{
	"id": "57607ef7-95be-4ca2-ac0a-79dae9b4ddb5",
	"created_at": "2026-04-06T00:19:26.824605Z",
	"updated_at": "2026-04-10T03:32:21.232598Z",
	"deleted_at": null,
	"sha1_hash": "ed430f9e60f893494e45ccc341b5e8f9e8b71aa8",
	"title": "Tracking LightSpy: Certificates as Windows into Adversary Behavior",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4122011,
	"plain_text": "Tracking LightSpy: Certificates as Windows into Adversary\r\nBehavior\r\nPublished: 2024-06-06 · Archived: 2026-04-05 16:27:49 UTC\r\nTABLE OF CONTENTS\r\nIntroductionA Quick RefresherOverview of LightSpy’s InfrastructureFollowing the CertificatesRecently Seen\r\nDomains and CertificatesConclusionIndicators\r\nIntroduction\r\nIn this post, we'll detail the infrastructure of the LightSpy spyware framework and highlight the unique TLS\r\ncertificates that have been instrumental in identifying its servers.\r\nWe’ll examine specific characteristics of the LightSpy network, such as commonly used ports, preferred hosting\r\nproviders, registration details, and both existing and newly discovered certificates from our scans. This article\r\naims to equip defenders with the information necessary to understand and anticipate the behaviors of the actors\r\nbehind this operation.\r\nA Quick Refresher\r\nLightSpy is a sophisticated surveillance framework targeting iOS, Android, macOS, and Windows devices,\r\nfocusing on the Asia-Pacific region. This framework is designed to exfiltrate a wide range of sensitive data from\r\nmobile devices, including files, screenshots, detailed location information (such as building floor numbers), voice\r\nrecordings from WeChat calls, and payment information from WeChat Pay.\r\nAdditionally, LightSpy captures data from popular messaging apps like Telegram and QQ Messenger, highlighting\r\nits extensive capabilities and significant threat potential.\r\nThe following recent blog posts provide a more technical analysis of malware infiltrating networks.\r\nHuntress – “LightSpy Malware Variant Targeting macOS”\r\nThreatFabric – “LightSpy: Implant for macOS”\r\nLookout – “Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41”\r\nOverview of LightSpy’s Infrastructure\r\nAccording to our scans, most of LightSpy's infrastructure is located in China and Hong Kong, with a single server\r\nidentified in Japan. Topway Global Limited and ChinaNet comprise most of the servers hosting the certificates\r\nassociated with the framework. Based on our visibility, figure 1 displays a graph highlighting the most popular\r\nhosting companies.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 1 of 10\n\nWe didn’t forget about AndroidControl, also known as WyrmSpy, LightSpy’s reported successor. In the next\r\nsection, we will cover the certificates behind both LightSpy and AndroidControl in detail.\r\nFigure 1: Common Hosting Companies in Hunt Platform\r\nLightSpy uses a range of high ports for certificates, typically in the 50k+ range. In contrast, AndroidControl\r\ncommonly uses port 443 for its control panel and port 3389 for Remote Desktop Protocol (RDP). Both\r\nframeworks leverage Nginx servers for their infrastructure, with LightSpy often seen using Nginx version 1.14.0\r\nand AndroidControl using version 1.10.3.\r\nHunt scans found that ports 51200 and 53501 are the most popular ports for LightSpy.\r\nThe top 10 ports are depicted below.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 2 of 10\n\nFigure 2: Most Popular Ports in Hunt\r\nDetecting WyrmSpy was previously as straightforward as searching for web pages that display the HTML title\r\n(“AndroidControl v1.0.4”). However, this detection method is not foolproof and is easily changed by the actor(s)\r\nadministering the server, rendering the query useless.\r\nLike LightSpy, WyrmSpy uses a unique TLS certificate for its control panel. This procedure of using distinct\r\ncertificates leads to a small number of IP addresses sharing it. While the title and certificate are easily changed,\r\nfocusing on the latter allows researchers to identify related infrastructure, even if the page is altered or the actor\r\nhas not yet started using the panel.\r\nAt the very least, we can get an idea of the certificate authority (if applicable) preferred by the attacker and the\r\nnaming conventions used.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 3 of 10\n\nFigure 3: Screenshot of AndroidControl (WrymSpy) HTML Title Panel\r\nHunt is currently tracking 12 servers presenting the certificate we will discuss below.\r\nTake a look for yourself using the Active C2 Servers feature here.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 4 of 10\n\nFigure 4: Just a Few of the LightSpy IP Addresses Available for Analysis in Hunt\r\nFollowing the Certificates\r\nWe referenced the WyrmSpy certificate multiple times without displaying it. The full self-signed certificate is as\r\nfollows:\r\nC=US\r\nST=State of California\r\nO=hxwa\r\nOU=John\r\nCN=X\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 5 of 10\n\nemailAddress=X3057@gmail.com\r\nIf you've been following our blogs, you may recall our post on a cluster of ShadowPad infrastructure that used\r\ncertificates spoofing the American technology company Dell. In that post, we highlighted several servers with\r\nRDP certificates following the \"iZ[13 alphanumeric characters]” pattern. Notably, 47.241.218_217, identified as\r\nWyrmSpy infrastructure, employs a similar naming convention, as illustrated in Figure 5.\r\nShadowPad blog post:\r\nhttps://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates\r\nFigure 5: Certificates used on WrymSpy Server\r\nUnfortunately, the trail ran cold on the above RDP certificate as we could not locate any additional servers using\r\nthe above naming convention. However, we can pivot on the TLS certificate, which leads us to 5 additional\r\nservers worthy of a second look.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 6 of 10\n\nFigure 6: Pivot on AndroidControl TLS Certificate (Try it)\r\nThe certificates associated with LightSpy are reminiscent of the AndroidControl (WyrmSpy) names, with some\r\nnotable differences:\r\nLightSpy Certificate:\r\nC=AU\r\nST=SUN\r\nO=Kylin\r\nOU=base\r\nCN=admin1\r\nemailAddress=admin1@admin.com\r\nWhile both certificates follow a similar structure, the LightSpy certificate uses an Australian country code\r\n(C=AU) and generic organizational details. In contrast, the WyrmSpy certificate uses a US country code (C=US)\r\nand more specific, albeit fabricated, organizational information.\r\nDespite these differences, the commonality in their structured format suggests a shared methodology or toolkit\r\nused by the threat actors behind both frameworks. This similarity can be a crucial indicator for defenders\r\ncorrelating and tracking related infrastructure more effectively.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 7 of 10\n\nFigure 7: Example of a Short-lived LightSpy Certificate\r\nRecently Seen Domains and Certificates\r\nOnce we establish a reliable query that consistently identifies malicious infrastructure, it's crucial not to rely solely\r\non that detection method. Adversaries will likely make subtle server changes to evade detection or even transfer\r\nthe IP address to another threat actor.\r\nTo counter this, we must periodically probe and reassess the identified servers (within reason), tracking changes\r\nover time. By doing so, we can proactively respond to these modifications and potentially differentiate between\r\ndifferent threat actors using the same IP addresses or networks.\r\n*It is crucial to be as discreet as possible when interacting directly with possible malicious infrastructure.\r\nProbing can tip off actors to your presence and expose your network to various attacks.\r\nWhile investigating these various IPs, we identified a server, 103.43.17_99, that had recently started hosting the\r\nLightSpy certificate on port 54600. Additionally, this server hosts another certificate on port 443 issued by\r\nZeroSSL for the domain yycclouds[.]com, which also resolves to this IP address.\r\nFigure 8: LightSpy Certificate Overlaps with ZeroSSL Certificate\r\nThe above domain is registered through GoDaddy and uses domaincontrol.com nameservers. As of the time of\r\nwriting, there are no subdomains or web pages associated with the yycclouds domain.\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 8 of 10\n\nConclusion\r\nIn this post, we explored the intricate infrastructure of the LightSpy spyware framework and its successor,\r\nWyrmSpy. We highlighted the significance of focusing on TLS certificates and patterns in hosting providers,\r\nparticularly in the Asia-Pacific region. Understanding these elements, along with critical infrastructure\r\ncomponents such as ports, server software, hosting, domain registration, and certificates, allows us to better track\r\nand anticipate the evolving tactics of these threat actors.\r\nSign up for an account with Hunt to stay informed on the latest trends in malicious infrastructure and enhance\r\nyour defensive capabilities.\r\nIndicators\r\nIP Address Notes\r\n103.27.109_217 LightSpy C2\r\n43.248.136_110 LightSpy C2\r\n103.27.109_28 LightSpy C2\r\n38.55.97_178 LightSpy C2\r\n103.43.17_99 LightSpy C2\r\n43.248.136_104 LightSpy C2\r\n45.125.34_126 LightSpy C2\r\n45.155.220_194 LightSpy C2\r\n154.91.196_185 LightSpy C2\r\n222.219.183_84 LightSpy C2\r\n47.241.218_217 WrymSpy C2\r\n8.219.55.216 Shared certificate w/ WrymSpy\r\n47.242.108_245 Shared certificate w/ WrymSpy\r\n47.242.56_232 Shared certificate w/ WrymSpy\r\n161.117.253_231 Shared certificate w/ WrymSpy\r\nCertificate SHA-256\r\nLightSpy efbfbd517e0727efbfbd48efbfbdd3b8efbfbdc69938efbfbd09efbfbd7cefbfbd3aefbfbd42417c\r\nWrymSpy efbfbd2c41efbfbd012e034a170964efbfbdd68fefbfbd2c0eefbfbd424aefbf bd5e13efbfbd6824\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 9 of 10\n\nSource: https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nhttps://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior"
	],
	"report_names": [
		"tracking-lightspy-certificates-as-windows-into-adversary-behavior"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed430f9e60f893494e45ccc341b5e8f9e8b71aa8.pdf",
		"text": "https://archive.orkl.eu/ed430f9e60f893494e45ccc341b5e8f9e8b71aa8.txt",
		"img": "https://archive.orkl.eu/ed430f9e60f893494e45ccc341b5e8f9e8b71aa8.jpg"
	}
}