ASO RAT is a custom-built, Arabic-language Android remote access trojan platform assessed to have direct ties to Syria and operated from Frankfurt-based infrastructure. It has been distributed via malicious APKs disguised as PDF readers and Syrian government or military-themed applications, including lures such as pdf-sec.apk, c-pdf.apk, GovLens.apk, SyriaDefenseMap.apk, and ironclad-pdf.apk, with package names including com.pdf.readersec, com.pdf.ironclad, com.cpdf.cpdf, and gov.lens.net. Reported capabilities include SMS interception, call log and contact theft, camera capture, GPS tracking, file exfiltration, notification interception, clipboard monitoring, app icon hiding, battery optimization bypass, and launching DDoS activity from infected devices.

Reverse engineering of its command-and-control panel showed a Django/React architecture with 21 API endpoints and frontend routes supporting device management, a DDoS module, server-side APK building, Firebase Cloud Messaging-based command delivery, delayed commands, automated exfiltration tasks, device grouping, and role-based multi-user administration, suggesting either a RAT-as-a-Service model or a multi-operator team.

Investigators identified active C2 infrastructure including 45[.]74[.]4[.]179 and 172[.]111[.]200[.]133 in Frankfurt, plus No-IP DDNS domains c-pdf[.]ddns[.]net, new-pdf[.]ddns[.]net, livemap-back[.]ddns[.]net, and aso[.]ddns[.]net; historical records also linked infrastructure to Starlink IP space, including 129[.]224[.]206[.]195 geolocated to Syria. The activity timeline reportedly spans at least May 2025 through April 2026. The Syria-themed lures indicate likely surveillance targeting of individuals connected to the Syrian conflict, including opposition figures, journalists, NGO workers, or military personnel.
Reported OPSEC failures included exposed Arabic strings and comments, hardcoded infrastructure references, a hardcoded developer IP 192[.]168[.]1[.]112, and plaintext HTTP communications exposing panel logins, JWT tokens, victim data, and operator commands. The newest reported March 2026 sample had 0/66 antivirus detections, indicating active iteration to evade signature-based detection.
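As an added illustration (not part of the Mallory page or the underlying research), the following Python script refangs the infrastructure indicators listed above and sweeps DNS and proxy log lines for them; because the family rotates C2 through No-IP dynamic DNS, it also flags any other ddns.net hostname for review. The log lines and their format are constructed sample data, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the write-up above, kept in the defanged form in which they were reported.
DEFANGED_IOCS = [
    "45[.]74[.]4[.]179", "172[.]111[.]200[.]133", "129[.]224[.]206[.]195",
    "c-pdf[.]ddns[.]net", "new-pdf[.]ddns[.]net",
    "livemap-back[.]ddns[.]net", "aso[.]ddns[.]net",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('45[.]74[.]4[.]179', 'hxxp://...') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log lines (resolver and web proxy formats invented for this example).
SAMPLE_LOGS = [
    "2026-03-14T10:02:11Z dns client=10.0.0.5 query=c-pdf.ddns.net type=A answer=45.74.4.179",
    "2026-03-14T10:02:12Z proxy client=10.0.0.5 dst=45.74.4.179:80 method=POST uri=/api/device/register",
    "2026-03-14T10:05:40Z dns client=10.0.0.9 query=updates.example.com type=A answer=203.0.113.10",
    "2026-03-14T10:07:03Z dns client=10.0.0.7 query=new-host.ddns.net type=A answer=198.51.100.25",
]

# Hostnames and IPs are runs of letters, digits, dots and hyphens; ':' and '=' end a token.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return exact IOC hits plus any other *.ddns.net hostname seen on the line."""
    tokens = {t.lower() for t in TOKEN_RE.findall(line)}
    hits = sorted(t for t in tokens if t in IOCS)
    ddns = sorted(t for t in tokens if t.endswith(".ddns.net") and t not in IOCS)
    return {"ioc_hits": hits, "ddns_only": ddns}


def scan_logs(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (1-based line number, findings) for every line with an IOC hit or a ddns.net hostname."""
    results = []
    for number, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings["ioc_hits"] or findings["ddns_only"]:
            results.append((number, findings))
    return results


if __name__ == "__main__":
    for number, findings in scan_logs(SAMPLE_LOGS):
        print(number, findings)
```

A bare ddns.net hit is a lead, not a verdict: dynamic DNS has legitimate users, so the "ddns_only" bucket is meant for triage rather than automatic blocking.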
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ASO RAT is a custom-built, Arabic-language Android Remote Access Trojan platform operating from Frankfurt-based infrastructure with direct ties to Syria.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
MITRE ATT&CK Mapping
Technique ID   Name                                              Context
T1583.001      Acquire Infrastructure: Domains                   Four No-IP DDNS domains for C2 rotation
T1583.003      Acquire Infrastructure: Virtual Private Server    Two Frankfurt VPS from Secure Internet LLC (M247/Cogent)
24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Arabic-language Android remote access trojan distributed via fake PDF reader and Syrian government-themed apps, enabling full device compromise including SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching.
Custom Android remote access trojan that enables full device compromise, including SMS interception, camera access, GPS tracking, call logging, file exfiltration, notification and clipboard interception, app icon hiding, battery optimization bypass, DDoS launching from victim devices, Firebase Cloud Messaging-based command delivery, delayed commands, automated exfiltration, and server-side APK generation.