SideCopy, a Pakistani threat actor, is said to have used the platform to target people with ties to the Afghan government, military and law enforcement in Kabul.

Between April and August of 2021, the campaign, which Meta described as a “well-resourced and persistent operation,” involved sending malicious links, often shortened using URL shortener services, to websites hosting malware. The operators posed as young women and used romantic lures to get recipients to click on phishing links or download trojanized chat applications.

Meta, formerly known as Facebook, announced on Tuesday that it had taken action against four separate malicious cyber groups from Pakistan and Syria that had been found targeting people in Afghanistan, as well as journalists, humanitarian organisations, and anti-regime military forces in the West Asian country.

Meta classified three hacking networks as linked to the Syrian government and Syria’s Air Force Intelligence:

  • The Syrian Electronic Army used phishing links to deliver a mix of commercially available and custom malware, such as njRAT and HmzaRat, designed to harvest sensitive user information, against humanitarian organisations, journalists and activists in Southern Syria, government critics and individuals associated with the anti-regime Free Syrian Army.
  • APT-C-37 used malware known as SandroRAT and an in-house developed malware family known as SSLove to target people linked to the Free Syrian Army and military personnel affiliated with opposition forces, through social engineering schemes that duped users into visiting websites posing as Telegram, Facebook, YouTube and WhatsApp, as well as content focused on Islam.
  • An unnamed government-linked hacking group targeted minority groups, activists and opposition figures in Southern Syria, Kurdish journalists, and members of the People’s Protection Units and Syria Civil Defense. Its operation took the form of social engineering attacks that shared links to websites hosting malware-laced apps mimicking WhatsApp and YouTube, which installed the SpyNote and Spymax remote administration tools on victims’ devices.

Mike Dvilyanski, head of cyber espionage investigations, and David Agranovich, director of threat disruption at Meta, concluded that “To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers, and law enforcement and alerted the people we believe were targeted by these hackers.”

Indicators of Compromise

1. Pakistan

Domains & C2s:

Domain                           | Description
androappstore[.]com              | Hosting PJobRAT and Mayhem
www[.]apphububstore[.]in         | Hosting PJobRAT
appsstore[.]in                   | Hosting PJobRAT
apkstore.filehubspot[.]com       | Believed to be hosting PJobRAT
helloworld.bounceme[.]net        | Command and control server for PJobRAT
dasvidaniya.ddns[.]net           | Command and control server for PJobRAT
gemtool.sytes[.]net              | Command and control server for PJobRAT
saahas.servecounterstrike[.]com  | Command and control server for Mayhem

Hashes:

MD5                                | Description   | Malware Family
7804aa608d73e7a9447ae177c31856fe   | ViberLite v4  | PJobRAT
a80a1b022fdcaa171e454086711dcf35   | ViberLite v3  | PJobRAT
a4f104e2058261c7dbfc1c69e1de8bce   | ViberLite v2  | PJobRAT
4ce92da8928a8d1d72289d126a9fe2f4   | HangOn V4e    | PJobRAT
a53c74fa923edce0fa5919d11f945bcc   | HangOn v4     | PJobRAT
9fd4b37cbaf0d44795319977118d439d   | HangOn        | PJobRAT
7bef7a2a6ba1b2aceb84ff3adb5db8b3   | TrendBanter   | PJobRAT
v21b4327d6881be1893fd2a8431317f6b  | Happy Chat    | Mayhem

2. APT-C-37

Domains & C2s:

Domain / IP      | Description
82.137.255[.]0   | Long running command and control server

Hashes:

MD5                               | Description               | Malware Family
969fe5597a44bf4eb66ebdc7b09ef2c8  | Fake version of WhatsApp  | SSLove

3. Unnamed Cluster

Domains & C2s:

Domain / IP                  | Description
f-b[.]today                  | Hosting SpyMax
messengers[.]video           | Hosting SpyMax
whatsapp-sy[.]com            | Hosting SpyMax
horan-free[.]com             | Believed to have been hosting SpyMax
druze[.]life                 | Believed to have been hosting SpyMax
suwayda-24[.]com             | Believed to have been hosting SpyMax
t-me[.]link                  | Believed to have been hosting SpyMax
lamat-horan[.]com            | Hosting unnamed Android malware
anti-corona[.]app            | Believed to have been hosting SpyMax
what-sapp[.]site             | Believed to have been hosting SpyMax
informnapalm[.]net           | Hosting trojanized apps for the YPG, Syrian Civil Defense, and malware pretending to be an update for WhatsApp
facebook-helps-center[.]com  | Older infrastructure hosting SpyMax malware pretending to be a WhatsApp update
46.4.83[.]140                | Command and control server
sputniknews[.]news           | Believed to be attacker controlled
emmashop[.]app               | Believed to be attacker controlled
face-book[.]xyz              | Believed to be attacker controlled

Hashes:

MD5                               | Description                                                                  | Malware Family
762acdd53eb35cd48686b72811ba9f3c  | Hosted on lamat-horan[.]com. First seen in 2019. 0 detections on VT.         | Unnamed
fcf357556c3af14bab820810f5e94436  | Hosted on f-b[.]today. Masquerading as a Syrian satellite TV app.            | SpyMax
e8a528491b28e4d62a472da7396c7047  | Hosted on f-b[.]today. Masquerading as a YouTube update.                     | SpyMax
1c16ee8b2f0dff7280e1d97522ee7e3f  | Hosted on informnapalm[.]net. A Syria themed APK.                            | SpyNote
ce274c0bd0743695529a43d7992e2d2c  | Hosted on informnapalm[.]net. Masquerading as a WhatsApp update.             | SpyMax
185062606b168f04b8b583045d300be5  | Hosted on informnapalm[.]net. Masquerading as an app for the YPG.            | SpyMax
c2e55b0d7be1c1991a5b70be7280e528  | Hosted on informnapalm[.]net. Masquerading as an app for the Syrian Civil Defence. | SpyMax
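The indicators above are published defanged ("[.]" instead of "."), so they need refanging before they can be matched against logs. The following added example, not code from Meta or this article, does that for a subset of the listed indicators, runs them over constructed DNS log lines (the "timestamp client query qname" format and the sample traffic are assumptions), and rejects any hash entry that is not a well-formed 32-character MD5 instead of letting it silently never match.

```python
import re

# Added example, not from the report or the article: a subset of the indicators
# from the tables above, defanged with "[.]" exactly as published.
DOMAIN_IOCS = ["androappstore[.]com", "www[.]apphububstore[.]in",
               "helloworld.bounceme[.]net", "82.137.255[.]0",
               "f-b[.]today", "informnapalm[.]net", "46.4.83[.]140"]
HASH_IOCS = ["7804aa608d73e7a9447ae177c31856fe",   # ViberLite v4 (PJobRAT)
             "v21b4327d6881be1893fd2a8431317f6b",  # Happy Chat (Mayhem), as published
             "fcf357556c3af14bab820810f5e94436"]   # fake satellite TV app (SpyMax)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def refang(ioc):
    """Turn the defanged '[.]' back into '.' so the value matches live log data."""
    return ioc.replace("[.]", ".").strip().lower()

def load_hashes(values):
    """Split hash IoCs into a usable set plus a list of malformed entries: anything
    that is not exactly 32 hex characters (e.g. the 'v'-prefixed value) is rejected."""
    valid, rejected = set(), []
    for v in values:
        v = v.strip().lower()
        if MD5_RE.match(v):
            valid.add(v)
        else:
            rejected.append(v)
    return valid, rejected

def domain_matches(qname, iocs):
    """True when qname equals an IoC or is a subdomain of one (cdn.f-b.today)."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in iocs)

def scan_dns_log(lines, iocs):
    """Return (timestamp, client, qname) for each query hitting an IoC domain.
    Assumed log format: '<iso-timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in lines:
        p = line.split()
        if len(p) >= 4 and p[2] == "query" and domain_matches(p[3], iocs):
            hits.append((p[0], p[1], p[3].lower().rstrip(".")))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = ["2021-06-02T10:15:00Z 10.0.0.7 query cdn.f-b.today.",
              "2021-06-02T10:15:02Z 10.0.0.7 query www.google.com",
              "2021-06-02T10:16:41Z 10.0.0.9 query helloworld.bounceme.net",
              "2021-06-02T10:17:03Z 10.0.0.9 query notandroappstore.com"]  # no match
```

Calling `scan_dns_log(SAMPLE_LOG, [refang(d) for d in DOMAIN_IOCS])` returns the two hits on cdn.f-b.today and helloworld.bounceme.net, and `load_hashes(HASH_IOCS)` reports the malformed "v"-prefixed entry so it can be checked against the original report rather than loaded as-is.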

