A catalog of malware used in the Syrian civil war.

Each sample lists its respective MD5 hash, filename, links to any media sources or technical details which mention that sample specifically, and a download link.

Submitting Samples

If you have a sample to contribute, question, or comment, please email: contact [at] syrianmalware [dot] com.

Updates

Monday, 31 Dec 2016
One new sample has been added: 3f00799368f029c38cea4a1a56389ab7 - صفقة جيش الاسلام مع النظام المتضمنة تبادل 75 اسير للنظام من عدرا العمالية مقابل 15 معتقل لجيش الاسلام image.vbs

Monday, 07 Oct 2014
One new sample has been added, courtesy of our friends at @secdev - a8ef5ccebd2e3babdd243a2861673c26 - news.exe

Monday, 15 Sept 2014
One new sample has been added - 7263e1d84b350c1465bb4c4c77b1bcec - برنامج الفيش.exe

Wednesday, 04 Jun 2014
One new sample has been added, which was detailed in this Citizen Lab report: https://citizenlab.org/2014/03/maliciously-repackaged-psiphon/ Courtesy of John Scott-Railton. 28bf01f67db4a5e8e6174b066775eae0 - psiphon.exe

Monday, 17 Mar 2014
Two new sample are available for download. We have released a report detailing Attack.m.exe here: http://syrianmalware.com/files/Attack.m.exe%20-%20Report.pdf 4141842e30edaf429309ea6bc2374ef5 - Attack.m.exe, a9e6f5d4c5996ff1a067d4c5f9ade821 - Skype.exe

Sunday, 28 Jul 2013
Two additional samples have been added courtesy of @headhntr. Both of these samples are analysed in an article by John Scott-Railton and Morgan Marquis-Boire: https://citizenlab.org/2013/06/a-call-to-harm/ 8eda7dfa4ec4ac975bb12d2a3186bbeb / VPN-Pro.exe, 16a56e1288935b1696c701c1eed456ed / اسماً لرجال ونساء سوريين مطلوبين لأفرع المخابرات السورية.exe

Sunday, 14 Jul 2013
Two more samples have been added: ed86876db98db35d8c205f8c0b92b0a4 / اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري_m-fdp.scr, 02c2ee77cf5aaf8ac03739640c46e822 / اسماء بعض المسلحين في سورية والخارج المطلوبين لدى النظام السوري2012_m-fdp.scr. Thanks a lot to @headhntr for providing the samples and his excellent research about Syrian malware.

Thursday, 31 Jan 2013
One new sample has been added, 185c8d11c0611cae7c81f4458bf1adea / ActiveX.exe. Some notes and background detailing it are available at https://docs.google.com/document/d/1EeaF1k6DBNs4Qj0g9M7ykI1BpBwctBqCY-CqsRT0230/edit?usp=sharing and https://docs.google.com/document/d/1rNZbNi1DR0jno4Bl6rs0pdDe061rc8jCc-0EFHtWhJE/edit

Tuesday, 02 Dec 2012
Two additional samples, Skype Encription v 2.1.exe and FacebookWebBrowser.exe, have been added. The list of samples has also been adjusted so that the most recently-posted samples appear at the top. This does not necessarily correspond to when they were first seen in the wild.

Tuesday, 13 Nov 2012
Three more samples added.

Sunday, 09 Sept 2012
Two more samples are now available for download thanks to @y0ug. We appreciate it! The samples are: af8e0815a0f44a78a95a89643f7c9ce6, bc403bef3c2372cb4c76428d42e8d188

Saturday, 01 Sept 2012
Added another hash/report from the EFF regarding a Syrian regime-created "antihacker" tool, which drops DarkComet. The report goes into detail about the program's behavior and includes screenshots. Currently looking for a sample of this hash.

Saturday, 14 Jul 2012
Another sample & report added.

Tuesday, 10 Jul 2012
A through report prepared by Telecomix agents has been included in our list of media. It details a malware sample from February of this year. Link here: https://docs.google.com/open?id=0B2lkfUkdFSQjWVlKbTVMQ3dNY3M

Monday, 09 Jul 2012
We've added a page to list any links relating to Syrian malware samples. This includes both news articles and technical analysis.

Media

Telecomix
2012-02-21 - REPORT of a Syrian spyware - https://docs.google.com/open?id=0B2lkfUkdFSQjWVlKbTVMQ3dNY3M

Citizen Lab
2013-06-12 - A Call to Harm: New Malware Attacks Target the Syrian Opposition - https://citizenlab.org/2013/06/a-call-to-harm/
2012-06-19 - Syrian Activists Targeted with BlackShades Spy Software - https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software-2/

EFF
2012-12-03 - The Internet is Back in Syria and So is Malware Targeting Syrian Activists - https://www.eff.org/deeplinks/2012/12/iinternet-back-in-syria-so-is-malware
2012-08-15 - Pro-Syrian Government Hackers Target Activists With Fake Anti-Hacking Tool - https://www.eff.org/deeplinks/2012/08/syrian-malware-post
2012-07-12 - New Malware Targeting Syrian Activists Uses Blackshades Commercial Trojan - https://www.eff.org/deeplinks/2012/07/new-blackshades-malware
2012-06-19 - New Trojan Spread Over Skype as Cat and Mouse Game Between Syrian Activists and Pro-Syrian-Government Hackers Continues - https://www.eff.org/deeplinks/2012/06/darkshades-rat-and-syrian-malware
2012-05-31 - Trojan Hidden in Fake Revolutionary Documents Targets Syrian Activists - https://www.eff.org/deeplinks/2012/05/trojan-hidden-fake-revolutionary-documents-targets-syrian-activists
2012-05-02 - Fake Skype Encryption Tool Targeted at Syrian Activists Promises Security, Delivers Spyware - https://www.eff.org/deeplinks/2012/05/fake-skype-encryption-tool-targeted-syrian-activists-promises-security-delivers
2012-04-24 - New Wave of Facebook Phishing Attacks Targets Syrian Activists - https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists
2012-04-04 - Campaign Targeting Syrian Activists Escalates with New Surveillance Malware - https://www.eff.org/deeplinks/2012/04/campaign-targeting-syrian-activists-escalates-with-new-surveillance-malware
2012-03-29 - Syrian Activists Targeted With Facebook Phishing Attack - https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack
2012-03-15 - Fake YouTube Site Targets Syrian Activists With Malware - https://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware
2012-03-05 - How to Find and Protect Yourself Against the Pro-Syrian-Government Malware on Your Computer - https://www.eff.org/deeplinks/2012/03/how-find-syrian-government-malware-your-computer-and-remove-it

CNN
2012-02-17 - Computer spyware is newest weapon in Syrian conflict - http://articles.cnn.com/2012-02-17/tech/tech_web_computer-virus-syria_1_opposition-activists-computer-viruses-syrian-town?_s=PM:TECH

Norman
2012-02-18 - The Syrian spyware - http://blogs.norman.com/2012/security-research/the-syrian-spyware

Malwarebytes
2012-06-21 - BlackShades in Syria - http://blog.malwarebytes.org/intelligence/2012/06/blackshades-in-syria/

Last updated: 2021-10-27 10:42:44 -0700