ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria
Published: April 10, 2026 | TLP: WHITE | Investigation ID: GHOST-2026-0410-ASO
Executive Summary
ASO RAT is a custom-built, Arabic-language Android Remote Access Trojan platform operating from Frankfurt-based infrastructure with direct ties to Syria. The platform provides full device compromise capabilities — SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS launching from victim devices — delivered through APKs disguised as PDF readers and Syrian government applications. A multi-user panel with role-based access control suggests this operates as a RAT-as-a-Service or supports a multi-operator team. The newest malware sample (March 2026) currently holds 0/66 antivirus detections.
This investigation was triggered by a public report from @solostalking on X, who identified the RAT and its primary C2 address. GHOST automated infrastructure mapping expanded that single indicator into a complete operational picture: two active C2 servers, four DDNS domains, eight malicious APK samples, historical infrastructure spanning four VPS providers and two Starlink satellite connections — one geolocated to Syria — and a fully reverse-engineered panel architecture exposing 20+ API endpoints, nine frontend routes, and 259 Arabic-language strings in the production JavaScript bundle.
Infrastructure
Active Command & Control
| Role | Address | Provider | Location |
|---|---|---|---|
| Primary C2 | 45[.]74[.]4[.]179 | Secure Internet LLC / M247 | Frankfurt, DE |
| Secondary C2 | 172[.]111[.]200[.]133 | Secure Internet LLC / Cogent | Frankfurt, DE |
Both servers share the same WHOIS contact email: admin@pointtoserver[.]com, confirming common procurement.
Primary C2 — Open Ports
| Port | State | Service | Details |
|---|---|---|---|
| 80/tcp | Open | nginx 1.24.0 | Default nginx welcome page |
| 137/udp | Open | NetBIOS | NetBIOS Name Service |
| 445/tcp | Open | SMB | Server Message Block — unusual for a C2 server |
| 3000/tcp | Open | nginx 1.24.0 | ASO RAT C2 Panel (reverse proxy to Django) |
| 8080/tcp | Open | uvicorn | Django REST API + Django admin panel |
| 8090/tcp | Open | HTTP | File Browser v2.62.2 |
| 22/tcp | Filtered | SSH | Firewalled |
| 443/tcp | Filtered | HTTPS | No TLS configured |
Shodan reports two vulnerabilities against this host: CVE-2023-44487 (HTTP/2 Rapid Reset) and CVE-2025-23419 (nginx TLS session resumption bypass).
The presence of NetBIOS (137/udp) and SMB (445/tcp) on an internet-facing C2 server is a notable OPSEC failure — these are Windows file-sharing services that have no legitimate purpose on a Linux C2 host and expand the attack surface.
Secondary C2 — 172[.]111[.]200[.]133
The secondary C2 mirrors the primary's architecture:
- Port 8080 — Identical Django REST API framework with Django Admin interface at /admin/
- Port 8090 — Hosts a custom "Secure Access | System" page with password-only authentication, distinct from the File Browser on the primary server
The secondary's port 8090 page contains Arabic CSS comments in its source code:
/* أنيميشن الخلفية الفخمة */
Translation: "Luxurious background animation" — indicating the same Arabic-speaking developer built both the RAT panel and this custom access portal.
DDNS Domains
| Domain | Notes |
|---|---|
| c-pdf[.]ddns[.]net | PDF lure theme, points to primary C2 |
| new-pdf[.]ddns[.]net | Hardcoded in JS bundle, points to secondary C2 |
| livemap-back[.]ddns[.]net | Map/geolocation lure theme, rotated across multiple hosts |
| aso[.]ddns[.]net | Project name; resolved to residential Spanish IP |
All domains use No-IP dynamic DNS, enabling rapid infrastructure rotation without registrar paper trails.
Full Historical DNS Resolution Table
| Domain | IP | Date | Provider |
|---|---|---|---|
| c-pdf[.]ddns[.]net | 45[.]74[.]4[.]179 | 2026-03-02 | Secure Internet LLC, Frankfurt |
| new-pdf[.]ddns[.]net | 172[.]111[.]200[.]133 | 2026-03-11 | Secure Internet LLC, Frankfurt |
| new-pdf[.]ddns[.]net | 129[.]224[.]207[.]215 | 2025-12-09 | SpaceX Starlink, US |
| livemap-back[.]ddns[.]net | 129[.]224[.]206[.]195 | 2026-03-20 | SpaceX Starlink, SYRIA |
| livemap-back[.]ddns[.]net | 45[.]74[.]4[.]179 | 2025-09-13 | Secure Internet LLC, Frankfurt |
| livemap-back[.]ddns[.]net | 136[.]144[.]35[.]16 | 2025-05-07 | Latitude.sh, US |
Infrastructure Timeline
- May 2025: livemap-back[.]ddns[.]net → 136[.]144[.]35[.]16 (Latitude.sh, US)
- Jul 2025: First APK samples submitted to VT (GovLens.apk, pdf-sec.apk)
- Sep 2025: livemap-back[.]ddns[.]net → 45[.]74[.]4[.]179 (current primary, Frankfurt)
- Oct 2025: c-pdf.apk submitted to VT (18/66 detections)
- Dec 2025:
  - new-pdf[.]ddns[.]net → 129[.]224[.]207[.]215 (Starlink, US)
  - SyriaDefenseMap.apk submitted (23/67 detections)
- Mar 2026:
  - livemap-back[.]ddns[.]net → 129[.]224[.]206[.]195 (Starlink, SYRIA)
  - new-pdf[.]ddns[.]net → 172[.]111[.]200[.]133 (second Frankfurt VPS)
  - c-pdf.apk (NEW, com.pdf.ironclad) — 0/66 detections
  - ironclad-pdf.apk → new-pdf[.]ddns[.]net (3 detections)
- Apr 2026: C2 panel still active and operational
The timeline shows steady evolution: early samples used hardcoded IPs, mid-period samples adopted DDNS for resilience, and the latest samples achieve near-zero detection rates — indicating the operator is actively iterating on evasion.
Panel Architecture — Reverse Engineering
GHOST extracted and analyzed the minified JavaScript bundle served by the C2 panel on port 3000. Despite minification, the bundle retained full API route definitions, React component structures, and 259 Arabic-language UI strings.
API Endpoints
Twenty-one API endpoints were recovered from the bundle, revealing the full command-and-control protocol:
| Endpoint | Method | Function |
|---|---|---|
| /api/token/ | POST | JWT authentication |
| /api/token/refresh/ | POST | Token refresh |
| /api/devices/ | GET | List compromised devices |
| /api/devices/{id}/assign-group/ | POST | Assign device to campaign group |
| /api/ddos/ | GET/POST | DDoS attack management |
| /api/ddos/{id}/{action}_attack/ | POST | Start/stop DDoS attacks |
| /api/ddos/bulk-delete/ | POST | Bulk delete DDoS entries |
| /api/build-apk/build/ | POST | Generate malicious APK on demand |
| /api/downloads/ | GET | Manage exfiltrated data |
| /api/downloads/delete-multiple/ | POST | Bulk delete downloads |
| /api/upload/front/ | POST | Upload files to C2 |
| /api/fcm/send/ | POST | Firebase Cloud Messaging push to victims |
| /api/auto-download-tasks/ | GET/POST | Automated exfiltration tasks |
| /api/delayed-commands/ | GET/POST | Scheduled commands to victims |
| /api/assets/ | GET/POST | Manage APK builder assets (icons) |
| /api/dashboard/stats/ | GET | Dashboard statistics |
| /api/system-settings/ | GET | System configuration |
| /api/users/me/ | GET | Current user profile |
| /api/users/ | GET | User management |
| /api/groups/ | GET | Device group management |
| /api/search/ | GET | Search functionality |
Notable findings:
- /api/build-apk/build/ — The panel includes a full APK builder that generates new malware payloads server-side. Operators can customize app names, icons (managed via /api/assets/), and C2 callback addresses without touching Android Studio.
- /api/fcm/send/ — Firebase Cloud Messaging integration allows operators to push commands to victim devices even when the RAT is dormant, using Google's own infrastructure as a wake-up channel.
- /api/delayed-commands/ — Scheduled command execution enables time-delayed tasking, useful for coordinating exfiltration during off-hours when victims are less likely to notice battery or data anomalies.
- /api/auto-download-tasks/ — Automated exfiltration rules can be configured to continuously siphon specific file types or data categories without manual operator intervention.
Panel Frontend Routes
| Route | Function |
|---|---|
| /dashboard | Main dashboard with statistics |
| /devices | Compromised device management |
| /:deviceId | Individual device view with all stolen data |
| /builder | APK builder interface |
| /ddos-attack | DDoS attack management |
| /ddos-attack/add-attack | Launch new DDoS attack |
| /groups | Device grouping (campaigns) |
| /users | Multi-user panel management |
| /settings | System settings |
The /groups route and the assign-group API confirm that operators organize victims into campaign groups — consistent with targeted surveillance operations rather than opportunistic mass infection.
Arabic UI Strings
259 Arabic strings were retained in the minified production bundle, confirming the developer's native language. These are not machine-translated — grammar and terminology are consistent with a native Arabic speaker building a tool for Arabic-speaking operators. Key examples:
| Arabic | Translation | Context |
|---|---|---|
| إخفاء أيقونة التطبيق | Hide app icon | Stealth mode toggle |
| إظهار أيقونة التطبيق | Show app icon | Reveal mode toggle |
| التطبيق مخفي حاليًا | App is currently hidden | Status indicator |
| الوصول إلى الموقع | Access to location | GPS permission |
| الوصول إلى جهات الاتصال | Access to contacts | Contact permission |
| الوصول الكامل للملفات | Full file access | Storage permission |
| إرسال الإشعارات | Send notifications | FCM push |
| خطأ أثناء بناء الـ APK | Error while building APK | Builder error |
| فشل بناء التطبيق | Application build failed | Builder error |
| استثناء من توفير البطارية | Battery optimization exemption | Persistence |
| إنشاء مستخدم جديد | Create new user | Multi-user admin |
| الصلاحيات والأدوار | Permissions and roles | RBAC system |
| التنزيلات المكتملة | Completed downloads | Exfiltration status |
The string استثناء من توفير البطارية ("Battery optimization exemption") is particularly telling — it indicates the RAT requests Android's battery optimization whitelist to maintain persistent background execution, a well-known mobile malware persistence technique.
Malware Analysis
Capabilities
The C2 panel and APK payloads support the following operations on compromised Android devices:
- SMS interception and exfiltration — Real-time capture of all incoming/outgoing messages
- Call log harvesting — Complete call history extraction
- Contact list theft — Full address book exfiltration
- Camera capture — Front and rear camera access for covert photography
- GPS location tracking — Continuous or on-demand geolocation
- File system access — Browse and exfiltrate arbitrary files from device storage
- Notification interception — Capture notifications from all apps (including messaging apps)
- Clipboard monitoring — Passive capture of copied text (passwords, OTPs, messages)
- App icon hiding — Stealth persistence by removing the app from the home screen
- Battery optimization bypass — Request exemption from Android's battery saver to maintain persistence
- DDoS attack launching — Weaponize victim devices as DDoS nodes
- On-demand APK building — Generate new customized malware payloads from the panel
- Firebase Cloud Messaging — Push commands to victims via Google's FCM infrastructure
- Automated exfiltration — Schedule recurring data theft tasks without operator intervention
- Delayed command execution — Time-delayed tasking for coordinated operations
Malicious APK Samples
Eight samples were identified across VirusTotal, themed as PDF readers, government applications, and military mapping tools:
| # | SHA256 (truncated) | Name | Package | Detections | First Seen | C2 Domain |
|---|---|---|---|---|---|---|
| 1 | 050537a4... | pdf-sec.apk | com.pdf.readersec | 6/66 | 2025-09-25 | 45[.]74[.]4[.]179 (direct) |
| 2 | 2eda2c83... | c-pdf.apk | com.pdf.ironclad | 0/66 | 2026-03-02 | c-pdf[.]ddns[.]net |
| 3 | 39901ffa... | GovLens.apk | gov.lens.net | 5/65 | 2025-07-25 | 45[.]74[.]4[.]179 (direct) |
| 4 | 3b5adb76... | pdf-sec.apk | com.pdf.readersec | 3/66 | 2025-07-28 | 45[.]74[.]4[.]179 (direct) |
| 5 | 86ebb2e4... | SyriaDefenseMap.apk | com.cpdf.cpdf | 23/67 | 2025-12-08 | livemap-back[.]ddns[.]net |
| 6 | ee90df06... | c-pdf.apk | com.pdf.readersec | 18/66 | 2025-10-15 | livemap-back[.]ddns[.]net |
| 7 | ffcfee12... | (unnamed) | com.pdf.readersec | 11/67 | 2025-09-13 | 45[.]74[.]4[.]179 (direct) |
| 8 | c725498c... | ironclad-pdf.apk | (unknown) | 3/? | ~2026-03 | new-pdf[.]ddns[.]net |
Detection trend: Early samples (Jul-Sep 2025) used hardcoded IPs and accumulated 3-11 detections. Mid-period samples (Oct-Dec 2025) transitioned to DDNS and reached 18-23 detections as AV vendors caught up. The latest samples (Mar 2026) use new package names and fresh DDNS domains to achieve 0-3 detections — the operator is actively evading signature-based detection.
Lure analysis: The Syria-themed lures — "SyriaDefenseMap" and "GovLens" — indicate deliberate targeting of individuals with interest in Syrian military or governance matters. This is consistent with surveillance operations against opposition figures, journalists, NGO workers, or military personnel in the Syrian conflict. The shift from government lures to generic PDF reader themes in later samples may indicate broadening of the target set or an attempt to make distribution less conspicuous.
OPSEC Failures
The operator made several mistakes that aided attribution and infrastructure mapping:
- Hardcoded developer IP — 192[.]168[.]1[.]112 left in the production JavaScript bundle, exposing the developer's local network configuration and confirming the panel was developed on a home/office network.
- Hardcoded C2 domain — new-pdf[.]ddns[.]net embedded in the minified JS bundle, linking the panel directly to the secondary C2 infrastructure that was otherwise not publicly associated with the primary server.
- Code typo — API route /dods-attack/update/:id instead of /ddos-attack/, confirming the DDoS module exists and revealing hasty development with insufficient code review.
- User enumeration — The JWT token endpoint (/api/token/) returns different error messages for invalid usernames vs. invalid passwords, enabling account discovery on the multi-user panel.
- Arabic strings retained — 259 Arabic-language strings left in the minified production build. A competent operator would strip these during the build process. Their presence confirms the developer's native language and provides linguistic fingerprinting material.
- Residential IP exposure — A Telefonica de Espana residential address (88[.]3[.]137[.]237) resolved on aso[.]ddns[.]net, potentially identifying the developer's or an operator's physical location in Spain.
- SMB/NetBIOS on C2 — Ports 137 and 445 open on the primary C2 server expose Windows file-sharing services that have no operational purpose and expand the server's attack surface.
- No TLS — All C2 communications occur over unencrypted HTTP. The panel login, JWT tokens, victim data, and operator commands traverse the network in plaintext, making the entire operation vulnerable to passive interception.
- Arabic CSS comments on secondary C2 — The custom "Secure Access | System" page on 172[.]111[.]200[.]133:8090 contains Arabic CSS comments (/* أنيميشن الخلفية الفخمة */), further linking the developer to both servers and confirming the same individual built multiple components of the infrastructure.
Attribution Assessment
| Indicator | Assessment |
|---|---|
| Developer language | Arabic (native — 259 UI strings, Arabic CSS comments, natural grammar) |
| Geographic nexus | Syria (Starlink IP 129[.]224[.]206[.]195 geolocates to Syria + Syria-themed military/government lures) |
| Secondary nexus | Spain (residential Telefonica IP 88[.]3[.]137[.]237 on operator DDNS domain aso[.]ddns[.]net) |
| Infrastructure | Frankfurt, Germany (two VPS from Secure Internet LLC, same WHOIS contact) |
| Skill level | Intermediate-advanced (custom Django/React C2, APK builder, RBAC, FCM integration, multi-server infra; undermined by systemic OPSEC failures) |
| Operational model | RAT-as-a-Service or multi-operator team (RBAC panel with user management and role-based permissions) |
| Activity window | At least May 2025 to present (active as of April 2026, ~11 months) |
| Targeting | Syrian opposition, journalists, NGO workers, military personnel (inferred from lure themes) |
The combination of Arabic-language development, Syria-geolocated Starlink infrastructure, and Syria-themed military lures points to an operator with direct ties to the Syrian conflict — likely conducting surveillance operations against individuals of interest in the Syrian theater. The Spanish residential IP may indicate the developer or a secondary operator is based in Spain, possibly among the Syrian diaspora community.
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1587.001 | Develop Capabilities: Malware | Custom Android RAT with server-side APK builder |
| T1583.001 | Acquire Infrastructure: Domains | Four No-IP DDNS domains for C2 rotation |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Two Frankfurt VPS from Secure Internet LLC (M247/Cogent) |
| T1584.005 | Compromise Infrastructure: Botnet | DDoS module weaponizes victim devices as attack nodes |
| T1566.002 | Phishing: Spearphishing Link | APK distribution via lure-themed downloads |
| T1204.002 | User Execution: Malicious File | Victim installs disguised APK (PDF reader, government app) |
| T1636.004 | Protected User Data: SMS Messages | SMS interception and exfiltration module |
| T1636.002 | Protected User Data: Call Log | Call log harvesting |
| T1636.003 | Protected User Data: Contact List | Contacts exfiltration |
| T1512 | Video Capture | Camera access (front and rear) |
| T1430 | Location Tracking | GPS monitoring via location permissions |
| T1629.003 | Impair Defenses: Hide Artifacts | App icon hiding for stealth persistence |
| T1629.006 | Impair Defenses: Device Lockout | Battery optimization exemption for persistent execution |
| T1481.002 | Web Service: Bidirectional Communication | C2 via Django REST API on port 8080 |
| T1481.003 | Web Service: One-Way Communication | File exfiltration via File Browser on port 8090 |
| T1498 | Network Denial of Service | DDoS module launches attacks from victim devices |
| T1509 | Non-Standard Port | C2 services on ports 3000, 8080, 8090 instead of standard HTTP/HTTPS |
What This Report Adds to the Public Record
- Complete infrastructure map from a single IP indicator: two C2 servers, four DDNS domains, six historical IP resolutions across four providers including Starlink satellite internet
- Full panel reverse engineering: 21 API endpoints, 9 frontend routes, and the Django/React architecture documented for detection engineering and threat hunting
- Eight malicious APK samples with full hashes, package names, detection ratios, first-seen dates, and C2 callback domains
- Arabic linguistic analysis: 259 UI strings and CSS comments providing attribution-grade linguistic evidence
- Syria nexus established through Starlink geolocation (129[.]224[.]206[.]195) and military/government lure theme analysis
- Infrastructure timeline (May 2025 — April 2026) showing operational evolution from hardcoded IPs to DDNS with improving AV evasion
- Secondary C2 discovery (172[.]111[.]200[.]133) linked via WHOIS, shared API framework, and developer fingerprints
- OPSEC failure catalog (9 failures) enabling further attribution research by the community
- Detection engineering data: API endpoint patterns, port signatures, and network indicators for IDS/IPS rule development
Indicators of Compromise
IP Addresses
45[.]74[.]4[.]179 # Primary C2, Secure Internet LLC, Frankfurt
172[.]111[.]200[.]133 # Secondary C2, Secure Internet LLC, Frankfurt
216[.]128[.]9[.]226 # Starlink, Italy — livemap-back current
129[.]224[.]206[.]195 # Starlink, SYRIA — historical
129[.]224[.]207[.]215 # Starlink, US — historical
136[.]144[.]35[.]16 # Latitude.sh, US — historical
88[.]3[.]137[.]237 # Telefonica residential, Spain — operator IP
Domains
c-pdf[.]ddns[.]net
new-pdf[.]ddns[.]net
livemap-back[.]ddns[.]net
aso[.]ddns[.]net
URLs
hxxp://45[.]74[.]4[.]179:3000/ # ASO RAT panel
hxxp://45[.]74[.]4[.]179:8080/admin/ # Django admin (primary)
hxxp://45[.]74[.]4[.]179:8090/ # File Browser (primary)
hxxp://172[.]111[.]200[.]133:8080/admin/ # Django admin (secondary)
hxxp://172[.]111[.]200[.]133:8090/login # Secure Access System (secondary)
admin@pointtoserver[.]com # Hosting NOC contact on both C2 servers
File Indicators (SHA256)
050537a47b5463e96a9f3e7ba79c607017faceeb668cef8aa1d5e11a19ff4990
2eda2c838ea696f6ab1e74d2a1fa3c265234a32416a666f0efa3d065d0185552
39901ffa746a6f6ac3de2b36d9e61e0d60b221f4d9510436fd3cb3d2d7362130
3b5adb76e37e4cc999e281068d1f3e6f82cab8055c6b46c2e6de1b6ea8499a7e
86ebb2e4384e3c0d4aa973c07c1d237e3f4042c773f4b2aa5fcd19d8f7383172
ee90df061740b8cf0cdce8dba04ff34c205adf3271695e5310d04723dd9a2a47
ffcfee12bd160dc67f9b0fbd4462e46e5932840297c611ad2646139295ea019c
c725498c... # ironclad-pdf.apk (partial hash)
Android Package Names
com.pdf.readersec
com.pdf.ironclad
com.cpdf.cpdf
gov.lens.net
Network Signatures
Port 3000/tcp — nginx reverse proxy to Django/React panel
Port 8080/tcp — uvicorn (Django REST API + admin)
Port 8090/tcp — File Browser v2.62.2 (primary) / custom auth page (secondary)
API pattern: /api/token/, /api/devices/, /api/build-apk/build/, /api/fcm/send/
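As an added detection example (not part of this report or of GHOST tooling), the following Python checks web-proxy log lines against the C2 hosts, DDNS domains, ports and API path patterns catalogued above, so a defender can turn the network signatures into an alert; the proxy-log format, the sample lines, and the client/unknown-host addresses in them are constructed assumptions.

```python
"""Match proxy-log lines against the ASO RAT network indicators listed above.
Added example (not from the report or GHOST tooling); indicators are those printed
in the report, kept defanged; the log format and sample lines are constructed."""
import re

# The two C2 servers and four DDNS domains from the IoC section, defanged as printed.
C2_HOSTS = {
    "45[.]74[.]4[.]179": "primary C2",
    "172[.]111[.]200[.]133": "secondary C2",
    "c-pdf[.]ddns[.]net": "DDNS lure domain",
    "new-pdf[.]ddns[.]net": "DDNS lure domain",
    "livemap-back[.]ddns[.]net": "DDNS lure domain",
    "aso[.]ddns[.]net": "DDNS project domain",
}
C2_PORTS = {3000, 8080, 8090}  # panel, REST API + admin, File Browser
# Panel API paths recovered from the JS bundle, matched as URL-path prefixes.
API_PREFIXES = ("/api/token/", "/api/devices/", "/api/build-apk/build/", "/api/fcm/send/")

def refang(ioc):
    """Turn the report's defanged form (45[.]74[.]4[.]179) into a matchable host."""
    return ioc.replace("[.]", ".")

KNOWN_HOSTS = {refang(host): role for host, role in C2_HOSTS.items()}

# Constructed proxy-log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
URL_RE = re.compile(r"^(https?)://([^/:\s]+)(?::(\d+))?(/[^\s?]*)?")

def score_line(line):
    """Return (severity, client, host, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    scheme, host, port, path = u.groups()
    port = int(port) if port else (443 if scheme == "https" else 80)
    path = path or "/"
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append(f"known ASO RAT host ({KNOWN_HOSTS[host]})")
    if any(path.startswith(p) for p in API_PREFIXES) and port in C2_PORTS and scheme == "http":
        # Plain-HTTP panel API on one of the report's ports: the shape of this C2,
        # which still fires after the operator rotates DDNS to a host not yet listed.
        reasons.append(f"ASO panel API path {path} on port {port} over plain HTTP")
    if not reasons:
        return None
    severity = "high" if host in KNOWN_HOSTS else "medium"
    return severity, client, host, reasons

def scan(lines):
    """Run score_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(score_line, lines) if hit]

# Constructed sample lines; 10.0.0.x clients and 203.0.113.9 are not real traffic.
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z 10.0.0.21 POST http://45.74.4.179:8080/api/token/ 200",
    "2026-04-01T09:12:05Z 10.0.0.21 GET http://c-pdf.ddns.net:3000/ 200",
    "2026-04-01T09:13:44Z 10.0.0.34 POST http://203.0.113.9:8080/api/fcm/send/ 200",
    "2026-04-01T09:14:10Z 10.0.0.40 GET https://example.com/api/devices/ 200",
]
```

scan(SAMPLE_LOG) yields three hits (two high, one medium); the example.com line is ignored because an /api/ path alone over HTTPS on 443 is too generic to act on, and only the combination with the report's ports and plaintext transport is treated as a signal.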
Initial lead credit: @solostalking
GHOST — Breakglass Intelligence
https://intel.breakglass.tech