Victory has many fathers, defeat is an orphan: Now some say Assad was defeated by Spyware App spread through army ranks

An investigation reveals how a cyberattack exploited soldiers’ vulnerabilities and may have changed the course of the Syrian conflict

The Syrian army’s failure to repel a modest opposition attack on Aleppo in December, which ultimately culminated in the collapse of the regime of Bashar al-Assad, defies explanation.
The opposition’s military strength and its use of drones were contributing factors, no doubt, but they were hardly enough. The Syrian army had previously reclaimed vast swaths of territory from rebel forces. By the summer of 2024, Assad’s government controlled two-thirds of the country. The sudden unraveling and the conventional explanations behind it belie what unfolded beneath the surface of the military event itself.
In a previous interview with New Lines, a high-ranking Syrian officer, who recounted the final days of the regime’s existence, disclosed a revealing detail that I decided to spend some time pursuing. A closer examination revealed it to be the key to understanding the regime’s collapse from a different angle, not merely as a logistical or battlefield failure, but as the result of a silent, invisible war.
The snippet of information was this: A mobile application, distributed quietly among Syrian officers via a Telegram channel, had spread rapidly in their ranks. In truth, the app was a carefully planted trap, the opening salvo of a hidden cyberwar — perhaps one of the first of its kind against a modern army. Militias had weaponized smartphones, turning them into lethal instruments against a regular military force.
Beyond revealing the contours of a cyberattack against the Syrian army, this investigation seeks to understand the application itself, its technology and reach, and to uncover the nature of the information it siphoned from within military ranks. This, in turn, leads directly to the potential impact on Syria’s military operations.
The larger question remains: Who orchestrated the cyberattack, and to what end?
The answers may point to players within the conflict itself — factions of the Syrian opposition, regional or international intelligence services, or other, still unseen hands. In any case, the attack must be understood within its full political and military context.
In February 2020, a mobile phone left behind by a Syrian soldier inside a Russian-made Pantsir-S1 air defense vehicle helped to turn the entire system into a fireball. Israeli forces tracked the phone’s signal, pinpointed the battery’s location, and launched a swift airstrike that obliterated the system before it could be rearmed. The incident, revealed by Valery Slugin, the chief designer behind the Pantsir system, in an interview with the Russian news agency TASS, showed how a single mobile phone could trigger catastrophe, whether by design or by sheer ignorance.
The consequences were devastating: critical equipment and personnel were lost at a moment when the army could least afford it. The soldier responsible — a survivor of the Israeli strike — may have been an informant or a recruited agent or, more likely, had no grasp of the damage he had caused. According to Slugin, all communication devices, such as phones or radios, should have been shut off during operations, and the battery location changed immediately after launching missiles to avoid detection. These are standard security protocols. Yet the Syrian crew’s failure to follow them turned an ordinary phone into a beacon, a live marker that guided the enemy’s strike straight to its target.
By the basic logic of military science, the Syrian authorities should have launched a full investigation after the Pantsir’s destruction — banning mobile phones within the ranks or devising countermeasures to stop them from becoming roving surveillance nodes. But that never happened. The Syrian army, this time and many times after, behaved with the same fatal irresponsibility — and paid for it dearly.
What was most striking after the events of Nov. 27, and the fall of Aleppo to the opposition, was how suddenly the Syrian army ceased to fight. Most units simply watched as opposition forces advanced, offering little more than sporadic resistance until the rebels reached the outskirts of Damascus on the morning of Dec. 8. In the rural areas of Idlib and Aleppo, opposition factions swept past dozens of positions belonging to brigades of the 25th and 30th Divisions, as well as narrow outposts in hilly terrain. They covered more than 40 miles in just 48 hours.
By then, the Syrian army was a shadow of its former self. After a decade of grinding warfare, marked by tens of thousands of casualties and irreparable material and moral losses, there was little strength left to rally. Years of conflict had left the forces battered not just by battlefield defeats, but by a more insidious collapse from within: The Syrian pound’s freefall, from 50 pounds to the dollar in 2011 to 15,000 in 2023, had turned soldiers’ and officers’ salaries into a cruel joke — barely $20 a month. Many no longer fought for “the country and the leader,” but simply to survive. Transportation costs had doubled; the salary of a high-ranking officer could no longer feed a family. One officer from the 47th Regiment recalled that they often received only half of their scheduled meals, made up of half-raw, unprepared food. In many units, a privileged few officers dined separately, which fueled bitter resentment among the rank and file.
Beyond the economic collapse, worsened in part by Western sanctions, Syria had, by 2018, sunk into a deep military and political stagnation. Fronts grew paralyzed. Morale sagged. Commanders reinvented themselves as smugglers of Captagon and fugitives. Meanwhile, the regime clung stubbornly to power, rejecting even the most pragmatic solutions, whether offered by yesterday’s enemies among Arab states, by Turkey or by the West.
The stagnation, and the suffocating sense of a future foreclosed, birthed a grotesque kind of entrepreneurship within the army. Officers and soldiers no longer focused on military duties; they scrambled for any opportunity that might sustain them. They traded anything and everything just to stay alive, without exaggeration.
Imagine an army where officers sold the remains of stale bread rations meant for their men. Where senior officers bought solar panels and rented out charging services to soldiers desperate to light their shelters or charge their phones. It seems those who thought to weaponize this moment knew exactly what they were looking at — and what they could exploit.
In the early summer of 2024, months before the opposition launched Operation Deterrence of Aggression, a mobile application began circulating among a group of Syrian army officers. It carried an innocuous name: STFD-686, a string of letters standing for Syria Trust for Development.
To Syrians, the Syria Trust for Development was a familiar institution: a humanitarian organization offering material aid and services, overseen by Asma al-Assad, Bashar’s wife. It had never ventured into the military sphere. None of the officers or sources we spoke to could explain how the app found its way into army hands. The likeliest explanations point to collusion by compromised officers — or a sophisticated deception.
What lent the app its credibility was that its name and information were publicly available. To heighten its aura of authenticity, and to control its spread, the app was distributed exclusively through a Telegram channel also bearing the name Syria Trust for Development, hosted on the platform but lacking any formal verification. The app, promoted as an initiative personally endorsed by the first lady, sidestepped scrutiny: If her name was attached, few questioned its legitimacy, or the financial promises it lured them with.
The STFD-686 app operated with disarming simplicity. It offered the promise of financial aid, requiring only that the victim fill out a few personal details. It asked innocent questions: “What kind of assistance are you expecting?” and “Tell us more about your financial situation.”
The expected answer was clear: financial help. In return, users would supposedly receive monthly cash transfers of around 400,000 Syrian pounds — roughly $40 at the time — sent anonymously via local money transfer companies. Sending small sums across Syria, whether under real or fictitious names, required nothing more than a phone number, and the black market was teeming with intermediaries ready to facilitate such transfers.
On the surface, the app appeared to offer a special service for officers. Its first disguise was a humanitarian one: claiming to support the “heroes of the Syrian Arab Army” through a new initiative, while showcasing photos of real activities from the official Syria Trust for Development website.
The second mask was emotional, employing reverent language that praised the soldiers’ sacrifices: “They give their lives so that Syria may live with pride and dignity.” The third was nationalistic, and framed the app as a “patriotic initiative” designed to bolster loyalty, and this mask proved the most persuasive.
The fourth mask was visual: The app’s name, both in English and Arabic, mirrored the official organization exactly. Even the logo was an identical replica of Syria Trust’s emblem.
Once downloaded, the app opened a simple web interface embedded within the application, which redirected users to external websites that didn’t display in the app bar. The sites, syr1.store and syr1.online, mimicked the official domain of Syria Trust (syriatrust.sy). The use of “syr1,” an abbreviation of Syria, in the domain name seemed plausible enough, and few users paid much mind. In this case, no special attention was given to the URL; it was simply assumed to be trustworthy.
To access the questionnaire, users were asked to submit a series of seemingly innocent details: full name, wife’s name, number of children, place and date of birth. But the questions quickly escalated into riskier territory: the user’s phone number, military rank and exact service location down to the corps, division, brigade and battalion.
Determining officers’ ranks made it possible for the app’s operators to identify those in sensitive positions, such as battalion commanders and communications officers, while knowing their exact place of service allowed for the construction of live maps of force deployments. It gave the operators behind the app and the website the ability to chart both strongholds and gaps in the Syrian army’s defensive lines. The most crucial point was the combination of the two pieces of information: Disclosing that “officer X” was stationed at “location Y” was tantamount to handing the enemy the army’s entire operating manual, especially on fluid fronts like those in Idlib and Sweida.
According to an analysis by a Syrian software engineer, what the officers dismissed as a tedious questionnaire was, in reality, a data entry form for military algorithms, turning their phones into live printers that generated highly accurate battlefield maps. “The majority of officers often ignored security protocols,” the engineer said. “I doubt any of them realized that behind these innocent-looking forms, traps were laid for them with the innocence of a wolf.” He added that while the mechanism of espionage was technically old, it remained devastatingly effective, especially given the widespread ignorance of cyberwarfare within the Syrian army.
At the bottom of the application’s web page, another trap lay in wait: an embedded Facebook contact link. This time, the user’s social media credentials were siphoned directly to a remote server, quietly stealing access to personal accounts. If the victim somehow escaped the first snare, there was a good chance they would fall into the second.
After harvesting basic information through embedded phishing links, the attack moved to its second stage: deploying SpyMax, one of the most popular Android surveillance tools. SpyMax is an advanced version of SpyNote, notorious on the black market, and typically distributed through malicious APK files (files designed to install mobile apps on Android phones), disguised on fake download portals that appear legitimate. Crucially, SpyMax does not require root access (the highest level of access to the phone’s operating system) to function, making it dangerously easy for attackers to compromise devices. While original versions of the software sell for around $500, hacked versions are also freely available. In this case, the spyware was planted via the same Telegram channel that distributed the fake Syria Trust app and installed on officers’ phones under the guise of a legitimate application.
SpyMax has all the functions of a remote access Trojan (RAT), including keylogging to steal passwords and intercept text messages; extraction of confidential files, photos and call logs; and access to the camera and microphone, allowing real-time surveillance of victims.
Once connected, the victim can appear on an attacker’s dashboard, the live feed displaying everything from call logs to file transfers, depending on the functions selected.
The spyware targeted Android versions as old as Lollipop — an operating system launched in 2015 — meaning a broad range of both older and newer devices were vulnerable. An examination of the permissions granted to the app showed it had access to 15 sensitive functions. The most critical among them were live location tracking, used to monitor soldiers’ movements and military positions; eavesdropping on calls, to record conversations between commanders and uncover operational plans in advance; extraction of documents such as maps and sensitive files from officers’ phones; and camera access, which would potentially allow whoever launched the spyware to remotely broadcast footage of military facilities.
Once the initial information was extracted, fake servers took over, routing data through anonymous cloud platforms to make tracing the source of the malware nearly impossible. The app was also signed with forged security certificates, much like a thief donning a fake police uniform to slip past security. The attack combined two deadly elements: psychological deception (phishing) and advanced cyberespionage (SpyMax). The evidence suggests the malware was operational and the infrastructure ready before June 2024, five months before the launch of the operation that led to the Assad regime’s collapse.
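The permission profile described above is exactly what a defender looks for when triaging a suspicious APK. The following is an added example, not code from the investigation or from any named tool: it parses a constructed AndroidManifest.xml (the kind extracted from an APK with apktool, assumed here) and reports which of the surveillance capabilities attributed to the implant the app has declared permissions for, plus the minimum Android version it runs on.

```python
"""Static triage of an Android manifest for RAT-style permission sets."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Surveillance capabilities described in the article, keyed to the Android
# permissions an app must declare to exercise them (any one is enough).
CAPABILITIES = {
    "live location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "audio recording": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "sms interception": {"READ_SMS", "RECEIVE_SMS"},
    "call logs": {"READ_CALL_LOG"},
    "file access": {"READ_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE"},
    "contacts": {"READ_CONTACTS"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (not the real STFD-686 app); minSdkVersion 21
# corresponds to Android 5.0 Lollipop, the floor the article reports.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.sample">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return min SDK, matched capabilities and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {
        e.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        for e in root.iter("uses-permission")
    }
    caps = [c for c, needed in CAPABILITIES.items() if declared & needed]
    # Keylogging-style implants usually bind an accessibility service; that
    # permission sits on the <service> element, not in <uses-permission>.
    if any(s.get(ANDROID + "permission") == ACCESSIBILITY
           for s in root.iter("service")):
        caps.append("accessibility (keylogging)")
    caps.sort()
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "0")) if sdk is not None else 0
    # Four or more surveillance capabilities in one app is a strong RAT signal.
    verdict = "rat-like" if len(caps) >= 4 else "review"
    return {"min_sdk": min_sdk, "capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The threshold of four capabilities is a heuristic for this example; a real triage pipeline would weight the combinations (audio plus location plus accessibility, for instance) rather than count them.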
A review of the domains associated with syr1.store revealed six linked domains, one of which was registered anonymously. Through SpyMax, whoever was behind the app extracted a devastating range of data from the officers’ phones, including their ranks and identities, whether they were responsible for sensitive posts and their geographical locations (possibly in real time). They would have access to troop concentrations, phone conversations, text messages, photos and maps on officers’ devices, and be able to monitor military facilities remotely. The phishing site itself collected myriad sensitive data from military personnel, including their full names, names of family members, ranks and service positions, dates and places of birth and Facebook login credentials if they used the social media contact form.
The potential uses are also myriad. The data would have allowed the operators to pinpoint gaps in the defensive lines, which were exploited in Aleppo, to locate weapons depots and communication hubs, and to assess the real size and strength of deployed troops. It would also have allowed those with access to the information to launch surprise attacks on exposed sites, potentially cutting off supplies to isolated military units, to issue contradictory orders to troops and sow confusion among military cadres, and to blackmail the officers.
It’s at least clear that the Assad regime’s enemies benefited from the app in some way — although exactly how is difficult to confirm, and it is difficult to surmise who was behind it. For example, one of the domains linked to the hackers appears to be hosted in the United States, a country with ties to the armed opposition, but the server’s apparent location could also have been masked as a misdirection. Israeli airstrikes in the immediate aftermath of the fall of the regime destroyed almost the entire conventional military capacity of Syria, and one Syrian army officer, who served in the air defense units of Tartous Governorate, told New Lines that the application had been active at his site. That meant that Syrian officers had already, through their own carelessness, uploaded the blueprints of Syria’s defensive fronts to a cloud server — accessible to anyone who knew where to look.
But the compromised data could have also been helpful to the opposition, which carried out attacks such as a clandestine operation targeting the military joint operations room in Aleppo, which this magazine previously reported on, leading up to the broader campaign that unseated Assad.
And perhaps this is what makes this spyware unique: While other spyware operations have largely targeted individuals, like the use of the application Pegasus to spy on activists in the Middle East, this particular campaign seems to have been focused on compromising an entire military institution through a primitive but devastating phishing attack.
It is difficult to determine exactly how many phones were compromised in the attack, but the number is likely in the thousands. A story published on the same Telegram channel in mid-July noted that 1,500 money transfers had been sent that month, with other posts referencing additional rounds of money distribution. None of those who received money through the app agreed to speak with me, citing security concerns.
Compromised military command may also help explain some of the stranger episodes that surrounded the regime’s collapse, in addition to the rapid military success of the opposition’s campaign.
One example is the exchange of fire that erupted on Dec. 6, 2024, between forces loyal to two senior Syrian commanders — Maj. Gen. Saleh al-Abdullah and Maj. Gen. Suhail al-Hassan — in the Hama region’s Sibahi Square. At the time, at least 30,000 Syrian army fighters had gathered in the area. According to witnesses, al-Abdullah issued orders for a southern withdrawal, while al-Hassan commanded his forces to advance north and engage opposition units. The conflicting commands led to a firefight between the two factions that raged for more than two hours. This clash can also be explained by the likelihood that each commander had received contradictory orders, either due to direct infiltration of the command structure or because external actors were using compromised channels to issue false instructions. It remains unclear how much of the command might have been compromised.
In an interview with Syria TV following the fall of the Assad regime, Ahmad al-Sharaa, Syria’s interim leader, revealed additional details about Operation Deterrence of Aggression, the name given to the campaign that ousted the former dictator. He stated that planning for the operation had spanned five years and that the Syrian regime had known about it, but failed to stop it. This, he emphasized, is a matter of certainty.
How did he know?
It is unlikely that any one thread that can be traced in the dramatic fall of the Syrian regime was responsible for unraveling the entirety of the system, and the story of the days leading up to the final campaign may never be fully uncovered. But the Syrian Trojan horse may point to one significant part of that story.