New LightSpy Spyware

LightSpy, known for targeting iOS devices, has been expanded to include capabilities for compromising device security and stability. ThreatFabric, who discovered the malware, initially published a report on LightSpy for macOS in May 2024. During that investigation, the analysts found that the same server managed both the macOS and iOS versions of LightSpy. This discovery allowed ThreatFabric to conduct a new, detailed analysis of the spyware targeting iOS, published today, which found notable updates compared to the 2020 version.

See RedSky’s take: https://redskyalliance.org/xindustry/i-spy-lightspy

This latest version, identified as 7.9.0, is more sophisticated and adaptable, featuring 28 plugins compared to the 12 observed in the earlier version. Seven of these plugins are specifically designed to interfere with device functionality, with capabilities that include freezing the device and preventing it from rebooting. The spyware gains initial access by exploiting known vulnerabilities in Safari and escalates privileges using jailbreak techniques, enabling it to access core device functions and data.

To support these malicious activities, ThreatFabric’s analysts identified five active command-and-control (C2) servers linked to the iOS version of LightSpy. They used open-source intelligence methods to trace self-signed certificates across these servers, each of which was set up to manage infected devices and store exfiltrated data. One of the servers appeared to host an administrator panel, hinting that this infrastructure may also be used for demonstration purposes, potentially showcasing LightSpy’s capabilities to outside parties.
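The certificate pivot described above (linking servers that present the same self-signed certificate) can be reproduced on any set of TLS observations an analyst already holds. The script below is an added illustration, not ThreatFabric's tooling, and every host, subject name and fingerprint in it is a constructed sample value rather than a real LightSpy indicator:

```python
"""Cluster TLS endpoints by shared self-signed certificate.

Added illustration of the certificate-pivot idea, not the researchers'
own code. All hosts, names and fingerprints are constructed sample
values, not real LightSpy infrastructure.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    host: str          # IP:port the certificate was observed on
    subject: str       # certificate subject DN
    issuer: str        # certificate issuer DN
    fingerprint: str   # SHA-256 of the DER-encoded certificate, hex


def is_self_signed(obs: CertObservation) -> bool:
    # A self-signed certificate names itself as issuer. Equal DNs are the
    # usual quick check; a full check would also verify the signature
    # against the certificate's own public key.
    return obs.subject == obs.issuer


def cluster_by_fingerprint(observations):
    """Group hosts that present the same self-signed certificate.

    Returns {fingerprint: sorted hosts} only for certificates seen on at
    least two distinct hosts, since a single-host certificate gives no
    pivot. CA-issued certificates are ignored: they are shared across
    unrelated operators and do not indicate common infrastructure.
    """
    groups = defaultdict(set)
    for obs in observations:
        if is_self_signed(obs):
            groups[obs.fingerprint].add(obs.host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) >= 2}


# Constructed sample data (RFC 5737 documentation addresses): three hosts
# reuse one self-signed certificate, one host has a unique self-signed
# certificate, and one presents a CA-issued certificate.
SAMPLE = [
    CertObservation("203.0.113.10:443", "CN=update-server", "CN=update-server", "aa" * 32),
    CertObservation("203.0.113.11:8443", "CN=update-server", "CN=update-server", "aa" * 32),
    CertObservation("198.51.100.7:443", "CN=update-server", "CN=update-server", "aa" * 32),
    CertObservation("198.51.100.9:443", "CN=panel", "CN=panel", "bb" * 32),
    CertObservation("192.0.2.5:443", "CN=example.org", "CN=Example CA", "cc" * 32),
]

if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SAMPLE).items():
        print(f"{fp[:16]}...: {', '.join(hosts)}")
```

In practice the observations would come from a passive scan dataset or a certificate-transparency-style export; the only fields the clustering needs are the host, the subject and issuer names, and the certificate fingerprint.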

Analysis of the C2 logs showed 15 infected devices, of which eight were iOS. Most of these devices appeared to originate from China or Hong Kong, often connecting through a Wi-Fi network labeled Haso_618_5G, which researchers suspect is a test network.

ThreatFabric’s investigation also found that LightSpy contains a unique plugin for recalculating location data specifically for Chinese systems, suggesting that the spyware’s developers may be based in China. Using so-called “1-day exploits,” LightSpy’s operators take advantage of vulnerabilities soon after they are publicly disclosed.

ThreatFabric recommends that iOS users reboot devices regularly, as LightSpy’s reliance on a “rootless jailbreak” means infections do not survive a reboot, offering users a simple but effective means to disrupt persistent spyware infections.


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
