{
	"id": "a808cca3-35ce-4c88-b309-9df23cfe637c",
	"created_at": "2026-04-06T00:17:40.007862Z",
	"updated_at": "2026-04-10T03:21:22.385209Z",
	"deleted_at": null,
	"sha1_hash": "e672fc817b3e224c2f0f67e68439f5d245e504cd",
	"title": "LightSpy: Implant for macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6444981,
	"plain_text": "LightSpy: Implant for macOS\r\nPublished: 2024-10-01 · Archived: 2026-04-05 15:02:34 UTC\r\nIn October 2023 we posted our research about the notorious surveillance framework LightSpy. In that research, we proved with a high degree of confidence not only that the implants for Android and iOS came from the same developer and shared the same network infrastructure, but also that they were just a small part of a larger framework.\r\nAt the moment of that publication, we knew that the framework was supposed to contain implants for at least four more platforms: Windows, macOS, Linux, and so-called Router.\r\nWe believe that threat actors could gain access not only to mobile and desktop devices, but also to network devices of the following brands: Netgear, Linksys, and Asus.\r\nhttps://www.threatfabric.com/blogs/lightspy-implant-for-macos\r\nPage 1 of 29\n\nUnfortunately, we could not confirm that those platforms were supported since, at the time, we had not seen any evidence or telemetry. However, we kept tracking the threat actor group and on 21 January 2024 we got such evidence.\r\nSince we obtained a lot of materials to share, we will publish our research as a series of connected blogs. In this report, we want to uncover all the LightSpy components related to macOS attacks. The next part will cover the recent iOS version with 28 plugins.\r\nWe are grateful to the Huntress research team for their report highlighting the same set of LightSpy samples targeting macOS users around 2018-2020, which was previously mistakenly reported as targeting iOS by other researchers. At the same time, we would like to extend that report with some valuable technical details we found during our investigation.\r\nResearch summary\r\nThe threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS. Part of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework.\r\nmacOS version 10 was targeted using those exploits.\r\nLightSpy for macOS supported 10 plugins to exfiltrate private information from affected desktop systems.\r\nThe administration panel named “DNS Traffic traction analysis system” contains traces potentially related to a DNS poisoning attack vector.\r\nBackground\r\nStarting from January 11, 2024, several URLs were uploaded to VirusTotal, all containing the number \"96382741\" already used as a path name for LightSpy Android and iOS file hosting. The URLs pointed to HTML and JavaScript files that contained the same strings, had been published on GitHub, and were relevant to the CVE-2018-4233 vulnerability, which was found in WebKit and targeted macOS version 10.13.3 and iOS versions before 11.4.\r\nWe downloaded all the files and analysed them. Our initial hypothesis was that we faced a new campaign that could target the recent macOS version (which was not proved), but as a result of this investigation we arrived at the attack kill chain for macOS that we describe below.\r\nTechnical analysis\r\nInitial stage\r\nAs a starting point, the threat actor group used the same approach as for iOS implant distribution: triggering a WebKit vulnerability inside Safari to perform unprivileged arbitrary code execution. For macOS, the attackers used the CVE-2018-4233 exploit, whose source code was published on the 18th of August 2018.\r\nSince the vulnerability affected both the iOS and macOS WebKits, both iOS and macOS implants might have been delivered in the same way for some time. The difference was in the subsequent local privilege escalation, which is OS-specific.\r\nSince the RCE exploit was already documented quite well by the author and other researchers, we will not cover it in this report. However, we can say that the only objective of this exploit is to deliver the next stage payload, which is called 20004312341.png.\r\nIntermediate downloader\r\nThis \"20004312341.png\" is actually a Mach-O x86_64 binary executable file. This file is extremely small and it contains only one function, \"_injection\".\r\nThis function will decrypt 0x400 bytes which were embedded into the \"20004312341.png\" executable and will launch the resulting script using launchd.\r\nThere are two noteworthy elements of the \"_injection\" function:\r\nThe function __spawn_via_launchd will be called with the following argument: net.saelo.hax, revealing the nickname of the original author of the exploit.\r\nThe whole function looks like a paste of the code from a Metasploit framework file.\r\nThe decryption will be done using XOR; the decryption algorithm is identical to the LightSpy Android plugin decryption.\r\nLightSpy macOS decryption\r\nLightSpy Android decryption\r\nThe resulting script is a plain Bash script that will download three more files using the curl utility (which has been bundled with macOS for many years).\r\nThe files downloaded are as follows:\r\nssudo - Mach-O x86_64 file. We have not downloaded that file from the control server; however, we believe that it could be made by compiling the following file: https://github.com/saelo/pwn2own2018/blob/master/stage4/ssudo.c. Ssudo could be a local privilege escalation exploit which will help LightSpy to gain system access rights during the script execution.\r\nddss - Mach-O x86_64 file. This file is capable of encrypting/decrypting the file that was passed as an argument. The decryption is the same as we showed above - XOR.\r\nzip - ZIP archive that contained two more files, update and update.plist.\r\nAs a result, the script will decrypt and unpack mac.zip, assign root access rights on both the \"update\" and \"update.plist\" child files, and achieve persistence on the system using launchctl. Starting from that moment, the \"update\" binary will start during each system boot-up.\r\nUpdate (macircloader)\r\nThis file is designed to set the configuration, download, and start the LightSpy Core, providing it with the corresponding C2 information.\r\nThe cybercriminals called this component \"macircloader\"; the same naming was used inside the iOS version of LightSpy.\r\nLightSpy macOS\r\nLightSpy iOS\r\n\"Macircloader\" will read the configuration embedded into its body and decrypt it using the AES cipher with the key 3e2717e8b3873b29 (the same key was used for the iOS version).\r\nThe configuration contains server IP addresses and ports that will be used for data exfiltration and command and control. It also contains a server path for downloading the information about the Core. The configuration will be saved into a config.json file for further usage.\r\n\"Macircloader\" will query the control server for two additional files:\r\nmacversion.json – this JSON file contains the information about the Core and consists of three parameters:\r\n1. date – represents the date when the Core was uploaded to the control server.\r\n2. filename – represents the file path by which \"macircloader\" can access the Core for downloading.\r\n3. md5 – represents the MD5 hash sum for the integrity check.\r\nmacmanifest.json – this JSON file contains the list of plugins for the Core with corresponding file paths and version numbers.\r\nBoth files, together with the embedded encrypted configuration, are part of the full configuration.\r\n\"Macircloader\" will download, decrypt, and run the Core and corresponding plugins using the full configuration.\r\nThe Core (framework plugin ID 10000)\r\nDuring our investigation, we were able to download only one version of the Core, by the following name: \"C40F0D27\" (SHA256 ba4d77387c7b5761893ca2b1e75b2d05733d3fbfb1bb3a2bad81cfc8f641545b).\r\nThis \"C40F0D27\" file is an orchestrator of the whole surveillance framework.\r\nThe Core is based on at least two open-source frameworks:\r\nFMDB, a SQLite (https://sqlite.org/) Objective-C wrapper.\r\nSocketRocket (https://github.com/facebookincubator/SocketRocket) for WebSocket communication with C2.\r\nThe main goals of the Core are:\r\nGathering the device fingerprint.\r\nEstablishing a full connection with the control server.\r\nRetrieving commands from the server, including commands to download/update plugins.\r\nThe developer has organised user-friendly logging for each executable function of the Core; for example, during startup the Core file sends the following message to the C2 – “开始启动取证程序”, which could be translated using Google Translate to “Start the evidence collection process”.\r\nSimilar to the Android version, LightSpy Core for macOS is extremely flexible in terms of configuration and command execution. Both of them use a SQLite database to store control server data, the commands plan, and the so-called dormant control plan. The Core for macOS lacks only one database table that was used in the Android version, t_app (an Android-specific table); all the other tables are the same.\r\nTable name – Description\r\nt_config – LightSpy configuration including control server address and port\r\nt_plugin – Plugin-related information including the URL address for each plugin\r\nt_command_record – List of shell commands to execute on the device\r\nt_transport_control – Network configuration for each command (commands could be executed using Wi-Fi or cellular network, or using both network types)\r\nt_dormant_control – Timetable for each day, hour, and minute when LightSpy should operate or sleep\r\nt_command_plan – Configuration for C2 commands for the Core and plugins, including execution frequency\r\nAfter the Core starts up, it creates the necessary folders by the two following paths:\r\n/var/containers/Bundle/AppleAppLit/\r\n/Users/Shared/update.app/Contents\r\nAfter the Core started, it would send the list of permissions that the spyware achieved from the victim’s system; however, most of them were not applicable to the macOS environment. For example, the “CanDrawOverlays” or “ProcessOutgoingCalls” permissions are related to the Android implant. The use of such a list of permissions proves that the threat actor group shared the same infrastructure for at least three types of implants: the iOS, Android, and macOS versions.\r\nWhen all the communication with C2 has been established, LightSpy will send extensive fingerprint information about the infected device:\r\nProperty name – Description\r\nis_root – Privileged or unprivileged access rights on the device\r\ncpuUsage – Current CPU usage, obtained by using the host_processor_info function\r\ncpuArchitecture – CPU architecture, value of the hw.cputype system property\r\ncpuName – CPU architecture name\r\ncpuMaxFreq – CPU maximum frequency, value of the hw.cpufrequency_max system property\r\ncpuCoresNum – Number of CPU cores, value of the hw.ncpu system property\r\nisCpu64 – True if the CPU has a 64-bit architecture\r\nnet_type – Network type\r\nmac – Network adapter MAC address\r\nsystem_version – macOS version\r\nmemTotal – Total RAM size\r\nmemAvailable – Available memory\r\nsdTotal – HDD size\r\nsdAvailable – HDD available size\r\nromTotal – HDD size\r\nromAvailable – HDD available size\r\nmetrics – Screen resolution\r\nsize – Screen size in inches\r\nbrand – Device manufacturer\r\napk_version – The Core version\r\nip – Network IP address\r\nusername – Current username\r\ndevice – Current device name\r\nSimilar to the Android version, the Core for macOS had so-called dormant network control capabilities that control when the Core should wake up and exfiltrate the data or communicate with C2, and which network (Wi-Fi or cellular) the Core should use for each command.\r\nDuring the investigation, it turned out that the operator was not interested in any custom working timeframes for LightSpy macOS, as the C2 returned zeroes for each weekday.\r\nAt the same time, the control server provided the network configuration for each type of command.\r\nThe description of the commands is in the following table:\r\nCommand ID – Description – Backend endpoint path\r\n10001 – Send a heartbeat beacon once – WebSocket\r\n10002 – Send permissions list – WebSocket\r\n10003 – Update network configuration for each command – WebSocket\r\n10004 – Update command plan – WebSocket\r\n10005 – Update plugins – WebSocket\r\n10007 – Send current working plugin versions – WebSocket\r\n10009 – Used as ID for all plugins while sending their data – WebSocket\r\n10013 – Used as ID while sending heartbeat signals – WebSocket\r\n10015 – Used while uploading the Core execution log file – WebSocket and /api/phone_file/\r\n10016 – Used while sending sleep status (the Core execution log file) – WebSocket\r\n10017 – Send plugin status – WebSocket\r\n10018 – Send permissions status – WebSocket\r\n10019 – Force update plugins – WebSocket\r\nThe LightSpy macOS plugins\r\nThe layout of the macOS version of the implant is the same as for Android and iOS: the Core serves as a command dispatcher and additional plugins extend the functionality. Both the Core and plugins could be updated dynamically by a command from C2.\r\nThe list and functionality of the plugins for the macOS version differ from the other implants as the target platform differs. Notably, the desktop version does not cover as many exfiltration functions as the mobile version did.\r\nDuring our investigation, we downloaded and analysed the following list of plugins.\r\nName – Version – Brief description\r\nsoundrecord – 2.3.1 – Sound recording plugin\r\nbrowser – 3.2.13 – Safari and Chrome history exfiltration plugin\r\ncameramodule – 1.5.1 – Camera shooting plugin\r\nFileManage – 1.3.2 – File exfiltration plugin\r\nkeychain – 3.1.1 – Apple Keychain contents exfiltration plugin\r\nLanDevices – 4.2.2 – Local network environment exfiltration plugin\r\nsoftlist – 4.2.2 – Currently running processes list and installed software exfiltration plugin\r\nScreenRecorder – 2.1.2 – Screen recording exfiltration plugin\r\nShellCommand – 1.3.2 – Remote shell plugin\r\nwifi – 1.3.2 – Wi-Fi nearby list and Wi-Fi connection history exfiltration plugin\r\n\"soundrecord\" plugin (plugin ID 18000)\r\nThis plugin is capable of recording audio from the device microphone, if available. Operators can schedule a microphone recording, providing the duration for how long the plugin should perform the recording. It is also possible to interrupt an ongoing recording using the same command.\r\nCommand ID – Description – Backend endpoint path\r\n18002 – Start/stop microphone recording – /api/phone_file/\r\n\"browser\" plugin (plugin ID 14000)\r\nThis plugin is responsible for browser history exfiltration. The two supported browsers are Safari and Chrome. The plugin will parse the following files:\r\n/Library/Application Support/Google/Chrome/Default/History\r\n/Library/Safari/History.db\r\nThe following parameters will be exfiltrated:\r\nTime of the visit\r\nURL\r\nWeb page title\r\nCommand ID – Description – Backend endpoint path\r\n14001 – Start browser's data exfiltration – /api/browser_history/\r\n\"cameramodule\" plugin (plugin ID 19000)\r\nThis plugin is responsible for taking pictures from available video devices such as the front camera of a MacBook. For that purpose, the plugin will utilise the already deprecated macOS API class AVCaptureStillImageOutput. The resulting image will be saved as a JPEG file with a name that represents the date and time.\r\nCommand ID – Description – Backend endpoint path\r\n19001 – Take one camera shot – /api/phone_file/\r\n\"FileManage\" plugin (plugin ID 15000)\r\nThis plugin is responsible for file system data exfiltration and manipulation. Operators can copy, move, and delete files and directories. There is one particularly interesting function inside this plugin - \"GetAppDir\". With the help of this function the operator can exfiltrate files from three messengers: WeChat (WeiXin), Telegram, and Tencent QQ.\r\nFor the QQ messenger, the plugin will search for the QQ shared app folder by package name \"com.tencent.mqq\" and enumerate subfolders and files by the following path names:\r\nDocuments\r\nimage_original\r\nimage_thumbnail\r\nAudio\r\nShortVideo\r\nFileRecv\r\nFor the Telegram messenger, the plugin will search the shared app folder by package name \"group.ph.telegra.Telegraph\" and enumerate subfolders and files by the following path name: \"postbox/media\". This folder is used for caching the media files of the Telegram user.\r\nFor the WeChat messenger, the plugin will search the shared app folder by package name \"com.tencent.xin\". Inside that shared folder it will access the \"Documents\" subfolder and will enumerate files inside the following subfolders:\r\nAudio\r\nImg\r\nVideo\r\nOpenData\r\nThe results of gathering data as well as command execution results will be JSON objects that will be sent using the SendCommandOver function, which is exported from the Core. This function will send JSON data using the WebSocket connection.\r\nCommand ID – Description – Backend endpoint path\r\n15001 – Get directory tree for specified folder – WebSocket\r\n15002 – Upload to C2 specified file from victim – /api/phone_file/\r\n15003 – Download from C2 specified file to victim – Any URL\r\n15004 – Delete specified file – WebSocket\r\n15005 – Send the status of the command to C2 – WebSocket\r\n15006 – Send the status of the command to C2 – WebSocket\r\n15007 – Send the status of the command to C2 – WebSocket\r\n15008 – Create directory by specified path – WebSocket\r\n15009 – Rename the specified file – WebSocket\r\n15010 – Move file – WebSocket\r\n15011 – Copy file – WebSocket\r\n15012 – Get directory tree for the specified messenger app (“qq”, “wechat”, “telegram”) – WebSocket\r\n\"Keychain\" plugin (plugin ID 31000)\r\nThis plugin is responsible for the exfiltration of passwords, certificates, and keys from the Keychain. In this way, attackers can gain access to Wi-Fi passwords as they are also stored inside the Keychain.\r\nCommand ID – Description – Backend endpoint path\r\n31001 – Extract keychain data – /api/keychain/\r\n\"LanDevices\" (plugin ID 33000)\r\nThis plugin is responsible for basic network scanning to find all the devices within the same network to which the victim is connected. The plugin is based on the SimplePing framework, which is used for pinging a host and checking the availability of the corresponding device.\r\nThe plugin will calculate the list of potentially interesting devices using the IP address of the currently connected network and the subnet mask. It will ping each one of them and will try to recognise the following list of parameters:\r\nDevice brand\r\nDevice hostname\r\nDevice IP address\r\nDevice MAC address\r\nDevice subnet mask\r\nCommand ID – Description – Backend endpoint path\r\n33001 – Exfiltrate nearby devices' network information – /api/lan_devices/\r\n\"Softlist\" plugin (plugin ID 16000)\r\nThis plugin is responsible for the exfiltration of two lists:\r\ninstalled applications list;\r\ncurrently running processes list.\r\nTo enumerate the installed applications, the plugin will list the Applications folder and for each subfolder will try to open Info.plist, which contains the application details. The following parameters will be extracted from each plist file:\r\nCFBundleName – human-readable name of the installed application\r\nCFBundleIdentifier – application package name\r\nCFBundleShortVersionString – application version\r\nTo enumerate the currently running processes, the plugin will call the \"runningApplications\" method from the \"sharedWorkspace\" class. The following list of parameters will be exfiltrated:\r\nProcess identifier,\r\nProcess path,\r\nProcess data path,\r\nBundle name.\r\nCommand ID – Description – Backend endpoint path\r\n16001 – Exfiltrate the list of installed applications – /api/app/\r\n16002 – Exfiltrate the list of currently running processes – /api/process/\r\n\"ScreenRecorder\" (plugin ID 34000)\r\nThis plugin is responsible for capturing video from the main display of the device.\r\nCommand ID – Description – Backend endpoint path\r\n34001 – Start/Stop screen capture – /api/phone_file/\r\n\"ShellCommand\" (plugin ID 20000)\r\nThis plugin is responsible for providing the remote shell to the operator.\r\n\"Wifi\" plugin (plugin ID 17000)\r\nThis plugin is responsible for Wi-Fi network data exfiltration. It is based on Apple's native API from the CWWiFiClient class. The plugin itself will not perform any Wi-Fi scanning; instead it will use cached scan results from the system.\r\nThe following Wi-Fi network attributes will be exfiltrated:\r\nSSID,\r\nSupported security type,\r\nEncryption type,\r\nRSSI value.\r\nTogether with that, the plugin will parse the following file for network-related information:\r\n/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist\r\nCommand ID – Description – Backend endpoint path\r\n17001 – Get the listing of Wi-Fi networks that are nearby – /api/wifi_nearby/\r\n17002 – Get the Wi-Fi networks connection history – /api/wifi_connection/\r\nInfrastructure\r\nDuring our investigation, we checked all already known hosts that were related to LightSpy and we could not confirm any host other than 103.27.109[.]217 as related to the macOS campaign. However, we found almost the same panel on a few other hosts that were related to LightSpy.\r\nOn March 21, 2024, there was the first occurrence of the panel content on VirusTotal; it was the background of the web page.\r\nA day later, on March 22, 2024, there was the first occurrence of the panel URL on VirusTotal.\r\nThe corresponding IP address was related to Android LightSpy and was disclosed by Lookout, but the structure of the URL path was unknown.\r\nFrom that moment we started to analyse the panel itself. At first glance, the panel appeared as it can be seen below:\r\nHowever, the code serving that panel contains a critical mistake: it checks for authorisation only after all the scripts are loaded by the browser. This means that when we load the page, for less than a second, we can see it as authenticated users would. Here’s the picture we saw (each button has been translated using Google Translate, with red text for better understanding, acknowledging potential inaccuracies).\r\nWe believe that this web page serves as a high-level panel to track the entire campaign, containing generic information about attacked devices. This information is suitable for victim profile analysis but does not include the precise data that LightSpy implants can exfiltrate.\r\nHowever, in the top right corner of the window, there was a button labeled “Remote control platform,” pointing to another panel on the same control server. Due to a catastrophic misconfiguration, we were able to access this panel, and anyone could do the same by accessing the top-level panel.\r\nThis panel contained comprehensive information about victims, fully correlating with all the exfiltration data provided in the technical analysis section of this report.\r\nWe can see that there were three different groups of victims: \"202206\", \"支持设备 (supporting device)\" and \"default\". The last group contained those victims who provided invalid configurations during communication with C2; with high confidence we can say that those devices are security researchers' devices.\r\nThe other two groups contained a list of macOS and iOS devices, and all of them were old: macOS version 10.13.4 and iOS version 12.1.2 refer to the years 2017-2020.\r\nThe victim window consists of seven sections that correlate with the LightSpy plugins layout; for instance, there is a remote shell section, the same function we’ve seen inside the plugin “ShellCommand”, and the App/Process section represents the data that came from the “Softlist” plugin.\r\nVictimology\r\nAnalysing the list of victims inside the panel, we concluded that some of them could be the attackers themselves. For example, one of the devices had a browser history full of URLs to the HTML file with the RCE exploit of the initial infection vector.\r\nWe noticed the same footprint for the iOS devices; the messenger’s history log contained only test messages.\r\nWe extracted all the victims' information from the panel and tried to figure out whether there was any real victim: not a researcher device and not an attacker test machine.\r\nAs far as we can see, 9 out of 20 devices were connected to a Wi-Fi network with the SSID \"Haso_618\".\r\nSince five other devices were in the same location and online during the same timeframe (October 2022), it is likely they are also test devices.\r\nThree macOS devices from the United Kingdom and USA, and two Android devices, were probably researchers' devices as they were recently online. This campaign likely operated around 2022.\r\nThe remaining device, connected to \"NVPN_09_9B_F4_5G\", accessed the web page with RCE exploits multiple times, suggesting it is not a victim.\r\nSummarising these assumptions, we conclude that this particular panel page probably does not contain any real victims but provides some information about the actors behind it.\r\nConclusion\r\nWe are certain that LightSpy for macOS echoes a campaign conducted a few years ago. Nonetheless, investigating this sophisticated spyware toolset was still intriguing, offering insights into the goals of the threat actor and the specific information they sought.\r\nIt became evident that regardless of the targeted platform, the threat actor group focused on intercepting victim communications, such as messenger conversations and voice recordings. For macOS, a specialised plugin was designed for network discovery, aiming to identify devices in proximity to the victim.\r\nDespite our findings, some aspects of the LightSpy puzzle remain elusive. There is no evidence confirming the existence of implants for Linux and routers, nor is there information on how they might be delivered. However, their potential functionality is known based on panel analysis.\r\nWe will continue monitoring LightSpy and endeavor to identify related samples.\r\nAppendix\r\nIndicators of compromise\r\nControl servers:\r\n103.27.109[.]217\r\nFile SHA256 hashes:\r\nStage 0 Exploit: index.html, Int64.js, offsets.js, utils.js\r\nStage 1 Dropper, downloader: 20004312341.png, Bash script unxored, Ddss – decryption binary\r\nStage 2 Updater, Orchestrator: mac.zip, mac.zip XOR-decoded, update file, update.plist, The Core (C40F0D27 file), C40F0D27 XOR-decoded\r\nStage 3 Plugins (and XOR-decoded plugins): WifiList, LanDevices, CameraShot, FileManage, AudioRecorder, KeyChains, ScreenRecorder, ProcessAndApp, BrowserHistory, ShellCommand\r\nSource: https://www.threatfabric.com/blogs/lightspy-implant-for-macos",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.threatfabric.com/blogs/lightspy-implant-for-macos"
	],
	"report_names": [
		"lightspy-implant-for-macos"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e672fc817b3e224c2f0f67e68439f5d245e504cd.pdf",
		"text": "https://archive.orkl.eu/e672fc817b3e224c2f0f67e68439f5d245e504cd.txt",
		"img": "https://archive.orkl.eu/e672fc817b3e224c2f0f67e68439f5d245e504cd.jpg"
	}
}