{
	"id": "72900f26-bb9d-4c4a-b1d2-a1470ebf8041",
	"created_at": "2026-04-06T03:36:38.912956Z",
	"updated_at": "2026-04-10T03:34:41.553004Z",
	"deleted_at": null,
	"sha1_hash": "70c8c187f3ec6aef60cd3daebad232a3290fbfbf",
	"title": "LightSpy Malware Variant Targeting macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5903310,
	"plain_text": "LightSpy Malware Variant Targeting macOS\r\nBy Stuart Ashenbrenner, Alden Schmidt\r\nPublished: 2024-04-25 · Archived: 2026-04-06 03:24:28 UTC\r\nOn April 11, 2024, BlackBerry released a new blog detailing a new VirusTotal upload of the LightSpy mobile\r\nspyware framework. BlackBerry stated that this malware was an iOS implant, yet Huntress researchers discovered\r\nthat, although the uploaded samples appear novel, they aren’t actually targeting iOS at all. Instead, what was\r\nobserved is a macOS variant of the LightSpy malware, which hasn’t been previously reported. This new capability\r\ndemonstrates that in addition to the iOS and Android, macOS users could’ve been targeted.\r\nBased on BlackBerry’s report, several large publications including Forbes, HackerNews, and Mashable, reported\r\nthat the sample uploaded is an active and dangerous iOS threat. This is incorrect, as the sample BlackBerry\r\nanalyzed will only run on Intel macOS devices, or Apple Silicon devices with Rosetta 2 enabled.\r\nThe publications also stated that this was a likely catalyst for Apple sending out “spyware attack alerts.” We’ve\r\nassessed that, due to Apple’s most recent support article, About Apple threat notifications and protecting against\r\nmercenary spyware, Apple is referring to the more recent and sophisticated Pegasus spyware from NSO Group. \r\nIt’s also important to note that while we were able to find the Android version of this malware on the same C2 as\r\nthe macOS version, it doesn't appear the iOS version is also present. In this article, we'll only be focusing on the\r\nmacOS implant. For more information of the Android version (also known as WyrmSpy), please see this report by\r\nthe ThreatFabric team.\r\nIn addition to our analysis, we’re providing YARA and Sigma rules which can be used freely to detect potential\r\nusage of the macOS LightSpy variant. 
The text in all images and terminal screenshots is also available in the GitHub repository.\r\nThanks to researchers at TrendMicro, Kaspersky, and ThreatFabric for their prior work on the LightSpy framework; their contributions were incredibly helpful in our research.\r\nTechnical Analysis\r\nConfirming macOS Targeting\r\nWhile there is a variant of LightSpy that affects Apple’s mobile devices like the iPhone, this sample notably only targets the macOS platform. There are a number of factors which support this, but the largest is that these binaries are all compiled for the x86_64 architecture, ruling out iPhones, which are ARM-based. This can be confirmed by running the file command against the macOS and iOS samples.\r\nhttps://www.huntress.com/blog/lightspy-malware-variant-targeting-macos\r\nPage 1 of 30\n\nIn both cases, the structure of the implant is the same: a dropper loads a series of dynamic libraries (dylibs), the macOS equivalent of DLLs on Windows, that contain most of the malicious capabilities.\r\nDifferences from iOS Version\r\nWhat made LightSpy famous was an iOS version discovered in 2020, covered by both Kaspersky and TrendMicro. While there are a large number of similarities between the two, there are a few interesting differences that provide some new insight into the organization behind the framework as well as its targeting.\r\nGenerally, the macOS version seems to be more refined than the iOS version. The operational security (opsec) is significantly improved, the development practices seem more mature, and things are generally more organized. 
A quick example is that the iOS version stores its C2 information in plain text:\r\nFigure 2: iOS LightSpy Downloading Plugins\r\nThe macOS version solves this problem by using a plugin manifest, which provides more flexibility for updating plugins down the road in addition to lower static detection rates. Despite the various improvements, LightSpy still leaves plenty on the table when it comes to anti-analysis.\r\nAll of the binaries for both macOS and iOS contain plenty of developer artifacts. Looking specifically for file paths, we can extract a decent picture of how this malware was organized.\r\nThere are two user accounts that seem to have been involved in the development of LightSpy: mac and air. Obviously, there’s no way to confirm that there weren’t multiple development hosts with the same username, but this still helps in understanding the organization of the framework.\r\n├── Users\r\n│ ├── air\r\n│ │ ├── Library\r\n│ │ │ ├──\r\n│ │ │ │ └──\r\n│ │ ├── work\r\n│ │ │ ├── F_Warehouse\r\n│ │ │ │ ├── mac\r\n│ │ │ │ │ ├──\r\n│ │ │ │ │ │ └──\r\n│ │ │ │ │ ├── frame\r\n│ │ │ │ │ │ ├── framework\r\n│ │ │ │ │ │ │ ├── framework\r\n│ │ │ │ │ │ │ │ ├── A.m\r\n│ │ │ │ │ │ │ │ │ └── A.m\r\n│ │ │ │ │ │ │ │ ├── AsyncDataTask.m\r\n│ │ │ │ │ │ │ │ │ └── AsyncDataTask.m\r\n│ │ │ │ │ │ │ │ ├── AsyncFileTask.m\r\n│ │ │ │ │ │ │ │ │ └── AsyncFileTask.m\r\n│ │ │ │ │ │ │ │ ├── AsyncTextTask.m\r\n│ │ │ │ │ │ │ │ │ └── AsyncTextTask.m\r\n│ │ │ │ │ │ │ │ ├── CmdThread.m\r\n│ │ │ │ │ │ │ │ │ └── CmdThread.m\r\n│ │ │ │ │ │ │ │ ├── Common\r\n│ │ │ │ │ │ │ │ │ ├── DeviceID.m\r\n│ │ │ │ │ │ │ │ │ │ └── DeviceID.m\r\n│ │ │ │ │ │ │ │ │ ├── DeviceInformation.m\r\n│ │ │ │ │ │ │ │ │ │ └── DeviceInformation.m\r\n│ │ │ │ │ │ │ │ │ ├── LightLog.m\r\n│ │ │ │ │ │ │ │ │ │ └── LightLog.m\r\n│ │ │ │ │ │ │ │ ├── 
DormantControl.m\r\n│ │ │ │ │ │ │ │ │ └── DormantControl.m\r\n│ │ │ │ │ │ │ │ ├── NetWork\r\n│ │ │ │ │ │ │ │ │ ├── HttpManager.mm\r\n│ │ │ │ │ │ │ │ │ │ └── HttpManager.mm\r\n│ │ │ │ │ │ │ │ │ ├── SocketRocketUtility.m\r\n│ │ │ │ │ │ │ │ │ │ └── SocketRocketUtility.m\r\n│ │ │ │ │ │ │ │ ├── PermissionInfo.m\r\n│ │ │ │ │ │ │ │ │ └── PermissionInfo.m\r\n│ │ │ │ │ │ │ │ ├── Plugin\r\n│ │ │ │ │ │ │ │ │ ├── PluginAdapter.m\r\n│ │ │ │ │ │ │ │ │ │ └── PluginAdapter.m\r\n│ │ │ │ │ │ │ │ ├── SocketRocket\r\n│ │ │ │ │ │ │ │ │ ├── Internal\r\n│ │ │ │ │ │ │ │ │ │ ├── IOConsumer\r\n│ │ │ │ │ │ │ │ │ │ │ ├── SRIOConsumer.m\r\n│ │ │ │ │ │ │ │ │ │ │ │ └── SRIOConsumer.m\r\n│ │ │ │ │ │ │ │ │ │ ├── RunLoop\r\n│ │ │ │ │ │ │ │ │ │ │ ├── SRRunLoopThread.m\r\n│ │ │ │ │ │ │ │ │ │ │ │ └── SRRunLoopThread.m\r\n│ │ │ │ │ │ │ │ │ ├── SRWebSocket.m\r\n│ │ │ │ │ │ │ │ │ │ └── SRWebSocket.m\r\n│ │ │ │ │ │ │ │ ├── SyncTextTask.m\r\n│ │ │ │ │ │ │ │ │ └── SyncTextTask.m\r\n│ │ │ │ │ │ │ │ ├── database\r\n│ │ │ │ │ │ │ │ │ ├── Db.m\r\n│ │ │ │ │ │ │ │ │ │ └── Db.m\r\n│ │ │ │ │ │ │ │ │ ├── DbCommandPlan.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbCommandPlan.m\r\n│ │ │ │ │ │ │ │ │ ├── DbCommandRecord.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbCommandRecord.m\r\n│ │ │ │ │ │ │ │ │ ├── DbConfig.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbConfig.m\r\n│ │ │ │ │ │ │ │ │ ├── DbDormantControl.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbDormantControl.m\r\n│ │ │ │ │ │ │ │ │ ├── DbPlugin.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbPlugin.m\r\n│ │ │ │ │ │ │ │ │ ├── DbTransportControl.m\r\n│ │ │ │ │ │ │ │ │ │ └── DbTransportControl.m\r\n│ │ │ │ │ │ │ │ ├── fmdb\r\n│ │ │ │ │ │ │ │ │ ├── FMDatabase.m\r\n│ │ │ │ │ │ │ │ │ │ └── FMDatabase.m\r\n│ │ │ │ │ │ │ │ │ ├── FMDatabaseAdditions.m\r\n│ │ │ │ │ │ │ │ │ │ └── FMDatabaseAdditions.m\r\n│ │ │ │ │ │ │ │ │ ├── FMDatabaseQueue.m\r\n│ │ │ │ │ │ │ │ │ │ 
└── FMDatabaseQueue.m\r\n│ │ │ │ │ │ │ │ ├── framework.m\r\n│ │ │ │ │ │ │ │ │ └── framework.m\r\n│ │ │ │ │ │ │ │ ├── tool\r\n│ │ │ │ │ │ │ │ │ ├── NSArray+Service.m\r\n│ │ │ │ │ │ │ │ │ │ └── NSArray+Service.m\r\n│ │ │ │ │ │ │ │ │ ├── NSDictionary+Service.m\r\n│ │ │ │ │ │ │ │ │ │ └── NSDictionary+Service.m\r\n│ │ │ │ │ │ │ │ │ ├── NSString+Service.m\r\n│ │ │ │ │ │ │ │ │ │ └── NSString+Service.m\r\n│ │ │ │ │ ├── new_plugins\r\n│ │ │ │ │ │ ├── AudioRecorder\r\n│ │ │ │ │ │ │ ├── AudioRecorder\r\n│ │ │ │ │ │ │ │ ├── AudioRecorder.m\r\n│ │ │ │ │ │ │ │ │ └── AudioRecorder.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── BrowserHistory\r\n│ │ │ │ │ │ │ ├── BrowserHistory\r\n│ │ │ │ │ │ │ │ ├── BrowserHistory.m\r\n│ │ │ │ │ │ │ │ │ └── BrowserHistory.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── CameraShot\r\n│ │ │ │ │ │ │ ├── CameraShot\r\n│ │ │ │ │ │ │ │ ├── CameraShot.m\r\n│ │ │ │ │ │ │ │ │ └── CameraShot.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── FileManage\r\n│ │ │ │ │ │ │ ├── FileManage\r\n│ │ │ │ │ │ │ │ ├── FileManage.m\r\n│ │ │ │ │ │ │ │ │ └── FileManage.m\r\n│ │ │ │ │ │ ├── KeyChains\r\n│ │ │ │ │ │ │ ├── KeyChains\r\n│ │ │ │ │ │ │ │ ├── KeyChains.m\r\n│ │ │ │ │ │ │ │ │ └── KeyChains.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── LanDevices\r\n│ │ │ │ │ │ │ ├── LanDevices\r\n│ │ │ │ │ │ │ │ ├── LanDevices.m\r\n│ │ │ │ │ │ │ │ │ └── LanDevices.m\r\n│ │ │ │ │ │ │ │ ├── libs\r\n│ │ │ │ │ │ │ │ │ ├── SimplePing.m\r\n│ │ │ │ │ │ │ │ │ │ └── SimplePing.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── 
Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── ProcessAndApp\r\n│ │ │ │ │ │ │ ├── ProcessAndApp\r\n│ │ │ │ │ │ │ │ ├── ProcessAndApp.m\r\n│ │ │ │ │ │ │ │ │ └── ProcessAndApp.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ │ │ │ ├── ShellCommand\r\n│ │ │ │ │ │ │ ├── ShellCommand\r\n│ │ │ │ │ │ │ │ ├── ShellCommand.m\r\n│ │ │ │ │ │ │ │ │ └── ShellCommand.m\r\n│ │ │ │ │ │ ├── WifiList\r\n│ │ │ │ │ │ │ ├── WifiList\r\n│ │ │ │ │ │ │ │ ├── WifiList.m\r\n│ │ │ │ │ │ │ │ │ └── WifiList.m\r\n│ │ │ │ │ │ │ │ ├── utils\r\n│ │ │ │ │ │ │ │ │ ├── Utils.m\r\n│ │ │ │ │ │ │ │ │ │ └── Utils.m\r\n│ │ │ ├── znf_ios\r\n│ │ │ │ ├── mac\r\n│ │ │ │ │ ├── frame\r\n│ │ │ │ │ │ ├── macircloader\r\n│ │ │ │ │ │ │ ├── macircloader\r\n│ │ │ │ │ │ │ │ ├── Configuration.mm\r\n│ │ │ │ │ │ │ │ │ └── Configuration.mm\r\n│ │ │ │ │ │ │ │ ├── Downloader.mm\r\n│ │ │ │ │ │ │ │ │ └── Downloader.mm\r\n│ │ │ │ │ │ │ │ ├── FrameworkLoader.mm\r\n│ │ │ │ │ │ │ │ │ └── FrameworkLoader.mm\r\n│ │ │ │ │ │ │ │ ├── Utils.mm\r\n│ │ │ │ │ │ │ │ │ └── Utils.mm\r\n│ ├── mac\r\n│ │ ├── Downloads\r\n│ │ │ ├── jbreak\r\n│ │ │ │ ├── sock_port\r\n│ │ │ │ │ ├── iosurface.c\r\n│ │ │ │ │ │ └── iosurface.c\r\n│ │ │ │ ├── source\r\n│ │ │ │ │ ├── KernelUtilities.m\r\n│ │ │ │ │ │ └── KernelUtilities.m\r\n│ │ │ │ │ ├── diagnostics.m\r\n│ │ │ │ │ │ └── diagnostics.m\r\n│ │ │ │ │ ├── jailbreak.m\r\n│ │ │ │ │ │ └── jailbreak.m\r\n│ │ │ │ │ ├── kernel_alloc.c\r\n│ │ │ │ │ │ └── kernel_alloc.c\r\n│ │ │ │ │ ├── kernel_call.c\r\n│ │ │ │ │ │ └── kernel_call.c\r\n│ │ │ │ │ ├── kernel_slide.c\r\n│ │ │ │ │ │ └── kernel_slide.c\r\n│ │ │ │ │ ├── log.c\r\n│ │ │ │ │ │ └── log.c\r\n│ │ │ │ │ ├── platform.c\r\n│ │ │ │ │ │ └── platform.c\r\n│ │ │ │ │ ├── platform_match.c\r\n│ │ │ │ │ │ └── 
platform_match.c\r\n│ │ │ │ │ ├── prefs.m\r\n│ │ │ │ │ │ └── prefs.m\r\n│ │ │ │ │ ├── user_client.c\r\n│ │ │ │ │ │ └── user_client.c\r\n│ │ │ │ │ ├── utils.m\r\n│ │ │ │ │ │ └── utils.m\r\n│ │ │ │ │ ├── voucher_swap.c\r\n│ │ │ │ │ │ └── voucher_swap.c\r\n│ │ ├── framwork\r\n│ │ │ ├── CocoaLumberjack\r\n│ │ │ │ ├── Sources\r\n│ │ │ │ │ ├── CocoaLumberjack\r\n│ │ │ │ │ │ ├── DDFileLogger.m\r\n│ │ │ │ │ │ │ └── DDFileLogger.m\r\n│ │ │ │ │ │ ├── DDLog.m\r\n│ │ │ │ │ │ │ └── DDLog.m\r\n│ │ │ │ │ │ ├── DDTTYLogger.m\r\n│ │ │ │ │ │ │ └── DDTTYLogger.m\r\n│ │ ├── hs\r\n│ │ │ ├── dev\r\n│ │ │ │ ├── iosmm\r\n│ │ │ │ │ ├── light\r\n│ │ │ │ │ │ ├── ShellCommand\r\n│ │ │ │ │ │ │ ├── ShellCommand\r\n│ │ │ │ │ │ │ │ ├── ShellCommand.m\r\n│ │ │ │ │ │ │ │ │ └── ShellCommand.m\r\n│ │ │ │ │ │ ├── SoftInfo\r\n│ │ │ │ │ │ │ ├── SoftInfo\r\n│ │ │ │ │ │ │ │ ├── SoftInfo.m\r\n│ │ │ │ │ │ │ │ │ └── SoftInfo.m\r\n│ │ │ │ │ │ ├── WifiList\r\n│ │ │ │ │ │ │ ├── WifiList\r\n│ │ │ │ │ │ │ │ ├── WifiList.m\r\n│ │ │ │ │ │ │ │ │ └── WifiList.m\r\n│ │ │ │ │ │ ├── browser\r\n│ │ │ │ │ │ │ ├── browser\r\n│ │ │ │ │ │ │ │ ├── browser.m\r\n│ │ │ │ │ │ │ │ │ └── browser.m\r\n│ │ ├── work\r\n│ │ │ ├── F_Warehouse\r\n│ │ │ │ ├── ios\r\n│ │ │ │ │ ├── landevices\r\n│ │ │ │ │ │ ├── landevices\r\n│ │ │ │ │ │ │ ├── Libraries\r\n│ │ │ │ │ │ │ │ ├── External Libs\r\n│ │ │ │ │ │ │ │ │ ├── SimplePing\r\n│ │ │ │ │ │ │ │ │ │ ├── SimplePing.m\r\n│ │ │ │ │ │ │ │ │ │ │ └── SimplePing.m\r\n│ │ │ ├── baseinfo_plugin\r\n│ │ │ │ ├── plugin_utils\r\n│ │ │ │ │ ├── BasePlugin.mm\r\n│ │ │ │ │ │ └── BasePlugin.mm\r\n│ │ │ ├── irc_framework\r\n│ │ │ │ ├── KeyChain\r\n│ │ │ │ │ ├── KeyChain\r\n│ │ │ │ │ │ ├── KeyChain.m\r\n│ │ │ │ │ │ │ └── KeyChain.m\r\n│ │ │ │ ├── light\r\n│ │ │ │ │ ├── FileManage\r\n│ │ │ │ │ │ ├── FileManage\r\n│ │ │ │ │ │ │ ├── 
FileManage.m\r\n│ │ │ │ │ │ │ │ └── FileManage.m\r\n│ │ │ ├── light\r\n│ │ │ │ ├── light\r\n│ │ │ │ │ ├── fmdb\r\n│ │ │ │ │ │ ├── FMDatabase.m\r\n│ │ │ │ │ │ │ └── FMDatabase.m\r\n│ │ │ │ │ │ ├── FMDatabaseQueue.m\r\n│ │ │ │ │ │ │ └── FMDatabaseQueue.m\r\nStage 1: Dropper\r\nThe first stage of this malware is a dropper (SHA1: afd03337d1500d6af9bc447bd900df26786ea4a4) which downloads and runs the core implant dylib.\r\nChecking PID File:\r\nThe macOS version of this malware makes use of a process identification number (PID) file located at /Users/Shared/irc.pid to verify that the implant isn’t already running. A PID file is just a file containing the PID of a running process; it’s used to identify a specific running process so that it can be referenced at a later time.\r\nConfiguration Extraction:\r\nThe configuration for this malware is appended to the end of the binary (in this case the last 0x1d0 bytes) and is encrypted with AES using the static key 3e2717e8b3873b29.\r\n{\r\n\"cc_ip\" = \"103[.]27[.]109[.]217\",\r\n\"framework_param\" = \"s10|12|27\",\r\n\"install_path\" = \"/Users/Shared/update.app/Contents\",\r\n\"manifest_url\" = \"http[:]//103[.]27[.]109[.]217:52202/963852741/mac/macmanifest.json\",\r\n\"irc_url\" = \"http[:]//103[.]27[.]109[.]217:52202/963852741/mac/\",\r\n\"cc_port\":\"51200\",\r\n}\r\nDownload Stage 2 and Plugins:\r\nBefore downloading the plugins from the C2 server, the dropper requests macmanifest.json, which contains lots of information about the plugins. 
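The dropper's fetch, verify and decode sequence that this subsection and the Payload Verification and Payload Decryption subsections below describe (manifest record, MD5 check, rolling XOR, then a sanity check that the result is a Mach-O) can be modelled end to end. The following is an added Python example written for this page; it is not Huntress tooling and not code from the sample. It reproduces the _XorDecodeFile key schedule given under Payload Decryption and assumes, as the text states, that the md5 field of a manifest or macversion.json record is the digest of the still-encrypted file. The encoder, the Mach-O magic check (the same six magics as the private YARA rule in Appendix A) and the sample blob are constructed here for the round trip and are not taken from the samples.

```python
import hashlib

# The six Mach-O magics the private YARA rule in Appendix A accepts, as raw
# on-disk byte sequences (32-bit, 64-bit and fat/universal, both byte orders).
MACHO_MAGICS = {
    bytes.fromhex('feedface'), bytes.fromhex('cefaedfe'),
    bytes.fromhex('feedfacf'), bytes.fromhex('cffaedfe'),
    bytes.fromhex('cafebabe'), bytes.fromhex('bebafeca'),
}


def xor_decode_file(data: bytes) -> bytes:
    # Rolling XOR as recovered from _XorDecodeFile: the running key is
    # advanced with the *encrypted* byte, so decoding is a single forward pass.
    key, inc = 0x5A, 0x0C
    out = bytearray()
    for byte in data:
        out.append(byte ^ key)
        key = (key + byte + inc) & 0xFF
        inc = (inc + 6) & 0xFF
    return bytes(out)


def xor_encode_file(data: bytes) -> bytes:
    # Inverse routine, constructed here to build test input; the sample does
    # not ship an encoder. The schedule must be fed the ciphertext byte.
    key, inc = 0x5A, 0x0C
    out = bytearray()
    for byte in data:
        enc = byte ^ key
        out.append(enc)
        key = (key + enc + inc) & 0xFF
        inc = (inc + 6) & 0xFF
    return bytes(out)


def is_macho(data: bytes) -> bool:
    return len(data) >= 4 and data[:4] in MACHO_MAGICS


class IntegrityError(ValueError):
    pass


def verify_and_decode(entry: dict, blob: bytes) -> bytes:
    # entry mirrors one manifest / macversion.json record. The md5 is over the
    # encrypted bytes (assumption taken from the text), so it is checked first;
    # only then is the blob decoded and sanity-checked as a Mach-O.
    digest = hashlib.md5(blob).hexdigest()
    if digest != entry['md5'].lower():
        raise IntegrityError('md5 mismatch for ' + entry['filename'] + ': ' + digest)
    plain = xor_decode_file(blob)
    if not is_macho(plain):
        raise IntegrityError('decoded ' + entry['filename'] + ' is not a Mach-O')
    return plain


# Constructed stand-in for a downloaded plugin (not a real sample): a 64-bit
# little-endian Mach-O magic (cf fa ed fe on disk) plus filler header bytes.
SAMPLE_PLAIN = bytes.fromhex('cffaedfe07000001030000000600000010000000') + bytes(range(64))
SAMPLE_BLOB = xor_encode_file(SAMPLE_PLAIN)
# Hypothetical manifest record; the filename follows the macversion.json on the page.
SAMPLE_ENTRY = {'filename': 'C40F0D27', 'md5': hashlib.md5(SAMPLE_BLOB).hexdigest()}


def demo() -> dict:
    good = verify_and_decode(SAMPLE_ENTRY, SAMPLE_BLOB)
    tampered = bytearray(SAMPLE_BLOB)
    tampered[10] ^= 0x01          # one flipped byte: the MD5 no longer matches
    try:
        verify_and_decode(SAMPLE_ENTRY, bytes(tampered))
        rejected = False
    except IntegrityError:
        rejected = True
    return {'roundtrip': good == SAMPLE_PLAIN, 'tampered_rejected': rejected}


if __name__ == '__main__':
    print(demo())
```

Because the key schedule is driven by the ciphertext byte, a plugin pulled from the C2 directory can be decoded in one pass, and an analyst can run verify_and_decode on the downloaded file together with its manifest record before handing the resulting dylib to otool or a disassembler.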
The MD5s correspond to the encrypted versions of the files.\r\nFigure 3: manifest.json file\r\nPayload Verification:\r\nAfter downloading the core dylib, another call is made to the following address:\r\nhttp[:]//103[.]27[.]109[.]217:52202/963852741/mac/macversion.json\r\nwhich returns a JSON blob used to verify the integrity of the second stage. The other interesting aspect to note is the date, which shows this build to be almost three years old at the time of writing. This timeframe lines up with the original discovery of the LightSpy malware in 2020.\r\n{\r\n\"date\":\"2021-06-30\",\r\n\"filename\":\"C40F0D27\",\r\n\"md5\":\"a381ea6193f3efd3b587c4a8e67706bf\"\r\n}\r\nPayload Decryption:\r\nThe plugins and core dylib are encrypted with a rolling-type XOR implemented in the _XorDecodeFile function.\r\nFigure 4: Screenshot of decryption function decompilation\r\nLuckily, reimplementing the routine is quite simple and allows for easy analysis of the downloaded plugins. Note that the running key is advanced with the encrypted input byte, not the decoded one:\r\ndef xor_decode_file(data: bytes) -> bytes:\r\n    xor_key = 0x5A\r\n    xor_increment = 0xC\r\n    decoded_data = bytearray()\r\n    for byte in data:\r\n        decoded_byte = byte ^ xor_key\r\n        # the key schedule consumes the encrypted byte that was just read\r\n        xor_key = (xor_key + byte + xor_increment) \u0026 0xFF\r\n        xor_increment = (xor_increment + 6) \u0026 0xFF\r\n        decoded_data.append(decoded_byte)\r\n    return bytes(decoded_data)\r\nStage 2: Implant\r\nThe second stage (SHA256: 0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c) is responsible for loading, maintaining, and using the plugins. During this stage, the implant queries the device for system information using the DeviceInformation class. 
It collects a standard set of device information:\r\nFigure 5: Diff of DeviceInformation function, iOS on left and macOS on right\r\nDiffing the methods within that class shows that the macOS version doesn’t collect information that would only be found on a phone, such as the International Mobile Subscriber Identity (IMSI) or International Mobile Equipment Identity (IMEI) numbers. Additionally, when analyzing functions like getScreenSizeInches, the iOS version returns the dimensions of known iOS device models, whereas the macOS version only returns a single string, 13.3 inches.\r\nFigure 6: macOS version of getScreenSizeInches\r\nFigure 7: iOS version of getScreenSizeInches\r\nCommunication with the C2 is still performed over WebSockets using the open source library SocketRocket, with all the standard functionality you’d expect: sending heartbeats, receiving commands, updating command status, etc.\r\nStage 3: Plugins\r\nThis particular implant downloads 10 additional payloads, each to accomplish a particular task. 
Since they’ve been covered pretty extensively, we noted below, in the IOCs, the different plugins (dylibs) that are associated with the macOS variant. The table pairs each macOS plugin with its iOS counterpart where one exists:\r\niOS Implant[2] | macOS Implant\r\n- | AudioRecorder (Plugin ID: 18000)\r\nBrowser (Plugin ID: 14000) | BrowserHistory (Plugin ID: 14000)\r\n- | CameraShot (Plugin ID: 19000)\r\nFileManage (Plugin ID: 15000) | FileManage (Plugin ID: 15000)\r\nKeyChain (Plugin ID: 31000) | KeyChains (Plugin ID: 31000)\r\n- | LanDevices (Plugin ID: 33000)\r\n- | ProcessAndApp (Plugin ID: 16000)\r\n- | ScreenRecorder (Plugin ID: 34000)\r\nShellCommandaaa (Plugin ID: 20000) | ShellCommand (Plugin ID: 20000)\r\nWifiList (Plugin ID: 17000) | WifiList (Plugin ID: 17000)\r\nBasicInfo (Plugin ID: 11000) | -\r\nSoftInfoaaa (Plugin ID: 16000) | -\r\nScreenaaa (Plugin ID: 33000) | -\r\nLocationaaa (Plugin ID: 13000) | -\r\niOS WeChat (Plugin ID: 12000) | -\r\niOS QQ (Plugin ID: 25000) | -\r\niOS Telegram (Plugin ID: 26000) | -\r\nConclusion\r\nEven though we’ve historically seen LightSpy target iOS, this variant is very clearly targeting macOS. As the macOS landscape constantly evolves, and attacks that specifically target the Apple ecosystem become more prevalent, we wanted to include some detection opportunities here as well.\r\nIt’s also worth noting that while this sample was uploaded to VirusTotal recently from India, this isn’t a particularly strong indicator of an active campaign, nor of targeting within the region. It’s a contributing factor, but without more concrete evidence or visibility into delivery mechanisms, it should be taken with a heavy grain of salt.\r\nWhile we haven’t made any attribution claims in this post, most prior research has associated this malware with APT 41. 
We're confident that this sample is indeed part of the LightSpy framework, and have no reason to disagree with that attribution.\r\nApple, in an attempt to thwart threat actors, has introduced new features to its operating systems such as Lockdown Mode, additional TCC restrictions, and constantly evolving XProtect/XProtectRemediator modules designed to protect the end user. It's also a good opportunity to remember to keep devices updated, regardless of platform.\r\nAppendix A\r\nWe created YARA rules that will detect the implant, loader, and the dylibs. We included a private rule that will assist in paring down detections to only Mach-O binaries. It's important to note that without that private rule, the rules will not compile, as they all reference Macho in their condition. The rules are available below and on GitHub.\r\nYARA Rules\r\nprivate rule Macho {\r\n    meta:\r\n        description = \"private rule to match Mach-O binaries\"\r\n    condition:\r\n        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca\r\n}\r\nrule MACOS_LIGHTSPY_LOADER_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy loader\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4\"\r\n        hash2 = \"77e983dcde7752278c0fbfc29d92b237c3961de7517d7bcf0877ce83e9b58278\"\r\n    strings:\r\n        $a0 = \"FrameworkLoader\"\r\n        $a1 = \"PLATFORM_MACOS\"\r\n        $a2 = { 44 6f 77 6e 6c 6f 61 64 65 72 }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_IMPLANT_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy implant\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c\"\r\n    strings:\r\n        $a0 = { 52 65 61 6c 54 69 6d 65 43 6d 64 }\r\n        $a1 = { 73 65 6c 65 63 74 20 2a 20 66 72 6f 6d 20 74 5f 63 6f 6e 66 69 67 }\r\n        $a2 = { 2f 76 61 72 2f 63 6f 6e 74 61 69 6e 65 72 73 2f 42 75 6e 64 6c 65 2f 69 72 63 62 69 6e 2e 70 6c 69 73 74 }\r\n        $a3 = { 74 5f 63 6f 6d 6d 61 6e 64 5f 70 6c 61 6e }\r\n        $a4 = { 63 6f 6d 2e 61 6c 61 6d 6f 66 69 72 65 2e }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_AUDIODYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libAudioRecorder dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libAudioRecorder.dylib\"\r\n        $a0 = { 61 72 63 6c 69 74 65 }\r\n        $a1 = { 41 75 64 69 6f 52 65 63 6f 72 64 65 72 }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_BROWSERHISTORYDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libBrowserHistory dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libBrowserHistory.dylib\"\r\n        $a0 = \"/Library/Application Support/Google/Chrome/Default/History\"\r\n        $a1 = \"/Library/Safari/History.db\"\r\n        $a2 = { 42 72 6f 77 73 65 72 48 69 73 74 6f 72 79 }\r\n        $a3 = { 61 72 63 6c 69 74 65 }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_CAMERADYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libCameraShot dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libCameraShot.dylib\"\r\n        $a0 = { 61 72 63 6c 69 74 65 }\r\n        $a1 = { 43 61 6d 65 72 61 53 68 6f 74 }\r\n        $a2 = { 54 61 6b 65 50 69 63 74 75 72 65 2e (6d | 68) }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_FILEMANAGEDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libFileManage dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libFileManage.dylib\"\r\n        $a0 = \"GetTelegramFileDir\"\r\n        $a1 = { 46 69 6c 65 4d 61 6e 61 67 65 20 44 6f 77 6e 4c 6f 61 64 46 69 6c 65 }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_KEYCHAINDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libKeyChains dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libKeyChains.dylib\"\r\n        $a0 = { 6d 61 63 20 4b 65 79 20 43 68 61 69 6e 73 }\r\n        $a1 = { 2f 61 70 69 2f 6b 65 79 63 68 61 69 6e }\r\n        $a2 = { 6b 53 65 63 41 74 74 72 49 73 73 75 65 72 }\r\n        $a3 = \"PLATFORM_MACOS\"\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_LANDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libLanDevices dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libLanDevices.dylib\"\r\n        $a0 = \"CoreWLAN.framework\"\r\n        $a1 = { 2f 61 70 69 2f 6c 61 6e 5f 64 65 76 69 63 65 73 }\r\n        $a2 = { 4d 61 63 46 69 6e 64 65 72 }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_PROCESSANDAPPDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libProcessAndApp dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libProcessAndApp.dylib\"\r\n        $a0 = { 50 72 6f 67 72 65 73 73 4c 6f 67 2e 6d }\r\n        $a1 = { 2f 61 70 69 2f (61 70 70 2f | 70 72 6f 63 65 73 73 2f) }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_SCREENRECORDERDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libScreenRecorder dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"7ed786a259982cce0fad8a704547c72690970145b9587d84ee6205b7c578b663\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libScreenRecorder.dylib\"\r\n        $a0 = { 2f 78 38 36 5f 36 34 2f 53 63 72 65 65 6e 52 65 63 6f 72 64 65 72 2e 6f }\r\n        $a1 = { 00 72 65 63 6f 72 64 20 73 63 72 65 65 6e }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_SHELLDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libShellCommand dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libShellCommand.dylib\"\r\n        $a0 = { 2f 61 70 69 2f 73 68 65 6c 6c 2f 72 65 73 75 6c 74 }\r\n        $a1 = \"XXXExeCommand\"\r\n        $a2 = \"GetDeviceID\"\r\n    condition:\r\n        Macho and all of them\r\n}\r\nrule MACOS_LIGHTSPY_WIFIDYLIB_20240422 {\r\n    meta:\r\n        description = \"Detects on the LightSpy libWifiList dylib\"\r\n        author = \"Stuart Ashenbrenner, Alden Schmidt\"\r\n        date = \"2024-04-22\"\r\n        modified = \"2024-04-22\"\r\n        reference = \"https://huntress.com/blog/lightspy-malware-variant-targeting-macos\"\r\n        hash1 = \"fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835\"\r\n    strings:\r\n        $path = \"/usr/local/lib/libWifiList.dylib\"\r\n        $a0 = { 2f 61 70 69 2f 77 69 66 69 5f (63 6f 6e 6e 65 63 74 69 6f 6e 2f | 6e 65 61 72 62 79 2f) }\r\n        $a1 = { 57 50 41 [1] 2d 50 53 4b }\r\n    condition:\r\n        Macho and all of them\r\n}\r\nSigma Rule\r\ntitle: LightSpy MacOS Malware\r\nid: 75d6d6fc-026f-11ef-aa62-f23ada0a3aed\r\nstatus: test\r\ndescription: Detects the creation of malicious files in the 
Shared directory.\r\nauthor: Stuart Ashenbrenner\r\nreferences:\r\n    - https://huntress.com/blog/lightspy-malware-variant-targeting-macos\r\ndate: 2024/04/24\r\nlogsource:\r\n    category: process_creation\r\n    product: macos\r\ndetection:\r\n    selection0:\r\n        CommandLine|contains: '/Users/Shared/update.app'\r\n    condition: selection0\r\nfalsepositives:\r\n    - None observed\r\nlevel: high\r\ntags:\r\n    - attack.exfiltration\r\n    - attack.t1041\r\nAppendix B\r\nIOCs\r\nFilename | SHA1 | Description\r\nloader | afd03337d1500d6af9bc447bd900df26786ea4a4 | Stage 1 dropper\r\nC40F0D27 | fd49866245721acc6e7431ec61b066696b72a1e1 | core implant\r\nsoundrecord | 0563225dcc2767357748d9f1f6ac2db9825d3cf9 | Plugin ID: 18000\r\nbrowser | 476c726b58409a8e3e6cf8fb6bb7d46596917e24 | Plugin ID: 14000\r\ncameramodule | 33c39728a0393d4271f27cc1d85cf3c1610be333 | Plugin ID: 19000\r\nFileManage | 9a00f6ca0d9140316f9ae03f79c7511cec32849f | Plugin ID: 15000\r\nkeychain | 8f390335b571297a9eb605576745876666ee7f6a | Plugin ID: 31000\r\nLanDevices | 7aceb8db03b8b8c7899982b5befcaf455a86fe0b | Plugin ID: 33000\r\nsoftlist | c65817a55b003462d48189875f18fa8bdb57b402 | Plugin ID: 16000\r\nScreenRecorder | e9ba5d2dd449678628834cf5a11cffe042a4f6d6 | Plugin ID: 34000\r\nShellCommand | 30e33f1188ca4cffc997260c9929738594e7488c | Plugin ID: 20000\r\nwifi | 8e7e8d896ed61bea7a49271e2e6ffc982942e5c7 | Plugin ID: 17000\r\nInfrastructure\r\nIP | Description\r\n103[.]27[.]109[.]217 | Primary C2\r\nReferences\r\n[1] https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india\r\n[2] https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf\r\n[3] https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack\r\n[4] https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/\r\nSource: https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos"
	],
	"report_names": [
		"lightspy-malware-variant-targeting-macos"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446598,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70c8c187f3ec6aef60cd3daebad232a3290fbfbf.pdf",
		"text": "https://archive.orkl.eu/70c8c187f3ec6aef60cd3daebad232a3290fbfbf.txt",
		"img": "https://archive.orkl.eu/70c8c187f3ec6aef60cd3daebad232a3290fbfbf.jpg"
	}
}