{
	"id": "94b4fd8a-d52d-464b-9800-a04d4c6b0377",
	"created_at": "2026-04-06T00:13:48.168792Z",
	"updated_at": "2026-04-10T03:34:41.551074Z",
	"deleted_at": null,
	"sha1_hash": "670f38e1db377b5468499256bd0889d01e912891",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58148,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:41:20 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool lightSpy\n Tool: lightSpy\nNames lightSpy\nCategory Malware\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) The iOS malware, which we named 'lightSpy' (detected by Trend Micro\nas IOS_LightSpy.A), is a modular backdoor that allowed the attacker to remotely\nexecute a shell command and manipulate files on the infected device. It is also\nimplemented with several functionalities through different modules for exfiltrating data\nfrom the infected device including:\n• Hardware information\n• Contacts\n• Keychain\n• SMS messages\n• Phone call history\n• GPS location\n• Connected Wi-Fi history\n• Browser history of Safari and Chrome\nThe malware also reports the surrounding environment of the device by:\n• Scanning local network IP address\n• Scanning available Wi-Fi network\nThe campaign also employs modules specifically designed to exfiltrate data from\npopular messenger applications such as QQ, WeChat, and Telegram.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c9d4f77-ee82-4452-b187-84072275951e\nPage 1 of 2\n\n\u003chttps://www.threatfabric.com/blogs/lightspy-implant-for-macos\u003e\r\n\u003chttps://www.threatfabric.com/blogs/lightspy-implant-for-ios\u003e\r\n\u003chttps://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41\u003e\r\n\u003chttps://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign\u003e\r\n\u003chttps://hunt.io/blog/lightspy-malware-targets-facebook-instagram\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1185\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy\u003e\r\nLast change to this tool card: 28 June 2025\r\nDownload this tool card in JSON \nformat\r\nAll groups using tool lightSpy\r\nChanged Name Country Observed\r\nAPT groups\r\n  Operation Poisoned News, TwoSail Junk 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c9d4f77-ee82-4452-b187-84072275951e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c9d4f77-ee82-4452-b187-84072275951e\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c9d4f77-ee82-4452-b187-84072275951e"
	],
	"report_names": [
		"listgroups.cgi?u=4c9d4f77-ee82-4452-b187-84072275951e"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/670f38e1db377b5468499256bd0889d01e912891.pdf",
		"text": "https://archive.orkl.eu/670f38e1db377b5468499256bd0889d01e912891.txt",
		"img": "https://archive.orkl.eu/670f38e1db377b5468499256bd0889d01e912891.jpg"
	}
}