SpyMax is an Android remote access trojan/spyware. The provided content describes it as a commodity malware family and specifically as an Android RAT used in campaigns targeting Assad’s forces in Syria. In one reported operation, attackers distributed SpyMax inside a malicious Android application named STFD-686, which purported to offer financial aid to Syrian Army officers and soldiers and falsely claimed association with the Syria Trust for Development. Once installed, the embedded SpyMax malware allowed attackers to track the movement of infected Syrian soldiers. The content also notes that SpyMax has ranked prominently in spyware detections and has been deployed in campaigns using the SpyMax Android remote access trojan. High-confidence details in the content are limited to its Android RAT/spyware functionality, use in the STFD-686 lure, and targeting of Syrian military personnel.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android remote access trojan used to remotely control infected devices; referenced here in the context of training cybercriminals on deployment and use.
Commodity malware referenced as used in campaigns targeting Assad’s forces in Syria.
SpyMax is a remote access trojan (RAT) for Android that allows attackers to track device location and potentially exfiltrate sensitive data. In this case, it was used to target Syrian Army personnel.
Mobile spyware spread via fake apps/third-party stores and malvertising; maintains top prevalence in spyware category per report.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.