{
	"id": "c949d0cd-1188-4541-9063-3a558f3ebacd",
	"created_at": "2026-04-06T00:13:35.06226Z",
	"updated_at": "2026-04-10T03:21:12.58499Z",
	"deleted_at": null,
	"sha1_hash": "923776e82a8dbc0be742450bbf5eb6b769d3a9ad",
	"title": "LightSpy Malware Now Targets Facebook \u0026 Instagram Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2239615,
	"plain_text": "LightSpy Malware Now Targets Facebook \u0026 Instagram Data\r\nPublished: 2025-02-20 · Archived: 2026-04-05 13:59:17 UTC\r\nFirst publicly reported in 2020, LightSpy is a modular surveillance framework designed for data collection and exfiltration. Initially observed targeting mobile devices, further analysis confirmed its ability to compromise Windows, macOS, Linux, and routers. LightSpy has been deployed in targeted attacks using watering hole techniques and exploit-based delivery, with its infrastructure frequently shifting to evade detection.\r\nFindings\r\nTargeting of Facebook and Instagram application database files for data extraction.\r\nLightSpy deployment date (2021-12-31) is linked to a possibly unreported core version.\r\nWindows-specific plugins designed for system surveillance and data collection.\r\nAdditional endpoints beyond the admin panel, including a likely testing route that briefly exposes authenticated session behavior.\r\nTracking LightSpy Infrastructure (Pt. 2)\r\nIn June of last year, we published research on tracking LightSpy servers via their TLS certificates and integrated a detection query into Hunt.io to automate identification. Since then, we have continued monitoring this infrastructure, with Hunt.io currently detecting eight active IPs, some of which were previously detailed in BlackBerry and Volexity's research on the DeepData variant of LightSpy.\r\nhttps://hunt.io/blog/lightspy-malware-targets-facebook-instagram\r\nPage 1 of 13\n\nFigure 1: Screenshot of current servers tagged as LightSpy in Hunt.\r\nIn October, we posted on X/Twitter about two LightSpy servers---43.248.8[.]108 and 149.104.18[.]251---briefly sharing SSH keys with another detected C2, 43.248.8[.]76, as well as an additional IP, 149.104.18[.]80. Among these, 149.104.18[.]80 is the most recent IP to appear in our scans as LightSpy, and its command list modifications and infrastructure details will be the focus of this analysis.\r\nCommand List Expansion: What's Different?\r\nLightSpy has been previously documented targeting messaging applications such as Telegram, QQ, WeChat, WhatsApp, and Line across multiple operating systems. ThreatFabric's reporting highlighted the framework's ability to exfiltrate payment data from WeChat, delete contacts, and clear messaging history, among other functions.\r\nThe servers analyzed in this research share similarities with prior malicious infrastructure but introduce notable differences in the command list. As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis.\r\nA comparison of command lists between the previously reported 45.125.34[.]126:49000 and the recently observed 149.104.18[.]80:10000 reveals a significant expansion:\r\nPreviously reported C2: 55 supported commands.\r\nRecently observed C2: Over 100 commands spanning Android, iOS, Windows, macOS, routers, and Linux.\r\nFigure 2: Snippet of C2 command list at IP 45.125.34[.]126.\r\nThe new command list shifts focus from direct data collection to broader operational control, including transmission management (\"传输控制\") and plugin version tracking (\"上传插件版本详细信息\"). These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments more efficiently across multiple platforms.\r\nFigure 3: Snippet of the more recent C2 command list at 149.104.18[.]80.\r\nAmong the newly introduced Android commands are:\r\n获取Facebook数据库文件 (\"Get Facebook Database Files\"), Command ID: 83001\r\n获取Instagram数据库文件 (\"Get Instagram Database Files\"), Command ID: 83002\r\nThis is the first reference we are aware of to Facebook and Instagram database targeting within LightSpy's command structure. Additionally, the list references \"Enigma,\" which may correspond to the secure messaging platform of the same name.\r\nFigure 4: Command list showing targeting of Facebook and Instagram database files.\r\nThe shift from targeting messaging applications to Facebook and Instagram expands LightSpy's ability to collect private messages, contact lists, and account metadata from widely used social platforms. Extracting these database files could provide attackers with stored conversations, user connections, and potentially session-related data, increasing surveillance capabilities and opportunities for further exploitation.\r\nLightSpy Core, iOS \u0026 Windows Plugins\r\nWhile we were unable to recover any first-stage implants for LightSpy, we examined the server for files of interest that were accessible for download. The server 149.104.18[.]80, hosted on Cloudie Limited in Hong Kong, was observed with open ports 80, 443, 10000, 30000, and 40002.\r\nLightSpy's configurations frequently use /963852741 as a recurring endpoint pattern. A GET request to http[:]//149.104.18[.]80:30000/963852741/ios/version.json returned metadata on LightSpy's core, including its deployment date, file name, and MD5 hash. The date listed was 2020-12-21, reportedly associated with version 7.7.1.\r\nFigure 5: JSON response when requesting /ios/version.json on port 30000.\r\nQuerying the same endpoint on port 40002 returned a deployment date of 2021-12-31, with the MD5 hash 81d2bd4781e3753b508ff6d966dbf160. To our knowledge, this date/version has not been publicly reported.\r\nFigure 6: Screenshot of LightSpy core information dated 2021-12-31.\r\nThe hashes for both light.framework.zip files can be found at the end of this post.\r\niOS Plugins\r\nAlongside version.json, the server also hosts manifest.json, which contains version numbers, class paths, MD5 hashes for integrity verification, file names, and download URLs. The response listed 17 different plugins, all matching the versions and capabilities described in ThreatFabric's most recent analysis. Notably, the operator removed plugins associated with destructive actions on the victim host.\r\nFigure 7: Snippet of iOS plugins targeting several apps and functionalities.\r\nThe URL field within the response referenced an additional IP, 103.238.227[.]138, serving plugins at the same port and path. This server, also hosted on Cloudie Limited, had ports 22 and 7000 open. A single domain, hk.cdn[.]cat, resolves to this IP, though we found no indication that it is associated with LightSpy activity.\r\nWindows Plugins\r\nIn addition to the iOS plugin page, we identified a separate page for Windows plugins. No references to Linux, Android, or macOS plugins were found on this server, suggesting that iOS and Windows were the primary targets for this campaign.\r\nThe Windows JSON file followed the same structure as its iOS counterpart. There are 15 plugins with DLL files targeting x86 and x64 architectures. The observed version numbers were either 0.0.0.0 or 0.0.0.2, indicating the files were recent or the developer opted not to track version changes.\r\nBelow is a list of the Windows plugins, their version numbers, and the affected platforms:\r\nFilename Version Platform\r\nvxx64m.dll 0.0.0.2 x64\r\nvxx86m.dll 0.0.0.2 x86\r\nTerminalx86m.dll 0.0.0.2 x86\r\nTerminalx64m.dll 0.0.0.2 x64\r\nKeyLogLib32m.dll 0.0.0.2 x86\r\nKeyLogLib64m.dll 0.0.0.2 x64\r\naudiox64m 0.0.0.0 x64\r\naudiom.dll 0.0.0.0 x86\r\nCapx64m.dll 0.0.0.0 x64\r\nCapm.dll 0.0.0.0 x86\r\nsrvx64m.dll 0.0.0.0 x64\r\nsrvm.dll 0.0.0.0 x86\r\nusbx64m.dll 0.0.0.0 x64\r\nusbm.dll 0.0.0.0 x86\r\nvideo64m.dll 0.0.0.0 x64\r\nvideom.dll 0.0.0.0 x86\r\nTable 1: Windows plugin DLLs.\r\nThe DLL files share one of the following PDB paths, indicating the directory structure used during development:\r\nW:\\yk\\Bigfoot\\bin\\*.pdb\r\nW:\\yk\\Darwin\\Bin\\*.pdb\r\nThe Windows plugins indicate a focus on keylogging (\"KeyLogLib\"), audio recording (\"audio\"), video capture (\"video\"), and USB interaction (\"usb\"), typical for surveillanceware. \"Terminal*\" DLLs suggest potential remote command execution or user activity monitoring, while \"Cap\" plugins are related to screenshot or screen recording capabilities.\r\nAdmin Panel/Infrastructure\r\nThe two other IPs associated with this activity, 43.248.8[.]108 and 149.104.18[.]251, host admin panels on ports 10000 or 10002. The login page, built on the Vue framework, is titled \"Console Login\" and is located at /ujmfanncy76211/login.\r\nFigure 8: Screenshot of login panel at 149.104.18[.]80.\r\nFurther investigation revealed multiple endpoints under /ujmfanncy76211, each returning different behaviors:\r\nEndpoint Behavior\r\n/at Captures requesting host information, including browser, GPU, and User-Agent. (Screenshot included below)\r\n/remote_csm Likely for remote access; it redirects back to /login.\r\n/963852oiu/login Displays a loading spinner and attempts to connect to 192.168.1[.]208.\r\n/963852tgb/login Returns a token error.\r\n/963852iuy/login Redirects to /login.\r\n/third_login/:username May allow persistent access or automated login attempts.\r\n/thd/login Responds with \"login with thd_tk is not permission\" (Screenshot included below).\r\nTable 2: Additional endpoints found under the admin panel.\r\nFigure 9: Result of querying /at, which captures requestor information.\r\nFigure 10: Error message when requesting /thd/login.\r\nDue to a misconfiguration in the server, the /third_login/:username endpoint provides a brief glimpse into the inner workings of the framework as an authenticated user. When loaded, the page below, hosted at /phone/phoneinfo, becomes visible; we were able to capture a screenshot of it.\r\nFigure 11: View of the phone info page in LightSpy when accessing the /third_login/:username endpoint.\r\nThe interface, named Console v3.5.0, serves as a remote management panel for compromised mobile devices. Upon accessing the page, a \"Login Successful\" message is displayed, granting the operator access to device controls. The top menu options include:\r\n控制台 → Console\r\n产生文件 → Generate Files\r\n日志 → Logs\r\nThe main content window prompts the user to \"Please select a device from the group,\" while the side panel provides access to terminal logs and additional device data.\r\nThe presence of admin panel endpoints such as /third_login/:username and /remote_csm provides an opportunity to track LightSpy infrastructure through distinctive authentication requests and operator activity. Analyzing server responses, panel access patterns, and command execution behavior can offer further insight into the malware's operational framework.\r\nConclusion\r\nLightSpy's infrastructure reveals previously unreported components and administrative functionality, though it remains unclear whether these represent new developments or older versions not publicly documented. Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms.\r\nThe exposure of admin panel authentication endpoints provides insight into how operators manage compromised systems and suggests that aspects of LightSpy's infrastructure may be monitored or tracked through behavioral analysis of authentication flows. Understanding how these endpoints function helps profile operational patterns and uncover related infrastructure. As LightSpy's operators adapt, we will do the same and continue refining our tracking methods to identify new C2 servers as they appear.\r\nTo mitigate risks, defenders/users should:\r\nRestrict app permissions to prevent unnecessary access to sensitive data. On Android, use Privacy Dashboard to review and revoke permissions, and on iOS, enable App Privacy Reports to monitor background data access.\r\nEnable advanced device security features that limit the exploitability of devices. iOS users can turn on Lockdown Mode, which restricts attack surfaces, while Android users can enable Enhanced Google Play Protect and exploit protection settings to detect and block malicious activity.\r\nExamine historical system logs and forensic artifacts to determine whether the 2021-12-31 core version or related LightSpy components were present in previously undetected infections.\r\nLightSpy Network Observables and Indicators of Compromise (IOCs)\r\nIP Address ASN Domains Location Last Seen\r\n149.104.18[.]80 Cloudie Limited N/A HK 16 February 2025\r\n149.104.18[.]251 Cloudie Limited N/A HK 16 February 2025\r\n43.248.8[.]108 XNNET LLC N/A HK 16 February 2025\r\n43.248.8[.]76 XNNET LLC N/A HK 17 February 2025\r\n103.238.227[.]138 Cloudie Limited hk.cdn[.]cat HK 17 December 2024\r\nLightSpy Host Observables and Indicators of Compromise (IOCs)\r\nFilename SHA-256\r\nlight.framework.zip (2021-12-31) 890712c46e6629a59d1d82840256530f1cd3f1eda5c1e7f7f459ca786e120ba7\r\nlight.framework.zip (2020-12-21) 9e4e2c92037f43441376685af7f30c6df602ed9706715073e696a6a178a4b5d7\r\nsmallmload.jar bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99\r\nbbbb.jar 9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd\r\nvxx64m.dll 1b47cd2595d0f3468dbb609f5dcedfc90e2ee7c291d84bd6bd7d6a311a5f6bd\r\nvxx86m.dll f05b8387f808a598338ce2258014b2c259a4297a5593779e46029b3c5539ea4e\r\nTerminalx86m.dll 98a5275997acab23c26165980f221eaf2aab90b779af162c06e8823b4d19c7a3\r\nKeyLogLib32m.dll 72eff7f7f928f54db67d9b3aeee9a6c2b0af89edc0a71ce09715489ac7644a68\r\nKeyLogLib64m.dll 250e2aefc5a31019da9afeb22b1c704c6fd4db2da1ff6b5a0be4c63d23a32090\r\naudiox64m.dll 10c43f9dfaf94777f89248720555d17ac275b21ca726291989672b34f3991bc3\r\naudiom.dll 2e86456358046e347e05dce6ef6e30af92560901c145b95329fecaf6e64bd898\r\nCapx64m.dll 1d9293814fa3ce62fa67c1cbb8661660ffe1caa848142ba7f58dbbb60bc491ba\r\nCapm.dll 7147672b45832714c8b3d075665345d0860e9ebb672c4b5cbbe17243270ca41d\r\nsrvx64m.dll 7dbc26526fa32e1c91767d8b18abd3f4367f1b55b0f9ccf338fe5b9f74a36e48\r\nsrvm.dll e7b9e5e3bd6f72c39ef687ae59b2380815e827ea479ad142f278f295d706c5ec\r\nusbx64m.dll 29e090acf7aa1296fa5d22b0df92a830e7a58467f966dd0f78bd1560dc0bad45\r\nusbm.dll 74ce9f196c930c50811e4640283779ddd971e6a5ad6771c0577a80147c12bd35\r\nvideox64m.dll aee8ca6bcfff02ae0f931b76f48e39576477af289385cbcde27d3ac3e7fae35e\r\nvideom.dll 0258edc8c3efe8b3d8ccfce790c9192994e54a81dded1c0e116093d638506a01\r\nPDB Paths\r\nW:\\yk\\Bigfoot\\bin\\filename.pdb\r\nW:\\yk\\Darwin\\Bin\\filename.pdb\r\nSource: https://hunt.io/blog/lightspy-malware-targets-facebook-instagram",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://hunt.io/blog/lightspy-malware-targets-facebook-instagram"
	],
	"report_names": [
		"lightspy-malware-targets-facebook-instagram"
	],
	"threat_actors": [],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/923776e82a8dbc0be742450bbf5eb6b769d3a9ad.pdf",
		"text": "https://archive.orkl.eu/923776e82a8dbc0be742450bbf5eb6b769d3a9ad.txt",
		"img": "https://archive.orkl.eu/923776e82a8dbc0be742450bbf5eb6b769d3a9ad.jpg"
	}
}