Pierluigi Paganini
February 26, 2025
Cybersecurity researchers at Hunt.io have found an updated version of the LightSpy spyware that supports an expanded set of data collection features to target social media platforms like Facebook and Instagram.
ThreatFabric researchers first discovered a macOS version of LightSpy spyware in May 2024, the threat has been active in the wild since at least January 2024. ThreatFabric observed threat actors using two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver macOS implants. The experts noticed that a portion of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.
The initial macOS version of LightSpy supported 10 plugins to exfiltrate private information from devices.
LightSpy is a modular spyware that resurfaced in November 2024, after several months of inactivity, the new version supports a modular framework with extensive spying capabilities.
LightSpy can steal files from multiple popular applications like Telegram, QQ, and WeChat, as well as personal documents and media stored on the device. It can also record audio and harvest a wide array of data, including browser history, WiFi connection lists, installed application details, and even images captured by the device’s camera. The malware also grants attackers access to the device’s system, enabling them to retrieve user KeyChain data, device lists, and execute shell commands, potentially gaining full control over the device.. The updated iOS version (7.9.0) has expanded plugins—up from 12 to 28—including seven that disrupt device booting. The report covers the new features and plugin capabilities of this spyware.
ThreatFabric experts reported that the new, enhanced version of Apple iOS spyware LightSpy was supporting new functionalities, including destructive capabilities to prevent the infected device from booting up. The updated iOS version (7.9.0) expanded plugins from 12 up to 28, including seven that disrupt device booting.
The researchers noticed code similarities between the macOS and iOS versions, likely because both versions were designed by the same development team.
The delivery method for the iOS implant is similar to that of the macOS version, but the two versions rely on different post-exploitation and privilege escalation stages.
The new version discovered by Hunt.io supports data extraction features to target Facebook and Instagram application database files.
A recent analysis of LightSpy servers reveals expanded command capabilities, growing from 55 to over 100 commands across multiple platforms, including mobile and desktop.
“The new command list shifts focus from direct data collection to broader operational control, including transmission management (“传输控制”) and plugin version tracking (“上传插件版本详细信息”).” reads the report published by Hunt.io. “These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments more efficiently across multiple platforms.”
LightSpy now targets social media platforms like Facebook and Instagram from Android, extracting messages, contacts, and metadata, enhancing surveillance and exploitation potential.
“This is the first reference we are aware of Facebook and Instagram database targeting within LightSpy’s command structure. Additionally, the list references “Enigma,” which may correspond to the secure messaging platform of the same name.” Hunt.io added.
The experts also noticed that LightSpy’s operator now removes destructive iOS plugins, and supports 15 Windows plugins for keylogging and audio recording.
The researchers identified LightSpy’s admin panels, hosted on multiple IPs, feature unique endpoints for login, remote access, and device management, revealing insights into its infrastructure.
Hunt.io found an endpoint (“/phone/phoneinfo”) in LightSpy’s admin panel that allows remote control of infected devices, though its novelty remains unclear.
Researchers shared Indicators of Compromise (IoCs) for this threat, they will continue refining tracking methods to detect new LightSpy C2 servers as they emerge.
“LightSpy’s infrastructure reveals previously unreported components and administrative functionality, though it remains unclear whether these represent new developments or older versions not publicly documented. Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms.” concludes the report. “The exposure of admin panel authentication endpoints provides insight into how operators manage compromised systems and suggests that aspects of LightSpy’s infrastructure may be monitored or tracked through behavioral analysis of authentication flows. Understanding how these endpoints function helps profile operational patterns and uncover related infrastructure.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LightSpy spyware)
