I Spy... LightSpy

12640553088?profile=RESIZE_400xLightSpy is a modular surveillance framework that can be used to steal a variety of data, including files, screenshots, mobile location data, or even messenger data from apps like Telegram.  It was first documented by TrendMicro and Kapersky in 2020 as an iOS implant.  At the time, LightSpy would spread through a watering hole method, which is to say that targets would be directed to pages mimicking local news sites.  An example page can be seen in the image below.  The APT group said to be responsible for LightSpy was named “TwoSail Junk” by Kapersky.  The targets of LightSpy attacks tend to be located in Asian and Pacific regions.

These days, analysis indicates that LightSpy can be used on more than just mobile platforms, such as Windows, macOS, and Linux desktops, and perhaps even networking devices from Netgear, Linksys, and Asus.  With that said, it’s worth noting that fully functional linux or router variants have not been found yet.  Currently, the desktop variants appear to only be used in testing.



Source: Kapersky


A macOS implant discovered by ThreatFabric and has been active since at least January 2024.  Files were discovered on January 11th being uploaded to VirusTotal containing a string of digits already known to correspond to path names for LightSpy for Android and iOS.  This then led to the discovery of HTML and Javascript files that were connected to a WebKit vulnerability in macOS versions 10.13.3 and below.  The CVEs connected to this vulnerability are listed here.

Researchers were able to gain insights into how into LightSpy’s capabilities by exploiting a misconfiguration in the control panel.  A visual of this control panel can be seen below.


Source: ThreatFabric

The LightSpy core is run by a component named “macircloader.”  This core is responsible for interfacing with the command-and-control server and also acts as a sort of plugin management system, whereby spyware functionality is broken up into multiple “plugins.”  The functionality of the various LightSpy plugins can include things like capturing microphone input, extracting data from browsers, capturing photos with the camera, file management and exfiltration, network scanning, screen recording, and executing shell commands.

The first stage of the infection is carried out by exploiting WebKit flaws that we mentioned earlier in Safari, which allow for code execution.  This targets macOS 10.13.3 and earlier.  Once this is completed, a Mach-O executable disguised as a PNG file is delivered to the system.  The Mach-O binary executes scripts for downloading additional payloads, including a privilege escalation exploit, and encryption utility, and a zip file containing other executables.  Eventually all of these files are decrypted, root access is gained on the machine, and persistence is established by the executables contained within the downloaded ZIP file.


Source: ThreatFabric

From there, the “macircloader” is then called to download, decrypt, and execute the LightSpy core, which is essentially the primary framework of the operation, managing command and control, in addition to interfacing with the various plugins.  As we mentioned a moment ago, there are a number of plugins to perform a variety of tasks, but the number of plugins does seem to change depending on the platform.  For example, the macOS variant appears to have 10 available plugins, while LightSpy on Android and iOS have 14 and 16 plugins respectively.

In summary, LightSpy is a modular surveillance framework that can be used to steal a variety of data like files and screenshots, or even mobile location data.  It was first documented in 2020 as an iOS implant and is attributed to the APT group TwoSail Junk.  ThreatFabric discovered an apparent macOS variant of LightSpy in January of this year.  LightSpy related files were found on VirusTotal that also connected with WebKit vulnerabilities found in macOS.  Researchers were able to discover more about LightSpy by taking advantage of a misconfiguration in its control panel.

In terms of the attack chain, Infection begins by exploiting the previous mentioned WebKit flaws and downloading a binary payload disguised as a PNG file.  This file then downloads additional payloads for performing privilege escalation and handling various decryption tasks.  An additional script then downloads the LightSpy core, which is responsible for command and control and managing plugins.


[1]: https://www.threatfabric.com/blogs/lightspy-implant-for-macos

[2]: https://www.bleepingcomputer.com/news/security/macos-version-of-elusive-lightspy-spyware-tool-discovered/

[3]: https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/

[4]: https://thehackernews.com/2020/03/iphone-iOS-spyware.html

[5]: https://thehackernews.com/2024/04/chinese-linked-lightspy-ios-spyware.html



Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

Weekly Cyber Intelligence Briefings:


  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!