{ "id": "57d8e637-afd6-4212-a508-19d381a7507f", "created_at": "2026-04-06T00:06:43.58761Z", "updated_at": "2026-04-10T03:34:41.576843Z", "deleted_at": null, "sha1_hash": "06d6477974ebbc708257372ae3cf697d79e8c0f7", "title": "lightSpy (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46664, "plain_text": "lightSpy (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:56:45 UTC\r\nlightSpy\r\nThere is no description at this point.\r\nReferences\r\n2025-02-20 ⋅ Hunt.io ⋅\r\nLightSpy Expands Command List to Include Social Media Platforms\r\nlightSpy\r\n2024-11-15 ⋅ Volexity ⋅ Callum Roxan, Charlie Gardner, Paul Rascagnères\r\nBrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA\r\nlightSpy LIGHTSPY BH_A006 DEEPDATA DEEPPOST BrazenBamboo\r\n2024-06-06 ⋅ Hunt.io ⋅ Hunt.io\r\nTracking LightSpy: Certificates as Windows into Adversary Behavior\r\nlightSpy\r\n2023-10-02 ⋅ ThreatFabric ⋅ ThreatFabric\r\nLightSpy mAPT Mobile Payment System Attack\r\nDragonEgg WyrmSpy lightSpy\r\n2020-03-26 ⋅ Kaspersky Labs ⋅ Alexey Firsh, Brian Bartholomew, Kurt Baumgartner\r\niOS exploit chain deploys LightSpy feature-rich malware\r\ndmsSpy lightSpy TwoSail Junk\r\n2020-03-24 ⋅ Trend Micro ⋅ Ecular Xu, Elliot Cao, Joseph Chen, Lilang Wu, William Gamazo Sanchez\r\nOperation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links\r\ndmsSpy lightSpy\r\n2020-03-24 ⋅ Trend Micro ⋅ Ecular Xu, Elliot Cao, Joseph Chen, Lilang Wu, William Gamazo Sanchez\r\nTechnical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News\r\nLinks\r\ndmsSpy lightSpy\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy" ], "report_names": [ "ios.lightspy" ], "threat_actors": [ { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "24d5f393-f5c7-41a3-8d8f-2f9129a2925e", "created_at": "2024-11-20T02:00:03.66537Z", "updated_at": "2026-04-10T02:00:03.776928Z", "deleted_at": null, "main_name": "BrazenBamboo", "aliases": [], "source_name": "MISPGALAXY:BrazenBamboo", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747", "created_at": "2023-11-08T02:00:07.166789Z", "updated_at": "2026-04-10T02:00:03.432192Z", "deleted_at": null, "main_name": "TwoSail Junk", "aliases": [ "Operation Poisoned News" ], "source_name": "MISPGALAXY:TwoSail Junk", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "741d58a1-0fc0-41a8-9681-106a06c07e61", "created_at": "2022-10-25T16:07:23.983046Z", "updated_at": "2026-04-10T02:00:04.822372Z", "deleted_at": null, "main_name": "Operation Poisoned News", "aliases": [ "Operation Poisoned News", "TwoSail Junk" ], "source_name": "ETDA:Operation Poisoned News", "tools": [ "dmsSpy", "lightSpy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434003, "ts_updated_at": 1775792081, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/06d6477974ebbc708257372ae3cf697d79e8c0f7.pdf", "text": "https://archive.orkl.eu/06d6477974ebbc708257372ae3cf697d79e8c0f7.txt", "img": "https://archive.orkl.eu/06d6477974ebbc708257372ae3cf697d79e8c0f7.jpg" } }