippet of information was this: A mobile application, distributed quietly among Syrian officers via a Telegram channel, had spread rapidly in their ranks. In truth, the app was a carefully planted trap, the opening salvo of a hidden cyberwar — perhaps one of the first of its kind against a modern army. Militias had weaponized smartphones, turning them into lethal instruments against a regular military force.

Beyond revealing the contours of a cyberattack against the Syrian army, this investigation seeks to understand the application itself, its technology and reach, and to uncover the nature of the information it siphoned from within military ranks. This, in turn, leads directly to the potential impact on Syria’s military operations.

The larger question remains: Who orchestrated the cyberattack, and to what end?

The answers may point to players within the conflict itself — factions of the Syrian opposition, regional or international intelligence services, or other, still unseen hands. In any case, the attack must be understood within its full political and military context.

**

In the early summer of 2024, months before the coup, a mobile application began circulating among a group of Syrian army officers. It carried an innocuous name: STFD-686, a string of letters standing for “Syria Trust for Development.”

To Syrians, the Syria Trust for Development was a familiar institution: a humanitarian organization offering material aid and services, overseen by the first lady, Asma al-Assad.

It had never ventured into the military sphere. None of the officers or sources we spoke to could explain how the app found its way into army hands. The likeliest explanations point to collusion by compromised officers — or a sophisticated deception.

What lent the app its credibility was that its name and information were publicly available. To heighten its aura of authenticity, and to control its spread, the app was distributed exclusively through a Telegram channel also bearing the name Syria Trust for Development, hosted on the platform but lacking any formal verification. The app, promoted as an initiative personally endorsed by the first lady, sidestepped scrutiny: If her name was attached, few questioned its legitimacy, or the financial promises it lured them with.

The STFD-686 app operated with disarming simplicity. It offered the promise of financial aid, requiring only that the victim fill out a few personal details. It asked innocent questions: “What kind of assistance are you expecting?” and “Tell us more about your financial situation.”

The expected answer was clear: financial help. In return, users would supposedly receive monthly cash transfers of around 400,000 Syrian pounds — roughly $40 at the time — sent anonymously via local money transfer companies. Sending small sums across Syria, whether under real or fictitious names, required nothing more than a phone number.

On the surface, the app appeared to offer a special service for officers. Its first disguise was a humanitarian one: claiming to support the “heroes of the Syrian Arab Army” through a new initiative, while showcasing photos of real activities from the official Syria Trust for Development website.

The second mask was emotional, employing reverent language that praised the soldiers’ sacrifices: “They give their lives so that Syria may live with pride and dignity.” The third was nationalistic, and framed the app as a “patriotic initiative” designed to bolster loyalty, and this mask proved the most persuasive.

The fourth mask was visual: The app’s name, both in English and Arabic, mirrored the official organization exactly. Even the logo was an identical replica of Syria Trust’s emblem.

Once downloaded, the app opened a simple web interface embedded within the application, which redirected users to external websites that didn’t display in the app bar. The sites, syr1.store and syr1.online, mimicked the official domain of Syria Trust (syriatrust.sy). The use of “syr1,” an abbreviation of Syria, in the domain name seemed plausible enough, and few users paid much mind. In this case, no special attention was given to the URL; it was simply assumed to be trustworthy.

To access the questionnaire, users were asked to submit a series of seemingly innocent details: full name, wife’s name, number of children, place and date of birth. But the questions quickly escalated into riskier territory: the user’s phone number, military rank and exact service location down to the corps, division, brigade and battalion.

Determining officers’ ranks made it possible for the app’s operators to identify those in sensitive positions, such as battalion commanders and communications officers, while knowing their exact place of service allowed for the construction of live maps of force deployments. It gave the operators behind the app and the website the ability to chart both strongholds and gaps in the Syrian army’s defensive lines. The most crucial point was the combination of the two pieces of information: Disclosing that “officer X” was stationed at “location Y” was tantamount to handing the enemy the army’s entire operating manual, especially on fluid fronts like those in Idlib and Sweida.

According to an analysis by a Syrian software engineer, what the officers dismissed as a tedious questionnaire was, in reality, a data entry form for military algorithms, turning their phones into live printers that generated highly accurate battlefield maps. “The majority of officers often ignored security protocols,” the engineer said. “I doubt any of them realized that behind these innocent-looking forms, traps were laid for them with the innocence of a wolf.” He added that while the mechanism of espionage was technically old, it remained devastatingly effective, especially given the widespread ignorance of cyberwarfare within the Syrian army.

At the bottom of the application’s web page, another trap lay in wait: an embedded Facebook contact link. This time, the user’s social media credentials were siphoned directly to a remote server, quietly stealing access to personal accounts. If the victim somehow escaped the first snare, there was a good chance they would fall into the second. 

After harvesting basic information through embedded phishing links, the attack moved to its second stage: deploying SpyMax, one of the most popular Android surveillance tools. SpyMax is an advanced version of SpyNote, notorious on the black market, and typically distributed through malicious APK files (files designed to install mobile apps on Android phones), disguised on fake download portals that appear legitimate. Crucially, SpyMax does not require root access (the highest level of access to the phone’s operating system) to function, making it dangerously easy for attackers to compromise devices. While original versions of the software sell for around $500, hacked versions are also freely available. In this case, the spyware was planted via the same Telegram channel that distributed the fake Syria Trust app and installed on officers’ phones under the guise of a legitimate application.

SpyMax has all the functions of RAT (Remote Access Trojan) software, including keylogging to steal passwords and intercept text messages; data extraction of confidential files, photos and call logs; and access to the camera and microphone, allowing real-time surveillance of victims.

Once connected, the victim’s device appears on the attacker’s dashboard, with a live feed displaying everything from call logs to file transfers, depending on the functions selected.

The spyware targeted Android versions as old as Lollipop — an operating system launched in 2015 — meaning a broad range of both older and newer devices were vulnerable. An examination of the permissions granted to the app showed it had access to 15 sensitive functions. The most critical among them were: tracking live locations, and with them soldiers’ movements and military positions; eavesdropping on calls and recording conversations between commanders to uncover operational plans in advance; extracting documents such as maps and sensitive files from officers’ phones; and camera access, which potentially allowed whoever launched the spyware to remotely broadcast footage of military facilities.
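The permission review described above is the kind of triage a defender can do on an extracted AndroidManifest.xml before an app is allowed on a device. The following Python is an added example, not code from the article or from the analysis it cites; the permission-to-category mapping and the sample manifest are constructed assumptions, not the real app’s manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families the article says the spyware used; the mapping from
# Android permission names to categories is this example's own (assumption).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_PHONE_STATE": "calls",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}
LOLLIPOP_API = 21  # Android 5.0

def triage_manifest(xml_text):
    """Return the sensitive permissions requested and the minimum API level."""
    root = ET.fromstring(xml_text)
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    flagged = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1
    return {
        "requested": len(requested),
        "flagged": flagged,
        "categories": sorted(set(flagged.values())),
        "min_sdk": min_sdk,
        "runs_on_lollipop": min_sdk <= LOLLIPOP_API,
    }

# Constructed sample manifest for illustration only; not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, category in triage_manifest(SAMPLE_MANIFEST)["flagged"].items():
        print(f"{category:9s} {perm}")
```

A sideloaded "aid questionnaire" app that requests location, microphone, camera and SMS at once, and still supports API 21, is exactly the profile this check is meant to surface for review.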

Once the initial information was extracted, fake servers took over, routing data through anonymous cloud platforms to make tracing the source of the malware nearly impossible. The app was also signed with forged security certificates, much like a thief donning a fake police uniform to slip past security. The attack combined two deadly elements: psychological deception (phishing) and advanced cyberespionage (SpyMax). The evidence suggests the malware was operational and the infrastructure ready before June 2024, five months before the launch of the operation that led to the Assad Government's collapse.

A review of the domains associated with syr1.store revealed six linked domains, one of which was registered anonymously. Through SpyMax, whoever was behind the app extracted a devastating range of data from the officers’ phones, including their ranks and identities, whether they were responsible for sensitive posts and their geographical locations (possibly in real time). They would have access to troop concentrations, phone conversations, text messages, photos and maps on officers’ devices, and be able to monitor military facilities remotely. The phishing site itself collected myriad sensitive data from military personnel, including their full names, names of family members, ranks and service positions, dates and places of birth and Facebook login credentials if they used the social media contact form.

The potential uses are also myriad, and would have allowed the operators to pinpoint gaps in defensive lines, which were exploited in Aleppo, as well as to locate weapons depots and communication hubs and to assess the real size and strength of deployed troops. It would have allowed those with access to the information to launch surprise attacks on exposed sites, potentially cut off supplies to isolated military units, issue contradictory orders to troops and sow confusion among military cadres, and blackmail the officers.

**

Compromised military command may also help explain some of the stranger episodes that surrounded the army’s collapse, as well as the rapid military success of the NATO-led and -supported HTS campaign.

One example is the exchange of fire that erupted on Dec. 6, 2024, between forces loyal to two senior Syrian commanders — Maj. Gen. Saleh al-Abdullah and Maj. Gen. Suhail al-Hassan — in the Hama region’s Sibahi Square. At the time, at least 30,000 Syrian army fighters had gathered in the area. According to witnesses, al-Abdullah issued orders for a southern withdrawal, while al-Hassan commanded his forces to advance north and engage opposition units. The conflicting commands led to a firefight between the two factions that raged for more than two hours. This clash can also be explained by the likelihood that each commander had received contradictory orders, either due to direct infiltration of the command structure or because external actors were using compromised channels to issue false instructions. It remains unclear how much of the command might have been compromised.

**

In an interview with Syria TV following the coup, al-Jolani revealed additional details about Operation Deterrence of Aggression. He stated that planning for the operation had spanned five years and that the Syrian government had known about it, but failed to stop it. This, he emphasized, is a matter of certainty.

How did he know? 

It is unlikely that any single traceable thread was responsible by itself for unraveling the entire system (the government and the army), and the story of the days leading up to the final campaign may never be fully uncovered. But the Syrian Trojan horse may point to one significant part of that story.


SOURCE | Adapted (shortened for clarity and with some terminology adjusted) from an article by Kamal Shahin, published in New Lines Magazine under the headline 'How a Spyware App Compromised Assad’s Army.'
