Lightspy

Threat Actor updated a day ago (2024-11-20T17:37:42.950Z)

Download STIX

Preview STIX

LightSpy is a threat actor known for its sophisticated and malicious activities. It first gained attention in 2022 when it began deploying its namesake spyware, LightSpy, which has since evolved to possess extensive spying capabilities. The group has strategically enhanced its capabilities over time, allowing it to intercept communications and steal data with total stealth, according to Blackberry researchers. A key feature of LightSpy's operation is its modular framework, enabling it to adapt and expand its functionalities as required. The spyware can exfiltrate data from popular applications such as Telegram, QQ, and WeChat, and also access personal documents and media stored on the device. In a renewed espionage campaign targeting South Asia, particularly India, LightSpy has introduced an upgraded version of its Apple iOS spyware. This new version, discovered by ThreatFabric experts in May 2024, supports destructive capabilities that can prevent infected devices from booting up. Notably, this new version had been active in the wild since at least January 2024. The spyware is downloaded via FrameworkLoader, which then installs LightSpy’s core module and the necessary plugins used by the spyware. In addition to its iOS operations, LightSpy has also developed a macOS version of its spyware, further broadening its attack surface. This version supports ten plugins designed to exfiltrate private information from devices, demonstrating the group's persistent efforts to enhance its surveillance capabilities. The discovery of these developments underscores the growing threat posed by LightSpy and the need for constant vigilance and robust cybersecurity measures.

Description last updated: 2024-11-15T16:09:40.426Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT41 is a possible alias for Lightspy. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi	3
Wicked Panda is a possible alias for Lightspy. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati	2
DragonEgg is a possible alias for Lightspy. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ios

Malware

Implant

State Sponso...

Macos

Apt

Spyware

Threatfabric

Exploit

Android

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Lightspy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	21 hours ago	China-linked actor's malware DeepData exploits FortiClient VPN zero-day - Security Affairs
Securityaffairs	20 days ago	New LightSpy spyware version targets iPhones with destructive capabilities
DARKReading	7 days ago	Toolkit Vastly Expands APT41's Surveillance Powers
InfoSecurity-magazine	23 days ago	New LightSpy Spyware Targets iOS with Enhanced Capabilities
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 474 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Experts found a macOS version of the sophisticated LightSpy spyware
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint	7 months ago	29th April – Threat Intelligence Report - Check Point Research
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 468 by Pierluigi Paganini – INTERNATIONAL EDITION