{
	"id": "86e62225-c5bb-4813-b3f8-52c887269987",
	"created_at": "2026-04-06T00:18:34.793625Z",
	"updated_at": "2026-04-10T13:12:32.863761Z",
	"deleted_at": null,
	"sha1_hash": "21a6f9940acf053735cf3d69eb81193ae87d66e1",
	"title": "Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links - RedPacket Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162804,
	"plain_text": "Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links - RedPacket Security\r\nBy March 22, 2026\r\nPublished: 2020-03-26 · Archived: 2026-04-05 14:16:46 UTC\r\nBy Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu\r\nA recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links do display the actual news site, the attacker’s page also uses a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users who click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).\r\nThe malware is a modular backdoor that allows the threat actor to remotely execute shell commands and manipulate files on the affected device. This allows an attacker to spy on a user’s device, as well as take full control of it. It contains different modules for exfiltrating data from the infected device, including:\r\nConnected WiFi history\r\nContacts\r\nGPS location\r\nHardware information\r\niOS keychain\r\nPhone call history\r\nSafari and Chrome browser history\r\nSMS messages\r\nInformation about the user’s network environment is also exfiltrated from the target device:\r\nAvailable WiFi networks\r\nLocal network IP addresses\r\nMessenger applications are also specifically targeted for data exfiltration. Among the apps specifically targeted are:\r\nTelegram\r\nQQ\r\nWeChat\r\nOur research also uncovered a similar campaign aimed at Android devices in 2019. Links to malicious .APK files were found on various public Hong Kong-related Telegram channels. These messages claimed they were for various legitimate apps, but they led to malicious apps that could exfiltrate device information, contacts, and SMS messages. We called this Android malware family dmsSpy (variants of dmsSpy are detected as AndroidOS_dmsSpy.A).\r\nThe design and functionality of the operation suggest that the campaign isn’t meant to target specific victims, but aims to compromise as many mobile devices as possible for device backdooring and surveillance. We named the campaign Operation Poisoned News based on its distribution methods.\r\nThis blog post provides a high-level overview of the capabilities of both lightSpy and dmsSpy, as well as their distribution methods. Further technical details, including indicators of compromise (IoCs), are contained in the related technical brief.\r\nDistribution: Poisoned News and Watering Holes\r\nOn February 19, we identified a watering hole attack targeting iOS users. The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites. The only visible iframe leads to a legitimate news site, which makes people believe they are visiting that site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits. The screenshot below shows the code of these three iframes:\r\nFigure 1. HTML code of malicious website, with three iframes\r\nLinks to these malicious sites were posted on four different forums, all known to be popular with Hong Kong residents. These forums also provide their users with an app, so that their readers can easily visit them on their mobile devices. Poisoned News posted its links in the general discussion sections of those forums. The post would include the headline of a given news story, any accompanying images, and the (fake) link to the news site.\r\nThe articles were posted by newly registered accounts on the forums in question, which leads us to believe that these posts were not made by users resharing links that they thought were legitimate. The topics used as lures were either sex-related, clickbait-type headlines, or news related to the COVID-19 disease. We do not believe that these topics were targeted at any users specifically; instead they targeted the users of the sites as a whole.\r\nFigure 2. List of news topics posted by the campaign\r\nFigure 3. Forum post with the link to malicious site\r\nAside from the above technique, we also saw a second type of watering hole website. In these cases, a legitimate site was copied and injected with a malicious iframe. Our telemetry indicates that the distribution of links to this type of watering hole in Hong Kong started on January 2. However, we do not know where these links were distributed.\r\nFigure 4. Copied news page with iframe with malicious exploit\r\nThese attacks continued through March 20, with forum posts that supposedly linked to a schedule for protests in Hong Kong. The link would instead lead to the same infection chain as in the earlier cases.\r\nFigure 5. Link to malicious site claiming to be a schedule\r\nInfection Chain\r\nThe exploit used in this attack affects iOS 12.1 and 12.2. It targets a variety of iPhone models, from the iPhone 6S up to the iPhone X, as seen in the code snippet below:\r\nFigure 6. Code checking for target devices\r\nThe full exploit chain involves a silently patched Safari bug (which works on multiple recent iOS versions) and a customized kernel exploit. Once the Safari browser renders the exploit, it triggers the Safari bug (which Apple silently patched in newer iOS versions), leading to the exploitation of a known kernel vulnerability to gain root privileges. The kernel bug is connected to CVE-2019-8605. The silently patched Safari bug does not have an associated CVE, although other researchers have mentioned a history of failed patches related to this particular issue.\r\nOnce the device is compromised, the attacker installs undocumented and sophisticated spyware to maintain control over the device and exfiltrate information. The spyware uses a modular design with multiple capabilities, including the following:\r\nModule updates\r\nRemote command dispatch per module\r\nComplete shell command module\r\nMany of this spyware’s modules were designed explicitly for data exfiltration; for example, modules that steal information from Telegram and WeChat are both included. The figure below shows the infection chain and the various modules it uses.\r\nFigure 7. Diagram of lightSpy’s infection chain\r\nWe chose to give this new threat the name lightSpy, from the name of the module manager, which is light. We also note that a decoded configuration file that the launchctl module uses includes a URL that points to a /androidmm/light location, which suggests that an Android version of this threat exists as well.\r\nOne more note: The file payload.dylib is signed with a legitimate Apple developer certificate, but the signature was only applied on November 29, 2019. This places a definite timestamp on the start of this campaign’s activity.\r\nOverview of Malicious Behavior of lightSpy\r\nThis section of the blog post provides a short overview of lightSpy and its associated payloads (space constraints limit the details we can provide). However, we provide more technical details in the technical brief.\r\nWhen the kernel exploit is triggered, payload.dylib proceeds to download multiple modules, as seen in the code below:\r\nFigure 8. Downloaded modules\r\nSome of these modules are associated with startup and loading. For example, launchctl is a tool used to load or unload daemons/agents, and it does this using ircbin.plist as an argument. This daemon, in turn, executes irc_loader, but (as the name implies) it is just a loader for the main malware module, light. It does, however, contain the hardcoded location of the C\u0026C server.\r\nThe light module serves as the main control for the malware, and is capable of loading and updating the other modules.\r\n
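The launchctl / ircbin.plist / irc_loader step described above is a launchd persistence entry, which is exactly the artifact a responder goes looking for on a file system copied off a suspect device. The script below is an added example for this page, not code from the original post or from Trend Micro: it parses launchd property lists with Python’s standard plistlib and flags jobs that run a program from a writable location, that run a program outside the normal system paths, or that carry a non-Apple label while being started at boot and kept alive. It also generalises the check to a whole LaunchDaemons directory. The two sample plists, the label com.example.ircbin and the path /private/var/tmp/irc_loader are constructed for illustration; none of them are values recovered from the real ircbin.plist.

```python
import os
import plistlib

# Paths from which launchd normally starts jobs on a stock iOS/macOS
# install. Anything else gets a closer look.
SYSTEM_PREFIXES = ('/System/', '/usr/', '/sbin/', '/bin/', '/Applications/')
# Locations a post-exploitation payload can write to without touching
# the read-only system volume.
WRITABLE_PREFIXES = ('/private/var/', '/var/', '/tmp/', '/private/tmp/')

# Constructed sample modelled on the page's description of lightSpy's
# persistence (launchctl loading ircbin.plist, which runs irc_loader).
# The label, path and flags are assumptions for illustration, not
# values recovered from the real sample.
SUSPICIOUS_PLIST = b'''<plist version='1.0'>
<dict>
  <key>Label</key><string>com.example.ircbin</string>
  <key>ProgramArguments</key>
  <array><string>/private/var/tmp/irc_loader</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>'''

# Constructed benign job for comparison: an Apple label and a binary
# under /usr/sbin (also an assumption, not a real Apple daemon).
BENIGN_PLIST = b'''<plist version='1.0'>
<dict>
  <key>Label</key><string>com.apple.example.daemon</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/example_daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>'''


def program_path(item):
    # launchd runs either Program or ProgramArguments[0]; Program wins.
    if item.get('Program'):
        return item['Program']
    args = item.get('ProgramArguments') or []
    return args[0] if args else None


def assess_launch_item(data):
    # Parse one launchd plist and return its label, the program it
    # starts and the list of reasons it deserves a closer look.
    item = plistlib.loads(data)
    label = item.get('Label', '')
    path = program_path(item)
    findings = []
    if path is None:
        findings.append('no Program or ProgramArguments')
    elif path.startswith(WRITABLE_PREFIXES):
        findings.append('program lives in a writable location: ' + path)
    elif not path.startswith(SYSTEM_PREFIXES):
        findings.append('program outside system paths: ' + path)
    if (not label.startswith('com.apple.')
            and item.get('RunAtLoad') and item.get('KeepAlive')):
        findings.append('non-Apple job started at boot and kept alive by launchd')
    return {'label': label, 'program': path, 'findings': findings}


def scan_directory(directory):
    # Walk a LaunchDaemons directory copied off a device image and
    # return the assessments keyed by file name. A plist that does not
    # parse is itself worth a finding rather than a silent skip.
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith('.plist'):
            continue
        with open(os.path.join(directory, name), 'rb') as fh:
            raw = fh.read()
        try:
            results[name] = assess_launch_item(raw)
        except Exception as exc:  # malformed XML, wrong type, etc.
            results[name] = {'label': None, 'program': None,
                             'findings': ['unparseable plist: ' + str(exc)]}
    return results


if __name__ == '__main__':
    for name, sample in (('constructed ircbin.plist', SUSPICIOUS_PLIST),
                         ('constructed benign plist', BENIGN_PLIST)):
        report = assess_launch_item(sample)
        print(name, report['program'], report['findings'] or 'clean')
```

Point scan_directory at a LaunchDaemons directory copied from a device image (on a stock system only Apple jobs should be there; /Library/LaunchDaemons is where non-Apple jobs are usually dropped). The path heuristics are deliberately coarse: the goal is to surface every job that launchd will restart for the attacker so a human can pull the referenced binary, which in the case described above is where the hardcoded C\u0026C address lives.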
The remaining modules are designed to extract and exfiltrate different types of data, as seen in the following list:\r\ndylib – acquires and uploads basic information such as iPhone hardware information, contacts, text messages, and call history\r\nShellCommandaaa – executes shell commands on the affected device; any results are serialized and uploaded to a specified server\r\nKeyChain – steals and uploads information contained in the Apple KeyChain\r\nScreenaaa – scans for and pings devices on the same network subnet as the affected device; the ping results are uploaded to the attackers\r\nSoftInfoaaa – acquires the list of apps and processes on the device\r\nFileManage – performs file system operations on the device\r\nWifiList – acquires the saved Wi-Fi information (saved networks, history, etc.)\r\nbrowser – acquires the browser history from both Chrome and Safari\r\nLocationaaa – gets the user’s location\r\nios_wechat – acquires information related to WeChat, including: account information, contacts, groups, messages, and files\r\nios_qq – similar to the ios_wechat module, but for QQ\r\nios_telegram – similar to the previous two modules, but for Telegram\r\nTaken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information. Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals.\r\nOverview of dmsSpy\r\nAs noted earlier in this blog post, there is an Android counterpart to lightSpy which we have called dmsSpy. These variants were distributed in public Telegram channels disguised as various apps in 2019. While the links were already invalid during our research, we were able to obtain a sample of one of the variants.\r\nOur sample was advertised as a calendar app containing protest schedules in Hong Kong. It contains many features that we frequently see in malicious apps, such as requests for sensitive permissions and the transmission of sensitive information to a C\u0026C server. This includes seemingly safe information such as the device model used, but also more sensitive information such as contacts, text messages, the user’s location, and the names of stored files. dmsSpy also registers a receiver for reading newly received SMS messages, as well as dialing USSD codes.\r\nWe were able to obtain more information about dmsSpy because the threat actors behind it erroneously left the debug mode of their web framework activated. This allowed us a peek at the APIs used by the server. It suggests further capabilities we did not see in our sample, including screenshots and the ability to install APK files onto the device.\r\nFigure 9. List of leaked APIs from web framework\r\nWe believe that these attacks are related. dmsSpy’s download and command-and-control servers used the same domain name (hkrevolution[.]club) as one of the watering holes used by the iOS component of Poisoned News (they did use differing subdomains, however). As a result, we believe that this particular Android threat is operated by the same group of threat actors, and is connected to Poisoned News.\r\nVendor statements\r\nWe reached out to the various vendors mentioned in this blog post. Tencent had this to say:\r\nThis report by Trend Micro is a great reminder of why it’s important to keep the operating system on computers and mobile devices up to date. The vulnerabilities documented in the report, which affected the Safari web browser in iOS 12.1 and 12.2, were fixed in subsequent updates to iOS.\r\nA very tiny percentage of our WeChat and QQ users were still running the older versions of iOS that contained the vulnerability. We have already issued a reminder to these users to update their devices to the latest version of iOS as soon as possible.\r\nTencent takes data security extremely seriously and will continue to strive to ensure that our products and services are built on robust, secure platforms designed to keep user data safe.\r\nApple has also been notified of this research through Trend Micro’s Zero Day Initiative (ZDI). We also reached out to Telegram on our findings and have not received a response at the time of publication.\r\nBest practices and solutions\r\nSeveral steps could have been taken by users to mitigate this threat. For iOS users, the most important would be to keep their iOS version updated. Updates that resolve this problem have been available for more than a year, meaning that a user who had kept their device on the latest update would have been safe from the vulnerability that this threat exploits.\r\nFor Android users, the samples we obtained were distributed via links in Telegram channels, outside of the Google Play store. We strongly recommend that users avoid installing apps from outside trusted app stores, as apps distributed in this manner are frequently laden with malicious code.\r\nUsers can also install security solutions, such as Trend Micro Mobile Security for iOS and Trend Micro Mobile Security for Android (also available on Google Play), that can block malicious apps. End users can also benefit from their multilayered security capabilities that secure the device owner’s data and privacy, and features that protect them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning. The suite also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nIndicators of compromise and full technical details of this attack may be found in the accompanying technical brief.\r\nSource: https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links"
	],
	"report_names": [
		"?utm_source=rss\u0026utm_medium=rss\u0026utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21a6f9940acf053735cf3d69eb81193ae87d66e1.pdf",
		"text": "https://archive.orkl.eu/21a6f9940acf053735cf3d69eb81193ae87d66e1.txt",
		"img": "https://archive.orkl.eu/21a6f9940acf053735cf3d69eb81193ae87d66e1.jpg"
	}
}