LightSpy
LightSpy is a modular mobile spyware/backdoor family targeting iOS and macOS, with reporting also noting shared infrastructure and exploit URL patterns across Android, macOS, and iOS campaigns. It has been described as a modular backdoor that allows remote command execution on infected devices and extensive surveillance and data theft.

Documented capabilities include collecting device information such as phone number, IMEI, CPU details, screen specifications, memory information, MAC address, and IP address; accessing SMS messages, sending and deleting SMS messages; stealing contacts and call logs; collecting and exfiltrating files from Telegram, QQ, WeChat, and WhatsApp; and stealing browser history from Chrome and Safari. Additional reported iOS capabilities include location tracking, identifying Wi-Fi networks the victim has connected to, scanning nearby Wi-Fi networks via Apple APIs, reading /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist, scanning the local network, uploading detected IP address data, and stealing data from Apple Keychain. ThreatFabric reported that LightSpy exfiltrates module data as obfuscated JSON blobs to hardcoded URL paths aligned to module names and uses both HTTPS and WebSockets for C2 and exfiltration.

A January watering-hole campaign targeting Hong Kong residents used cloned local news sites and iframe/WebKit exploit delivery to infect iPhones; reporting states infection could occur by visiting a malicious page, and similarities were noted with a 2020 Hong Kong-focused campaign. ThreatFabric’s May 2024 reporting on LightSpy for macOS and iOS found newer iOS samples using Safari/WebKit and privilege-escalation exploits including CVE-2020-9802 and CVE-2020-3837, with references to CVE-2020-9870 and CVE-2020-9910. The newer iOS variant expanded from 12 to as many as 28 plugins, including destructive plugins capable of freezing devices or interfering with boot, such as Bootdestroy and DeleteKernelFile.
Reported infrastructure included active C2 servers at 103.43.17[.]99, 103.27.109[.]217, 43.248.136[.]110, 222.219.183[.]84, and 103.27.109[.]28. ThreatFabric assessed the operators as likely China-based, citing China-specific coordinate handling in the location plugin, Chinese phone numbers among observed victims, and development artifacts. Reported targeting and victimology center on Hong Kong residents and at least one apparent real target in China.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
This time it was CVE-2020-9802, which was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6. | In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS.
They utilized the publicly available Safari exploit CVE-2020-9802 for initial access... This time it was CVE-2020-9802, which was fixed in iOS 13.5 | In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS.
They utilized the publicly available Safari exploit CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation... The threat actor created "20012001330.png" to trigger vulnerability CVE-2020-3837 using a “time_waste” exploit and a corresponding jailbreak kit. | In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS.
This time it was CVE-2020-9802, which was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6. | In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“The technical details around the functionality of the iOS implant, called LightSpy… reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.”
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
experts detected a large-scale watering-hole attack aimed at residents of Hong Kong... The malware landed on victims’ smartphones when they visited one of several websites disguised as local news resources | All it took for the iPhone to get infected was one visit to a malicious page. There was no need even to tap anything.
Execution (5 techniques)
LightSpy malware is a modular backdoor that lets an attacker remotely execute commands on the infected device
Bootdestroy plugin... will spawn the shell and execute the following shell command: /usr/sbin/nvram auto-boot=false .
FrameworkLoader will call two functions: _inject and trustBin... copied from the 'jelbrek.m' file... This file will try to inject libcynject.dylib into SpringBoard process.
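As an added detection example (not code from ThreatFabric, Mallory, or any of the sources quoted on this page), the following Python matches telemetry against two indicators described above: connections to the reported LightSpy C2 addresses, and the nvram auto-boot=false command attributed to the Bootdestroy plugin. The log line format, the SAMPLE_LOGS contents and the function names are constructed assumptions for the example; the C2 addresses are the ones reported on the page, refanged for matching.

```python
import re
from ipaddress import ip_address

# LightSpy C2 addresses as reported on the page (defanged form).
LIGHTSPY_C2_DEFANGED = [
    "103.43.17[.]99",
    "103.27.109[.]217",
    "43.248.136[.]110",
    "222.219.183[.]84",
    "103.27.109[.]28",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in telemetry."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# Plain-text C2 IPs for O(1) lookup.
LIGHTSPY_C2 = {refang(ioc) for ioc in LIGHTSPY_C2_DEFANGED}

# Any dotted-quad candidate; validated with ip_address() before use.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Bootdestroy's reported command; tolerate extra whitespace around '='.
BOOTDESTROY_RE = re.compile(r"nvram\s+auto-boot\s*=\s*false")

# Constructed sample telemetry (hypothetical key=value format).
# Benign destinations use RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    'proxy 2024-05-02T10:14:03Z src=10.0.0.5 dst=103.27.109.217:443 method=CONNECT upgrade=websocket',
    'proxy 2024-05-02T10:14:07Z src=10.0.0.5 dst=192.0.2.10:443 method=CONNECT host=www.example.com',
    'endpoint 2024-05-02T10:15:01Z host=mac-01 user=root cmd="/usr/sbin/nvram auto-boot=false"',
    'endpoint 2024-05-02T10:15:09Z host=mac-01 user=root cmd="/usr/sbin/nvram -p"',
    'dns 2024-05-02T10:16:00Z src=10.0.0.7 qname=example.org answer=198.51.100.7',
]


def extract_ipv4(line: str) -> list[str]:
    """Return the syntactically valid IPv4 addresses found in a line."""
    found = []
    for cand in IPV4_RE.findall(line):
        try:
            ip_address(cand)  # rejects octets > 255 such as 999.1.1.1
        except ValueError:
            continue
        found.append(cand)
    return found


def scan_line(line: str) -> list[dict]:
    """Return findings for a single telemetry line."""
    findings = []
    for ip in extract_ipv4(line):
        if ip in LIGHTSPY_C2:
            findings.append({
                "kind": "lightspy_c2_ip",
                "value": ip,
                # WebSocket C2 was reported for this family; note it for triage.
                "websocket": "websocket" in line.lower(),
            })
    m = BOOTDESTROY_RE.search(line)
    if m:
        findings.append({"kind": "bootdestroy_nvram", "value": m.group(0), "websocket": False})
    return findings


def scan_telemetry(lines: list[str]) -> list[dict]:
    """Scan every line; each finding carries its 1-based line number."""
    results = []
    for n, line in enumerate(lines, start=1):
        for f in scan_line(line):
            f["line"] = n
            results.append(f)
    return results


if __name__ == "__main__":
    for f in scan_telemetry(SAMPLE_LOGS):
        tag = " (websocket)" if f["websocket"] else ""
        print(f"line {f['line']}: {f['kind']} -> {f['value']}{tag}")
```

Run as-is, the script flags line 1 (a CONNECT with a WebSocket upgrade to a reported C2 address) and line 3 (the Bootdestroy nvram command), and ignores the benign proxy, nvram -p and DNS lines. The IP match is exact-set membership, so the indicator list can be swapped for the full Mallory export without changing the scanner; the regex for the nvram command is deliberately narrow so that routine nvram reads do not alert.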
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (5 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
AppDelete... Can delete messenger-related victim files... BrowserDelete... can wipe browser history... ContactDelete... can delete specified contacts... MediaDelete... deleting media files... SMSDelete... deletes specified SMS message
Credential Access (2 techniques)
Discovery (7 techniques)
Royal can scan the network interfaces of targeted systems. LightSpy reads the host's Wi‑Fi connection history and utilizes Apple's CWWiFiClient API to scan for nearby Wi‑Fi networks and obtain SSID, security type, and RSSI values.
The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
AbstractEmu can collect device IP address and SIM information; Android/SpyAgent has collected device network information, such as the IMEI and the phone number; ANDROIDOS_ANSERVER.A gathers the device IMEI and IMSI; many listed mobile malware families collect IMEI, IMSI, ICCID, MEID, serial number, phone number, MAC address, IP address, carrier, MCC/MNC, and related device/network identifiers.
Collection (6 techniques)
AbstractEmu can collect files from or inspect the device’s filesystem. AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf. BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.
cameramodule 1.0.0 Takes camera shots. Can do a one-shot or take several shots for a specified time interval
Command and Control (3 techniques)
Libwebsockets, for C2 communication... all communication with the control server will be done using only the Core... via Web socket.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2. | Examples include 'Drovorub ... initiated communication with C2 servers with an HTTP Upgrade request' and 'COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.'
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
121 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Modular spyware implant with expanded command set; targets multiple OSes and harvests data including from social media platforms.
Cross-platform surveillance framework affecting macOS and other OSes, enabling surveillance and data exfiltration; described as often linked to Chinese APT groups.
macOS spyware mentioned as an example of more insidious macOS malware variants.
LightSpy is an iOS spyware family previously distributed via watering-hole attacks targeting Hong Kong citizens, using WebKit exploits to compromise devices and exfiltrate sensitive data.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.