S1185 LightSpy
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as .dylib files (iOS, macOS) or .apk files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]
| Item | Value |
|---|---|
| ID | S1185 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 03 January 2025 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LightSpy’s C2 communication is performed over WebSockets using the open source library SocketRocket, with functionality such as heartbeat, receiving commands, and updating command status.[2] |
| enterprise | T1123 | Audio Capture | LightSpy uses Apple’s built-in AVFoundation Framework library to capture and manage audio recordings, then transforms them into JSON blobs for exfiltration.[2] |
| enterprise | T1217 | Browser Information Discovery | To collect data on the host’s Wi-Fi connection history, LightSpy reads the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file. It also utilizes Apple’s CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.[2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.001 | Keychain | LightSpy performs an in-memory keychain query via SecItemCopyMatching(), then formats the retrieved data as a JSON blob for exfiltration.[2] |
| enterprise | T1480 | Execution Guardrails | On macOS, LightSpy checks for the existence of a process identification number (PID) file, /Users/Shared/irc.pid, to verify whether LightSpy is currently running.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | To exfiltrate data, LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name.[2] |
| enterprise | T1083 | File and Directory Discovery | LightSpy uses NSFileManager to move, create, and delete files. LightSpy can also use the assembly bt instruction to determine a file’s executable permissions.[2] |
| enterprise | T1105 | Ingress Tool Transfer | On macOS, LightSpy downloads a .json file from the C2 server. The .json file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the .json file, which are compiled .dylib files. These .dylib files provide task- and platform-specific functionality. LightSpy also imports open-source libraries to manage socket connections.[2] |
| enterprise | T1046 | Network Service Discovery | To collect data on the host’s Wi-Fi connection history, LightSpy reads the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file. It also utilizes Apple’s CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | LightSpy’s configuration file is appended to the end of the binary. For example, the last 0x1d0 bytes of one sample are an AES-encrypted configuration file with the static key 3e2717e8b3873b29.[2] |
| enterprise | T1027.013 | Encrypted/Encoded File | LightSpy encrypts the C2 configuration file using AES with a static key, while the module .dylib files use a rolling one-byte encoding for obfuscation.[2] |
| enterprise | T1057 | Process Discovery | If sent the command 16002, LightSpy uses the NSWorkspace runningApplications() method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications.[2] |
| enterprise | T1113 | Screen Capture | LightSpy uses Apple’s built-in AVFoundation Framework library to access the user’s camera and screen. It uses AVCaptureStillImage to take a picture with the user’s camera and AVCaptureScreen to take a screenshot or record the user’s screen for a specified period of time.[2] |
| enterprise | T1129 | Shared Modules | LightSpy’s main executable and module .dylib binaries are loaded using a combination of dlopen() to load the library, _objc_getClass() to retrieve the class definition, and _objc_msgSend() to invoke the specified method in the loaded class.[2] |
| enterprise | T1518 | Software Discovery | If sent the command 16001, LightSpy uses the NSFileManager contentsOfDirectoryAtPath() method to enumerate the Applications folder and collect the bundle name, bundle identifier, and version information from each application’s Info.plist file. The results are then converted into a JSON blob for exfiltration.[2] |
| enterprise | T1082 | System Information Discovery | LightSpy’s second-stage implant uses the DeviceInformation class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc.[2] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | LightSpy has used both HTTPS and WebSockets to communicate with the C2.[4][5][3] |
| mobile | T1532 | Archive Collected Data | LightSpy collects and compresses data to be exfiltrated using SSZipArchive.[3][5] |
| mobile | T1429 | Audio Capture | LightSpy has captured environment audio, phone calls, and Voice over IP (VoIP) calls.[7][1][4][5][3] |
| mobile | T1398 | Boot or Logon Initialization Scripts | LightSpy has established auto-start execution during the system boot process.[5] |
| mobile | T1623 | Command and Scripting Interpreter | LightSpy has plugins for executing shell commands either from the C2 server or from a library file called zt.dylib.[1][5][3] |
| mobile | T1634 | Credentials from Password Store | - |
| mobile | T1634.001 | Keychain | LightSpy has accessed the device’s Keychain data.[1][5][6][3] |
| mobile | T1662 | Data Destruction | LightSpy has deleted media files and messenger-related files on the device.[5] Additionally, LightSpy has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line, and WhatsApp.[3] |
| mobile | T1533 | Data from Local System | LightSpy has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and WhatsApp, and browser history from Chrome and Safari.[1][4][5][6][3] |
| mobile | T1456 | Drive-By Compromise | LightSpy gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. Upon loading index.html, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a .png extension.[7][6][3][5] |
| mobile | T1642 | Endpoint Denial of Service | LightSpy has used the DeleteSpring plugin to render the device’s user interface inoperable by disabling SpringBoard, which is iOS’s home screen manager.[3] LightSpy has used the BootDestroy plugin to prevent the victim device from booting by setting the NVRAM parameter auto-boot to false.[3] Additionally, LightSpy has renamed the Wi-Fi daemon to disable wireless connectivity.[3] |
| mobile | T1646 | Exfiltration Over C2 Channel | LightSpy has exfiltrated collected data to the C2.[3] |
| mobile | T1658 | Exploitation for Client Execution | LightSpy has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.[6] |
| mobile | T1404 | Exploitation for Privilege Escalation | LightSpy uses the embedded time_waste function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a .dylib into the SpringBoard process, allowing persistent access to audio and video capture.[3][5] |
| mobile | T1544 | Ingress Tool Transfer | LightSpy has retrieved files from the C2 server.[1][5] Examples of files from the C2 are amfidebilitate (jailbreak component), jbexec (executable to verify jailbreak), bb (FrameworkLoader), cc (launchctl binary for persistence), b.plist (configuration for auto-start), and resources.zip, which contains additional jailbreak-related components.[3] |
| mobile | T1430 | Location Tracking | LightSpy has accessed the device’s GPS location.[1][4][6][3] |
| mobile | T1655 | Masquerading | LightSpy has masqueraded a Mach-O executable as a .png file.[5][3] |
| mobile | T1575 | Native API | LightSpy’s main executable and modules use native libraries to execute targeted functionality.[4][1][3][5] |
| mobile | T1423 | Network Service Scanning | LightSpy uses the landevices module to enumerate devices on the same Wi-Fi network through active scanning.[5][3][6] |
| mobile | T1509 | Non-Standard Port | LightSpy has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.[4] |
| mobile | T1406 | Obfuscated Files or Information | Using an XOR-chain algorithm, LightSpy decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key 3e2717e8b3873b29.[4][1][5][3] Additionally, LightSpy’s plugins have been encrypted during transmission.[3] |
| mobile | T1660 | Phishing | LightSpy has delivered malicious links through Telegram channels and Instagram posts.[7][6] |
| mobile | T1424 | Process Discovery | LightSpy has collected a list of running processes.[5][3] |
| mobile | T1631 | Process Injection | LightSpy injects libcynject.dylib into the SpringBoard process to enable audio/video recording.[3] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | LightSpy has accessed the device’s call log.[1][4][5][6][3] |
| mobile | T1636.003 | Contact List | LightSpy has accessed the device’s contact list.[1][4][5][6][3] |
| mobile | T1636.004 | SMS Messages | LightSpy has accessed SMS messages.[1][4][5][3] |
| mobile | T1513 | Screen Capture | LightSpy has a plugin that can take screenshots.[5][3] |
| mobile | T1582 | SMS Control | LightSpy has sent and deleted SMS messages.[4][5][3] |
| mobile | T1418 | Software Discovery | LightSpy has accessed a list of installed applications.[1][4][5][3] |
| mobile | T1409 | Stored Application Data | LightSpy has collected payment history from WeChat Pay.[1][4][3] |
| mobile | T1426 | System Information Discovery | LightSpy collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.[3][5][4][1] |
| mobile | T1422 | System Network Configuration Discovery | LightSpy has collected device information such as the IMEI, phone number, MAC address, and IP address.[3] |
| mobile | T1422.002 | Wi-Fi Discovery | LightSpy uses the WifiList (or libWifiList) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.[1][3][5][4] |
| mobile | T1421 | System Network Connections Discovery | LightSpy has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.[7][1][4][5][6] |
| mobile | T1512 | Video Capture | LightSpy has the ability to take one picture, continuous pictures, or event-related pictures using the device’s camera.[7][1][4][5][3] For iOS devices, the default file type for pictures is High Efficiency Image Format (HEIC); for Android devices, the default file type is JPEG. |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | [1] |
References
1. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.
2. Ashenbrenner, S., Schmidt, A. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
3. Bestuzhev, D. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
4. ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.
5. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
6. Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.
7. Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.