Security researchers say that an implant previously thought to be iOS-only is actually a new macOS version of LightSpy. In April 2024, BlackBerry reported the resurgence of the LightSpy mobile espionage campaign in Southern Asia and probably India, calling it an iOS implant.
The implant showed advanced techniques, such as certificate pinning to keep communication with its C2 server undetected, and expanded capabilities, including file theft from apps like Telegram, QQ, or WeChat, audio recording, data harvesting, and system access.
Later that month, Huntress researchers determined that the sample was in fact a macOS variant of the LightSpy malware, showing that macOS users could have been targeted. However, the researchers concluded that the analyzed sample only runs on Intel Macs or on Apple Silicon devices with Rosetta 2 enabled.
LightSpy became known due to an iOS version discovered in 2020, and even though the macOS version has many similarities, the latter seems to be more organized overall and exhibits significantly improved operational security and more matured development practices, as per Huntress.
ThreatFabric added further details of its own to this research. The still unidentified threat group delivered the macOS implants via two publicly available exploits (CVE-2018-4233, CVE-2018-4404) targeting version 10, and the implant supported 10 plugins for exfiltrating private data from affected systems.
LightSpy is a complex, fully-featured modular surveillance toolset that primarily focuses on stealing victims’ private information, turning the infected device into a powerful spying tool. It can exfiltrate device information, saved files, hyper-specific GPS data, sound recording during VOIP calls, WeChat Pay payment history, as well as phone contacts, SMSs, call history, connected WiFi history, and Safari and Chrome browser history.