Syrian Malware Samples

Binaries from the Syrian revolution

Warning: The following files contain malicious software. They are intended for security researchers and should only be executed under controlled environments.

The password to our sample archives is: infected.

a8ef5ccebd2e3babdd243a2861673c26 - news.exe

Filename: news.exe
MD5 Hash: a8ef5ccebd2e3babdd243a2861673c26
FIlesize: 114K
Analysis or Media:

7263e1d84b350c1465bb4c4c77b1bcec - برنامج الفيش.exe

Filename: برنامج الفيش.exe
MD5 Hash: 7263e1d84b350c1465bb4c4c77b1bcec
FIlesize: 8.6M
Analysis or Media:

28bf01f67db4a5e8e6174b066775eae0 - psiphon.exe

Filename: psiphon.exe
MD5 Hash: 28bf01f67db4a5e8e6174b066775eae0
FIlesize: 1.4M
Analysis or Media:

a9e6f5d4c5996ff1a067d4c5f9ade821 - Skype.exe

Filename: Skype.exe
MD5 Hash: a9e6f5d4c5996ff1a067d4c5f9ade821
FIlesize: 2.2M
Analysis or Media:

4141842e30edaf429309ea6bc2374ef5 - Attack.m.exe

Filename: Attack.m.exe
MD5 Hash: 4141842e30edaf429309ea6bc2374ef5
FIlesize: 20K
Analysis or Media:

16a56e1288935b1696c701c1eed456ed - اسماً لرجال ونساء سوريين مطلوبين لأفرع المخابرات السورية.exe

Filename: اسماً لرجال ونساء سوريين مطلوبين لأفرع المخابرات السورية.exe
MD5 Hash: 16a56e1288935b1696c701c1eed456ed
FIlesize: 73K
Analysis or Media:

8eda7dfa4ec4ac975bb12d2a3186bbeb - VPN-Pro.exe

Filename: VPN-Pro.exe
MD5 Hash: 8eda7dfa4ec4ac975bb12d2a3186bbeb
FIlesize: 2.0M
Analysis or Media:

02c2ee77cf5aaf8ac03739640c46e822 - اسماء بعض المسلحين في سورية والخارج المطلوبين لدى النظام السوري2012_m-fdp.scr

Filename: اسماء بعض المسلحين في سورية والخارج المطلوبين لدى النظام السوري2012_m-fdp.scr
MD5 Hash: 02c2ee77cf5aaf8ac03739640c46e822
FIlesize: 709K
Analysis or Media:

ed86876db98db35d8c205f8c0b92b0a4 - اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري_m-fdp.scr

Filename: اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري_m-fdp.scr
MD5 Hash: ed86876db98db35d8c205f8c0b92b0a4
FIlesize: 1.8M
Analysis or Media:

185c8d11c0611cae7c81f4458bf1adea - ActiveX.exe

Filename: ActiveX.exe
MD5 Hash: 185c8d11c0611cae7c81f4458bf1adea
FIlesize: 409K
Analysis or Media:

7d867d6bd5fc3015a31fdfa121ba9187 - FacebookWebBrowser.exe

Filename: FacebookWebBrowser.exe
MD5 Hash: 7d867d6bd5fc3015a31fdfa121ba9187
FIlesize: 34K
Analysis or Media:

79cdf420419a08f791752c759f8e0613 - Skype Encription v 2.1.exe

Filename: Skype Encription v 2.1.exe
MD5 Hash: 79cdf420419a08f791752c759f8e0613
FIlesize: 1.1M
Analysis or Media:

8c9f9ccffbd2c888b9b5300412f8e580 - ورقة حول مجلس القيادة_as‮ fdp.scr

Filename: ورقة حول مجلس القيادة_as‮ fdp.scr
MD5 Hash: 8c9f9ccffbd2c888b9b5300412f8e580
FIlesize: 841K
Analysis or Media:

41a2159b94c6883f03d2d901428a5891 - XtremeRAT_svhost2.exe

Filename: XtremeRAT_svhost2.exe
MD5 Hash: 41a2159b94c6883f03d2d901428a5891
FIlesize: 68K
Analysis or Media:

fb6e419e0fd9c2f39be43bcadbd2879f - XTremeRAT_silvia.exe

Filename: XTremeRAT_silvia.exe
MD5 Hash: fb6e419e0fd9c2f39be43bcadbd2879f
FIlesize: 229K
Analysis or Media:

af8e0815a0f44a78a95a89643f7c9ce6 - AntiHacker.exe

Filename: AntiHacker.exe
MD5 Hash: af8e0815a0f44a78a95a89643f7c9ce6
FIlesize: 1.0M
Analysis or Media:

c09d23a8e44c3170e9af0132788fceb0 - new.pif

Filename: new.pif
MD5 Hash: c09d23a8e44c3170e9af0132788fceb0
FIlesize: 383K
Analysis or Media:

e58a1795277edc08d35c6898f9befc1c - setup.exe

Filename: setup.exe
MD5 Hash: e58a1795277edc08d35c6898f9befc1c
FIlesize: 412K
Analysis or Media:

bb52415e659df7786b68d741a7a20162 - 5518707_304019782967678_137153936323931_76888_135985994_ser

Filename: 5518707_304019782967678_137153936323931_76888_135985994_ser
MD5 Hash: bb52415e659df7786b68d741a7a20162
FIlesize: 1004K
Analysis or Media:

2838bf29fe88edfd70d1cee4b8551c74 - 388707_304019782967678_1371539363240931_76888_135985994_ser

Filename: 388707_304019782967678_1371539363240931_76888_135985994_ser
MD5 Hash: 2838bf29fe88edfd70d1cee4b8551c74
FIlesize: 883K
Analysis or Media:

229af3e4f9dccc0497e7546c09790d50 - hack_facebook_pro_v6.9.exe

Filename: hack_facebook_pro_v6.9.exe
MD5 Hash: 229af3e4f9dccc0497e7546c09790d50
FIlesize: 450K
Analysis or Media:

bc403bef3c2372cb4c76428d42e8d188 - aleppo_plan_ خطة_تحريك_حلب cercs.pdf

Filename: aleppo_plan_ خطة_تحريك_حلب cercs.pdf
MD5 Hash: bc403bef3c2372cb4c76428d42e8d188
FIlesize: 3.1M
Analysis or Media:

0d1bd081974a4dcdeee55f025423a72b - new_new .pif

Filename: new_new .pif
MD5 Hash: 0d1bd081974a4dcdeee55f025423a72b
FIlesize: 387K
Analysis or Media:

919374a229038ab2a8752790709ff7fc - setup.exe

Filename: setup.exe
MD5 Hash: 919374a229038ab2a8752790709ff7fc
FIlesize: 385K
Analysis or Media:


Monday, 07 Oct 2014

One new sample has been added, courtesy of our friends at @secdev.

Monday, 15 Sept 2014

One new sample has been added.

Wednesday, 04 Jun 2014

One new sample has been added, which was detailed in this Citizen Lab report. Courtesy of John Scott-Railton.

Monday, 17 Mar 2014

Two new sample are available for download. We have released a report detailing Attack.m.exe available here.

Sunday, 28 Jul 2013

Two additional samples have been added courtesy of @headhntr. Both of these samples are analysed in an article by John Scott-Railton and Morgan Marquis-Boire titled, "A Call to Harm: New Malware Attacks Target the Syrian Opposition":

Sunday, 14 Jul 2013

Two more samples have been added:

Thanks a lot to @headhntr for providing the samples and his excellent research about Syrian malware.

Wednesday, 10 Jul 2013

We've created a list of the samples currently wanted for addition to the website. Please take a look here.

Thursday, 31 Jan 2013

One new sample has been added, 185c8d11c0611cae7c81f4458bf1adea / ActiveX.exe. Some notes and background detailing it here and here.

Tuesday, 02 Dec 2012

Two additional samples, Skype Encription v 2.1.exe and FacebookWebBrowser.exe, have been added. The list of samples has also been adjusted so that the most recently-posted samples appear at the top. This does not necessarily correspond to when they were first seen in the wild.

Tuesday, 13 Nov 2012

Three more samples added.

Wednesday, 31 Oct 2012

The front page has been redesigned.

Sunday, 09 Sept 2012

Two more samples are now available for download thanks to @y0ug. We appreciate it!
The samples are:

Saturday, 01 Sept 2012

Added another hash/report from the EFF regarding a Syrian regime-created "antihacker" tool, which drops DarkComet. The report goes into detail about the program's behavior and includes screenshots. Currently looking for a sample of this hash.

Saturday, 14 Jul 2012

Another sample & report added.

Tuesday, 10 Jul 2012

A through report prepared by Telecomix agents has been included in our list of media. It details a malware sample from February of this year. Link here:

Monday, 09 Jul 2012

We've added a page to list any links relating to Syrian malware samples. This includes both news articles and technical analysis.

Welcome to This website is a catalog of malicious software developed by the Al-Assad regime and its supporters specifically for targeting dissidents.

Since April 2011, the government of Syria has deployed malware extensively in order to track and arrest democratic activists and ordinary citizens. Here, they can be downloaded and analyzed. This malware provides a window into how an authoritarian government spies on its people.

Each sample lists its respective MD5 hash, filename, links to any media sources which mention that sample specifically, and a download link.

Here is a collection of media sources which mention malware in the Syrian conflict.

Submitting Samples

We are always looking for new malware samples! If you have any to contribute, please send an email to: contact [at] syrianmalware [dot] com.