{
	"id": "b55faaeb-c81e-45a6-b62b-a1b2bf6cb97f",
	"created_at": "2026-04-06T00:19:53.810854Z",
	"updated_at": "2026-04-10T03:22:06.860474Z",
	"deleted_at": null,
	"sha1_hash": "f068f1cba4a7f79f5f27f000513fcf05c4abf456",
	"title": "LightSpy: Implant for iOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1667569,
	"plain_text": "LightSpy: Implant for iOS\r\nPublished: 2024-10-01 · Archived: 2026-04-05 19:06:20 UTC\r\nIn May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns.\r\nThanks to this, we were also able to obtain the most recent samples of LightSpy for iOS. After a brief analysis of the obtained files, we concluded that this version slightly differs from the version discussed by researchers in 2020.\r\nThe previously documented version of LightSpy's Core for iOS was identified as \"6.0.0.\" However, the version we obtained from this server was \"7.9.0.\" The updates extended beyond the Core itself—the plugin set increased significantly from 12 to 28 plugins. Notably, seven of these plugins have destructive capabilities that can interfere with the device’s boot process.\r\nIn this report, we will examine the latest version of LightSpy for iOS, along with its associated plugins.\r\nResearch summary\r\nThe threat actor expanded support for the iOS platform, targeting up to version 13.3. They utilized the publicly available Safari exploit CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.\r\nThe actor ran multiple campaigns with varying sets of plugins. One particular campaign included plugins that could disrupt the operating system’s stability, with capabilities to freeze the device or even prevent it from booting up.\r\nBackground\r\nDuring our analysis, we discovered that the threat actor continued to rely on publicly available exploits and jailbreak kits to gain access to devices and escalate privileges. 
We believe this threat actor is also deeply involved with jailbreak code integration within the spyware's structure, which supports its modular architecture. Additionally, we found that some core binary files of the spyware were signed with the same certificate used in jailbreak kits.\r\nOur investigation revealed five active command-and-control (C2) servers associated with the LightSpy iOS campaign. Each server returned a JSON file containing what appeared to be deployment dates for the spyware, with the latest observed date being October 26, 2022. Notably, the remote code execution vulnerability used to deliver LightSpy to iOS victims was actually patched in 2020.\r\nThis raises the question of why infrastructure hosting outdated malware is still maintained. Since some samples contained the label “DEMO,” it’s possible the infrastructure is used for demonstration purposes, showcasing LightSpy's malicious capabilities to potential customers. However, we found no evidence that LightSpy is being promoted as malware-as-a-service (MaaS) on any known attacker forums.\r\nhttps://www.threatfabric.com/blogs/lightspy-implant-for-ios\r\nPage 1 of 31\n\nWe also observed many code similarities between the macOS and iOS versions of the LightSpy implant, particularly in the core functions and plugins. These similarities strongly suggest that both versions were developed by the same team.\r\nWhile the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences.\r\nBased on our findings, we were able to map out the following attack chain:\r\nTechnical analysis\r\nInitial stage: index.html\r\nThe threat actor followed the previously observed approach to gain access to the target device: a WebKit vulnerability was used as an initial attack vector. 
This time it was CVE-2020-9802, which was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6. In both the macOS and iOS campaigns, the exploits used by the threat actors were published by the same security researcher.\r\nThe URL of the exploit contained the same magic number as was used in the Android and macOS campaigns:\r\nhxxp://103.27.109[.]217:52202/963852741/ios/IOS123-133/index.html\r\nFor iOS versions lower than 12.3, a different URL path was used:\r\nhxxp://103.27.109[.]217:52202/963852741/ios/ios120-122/index.html\r\nThe use of the newer WebKit exploit allowed the threat actor to extend the list of supported iOS versions to include version 13.3.\r\nDevice Supported iOS version\r\niPhone 6 12.3 - 12.4.1\r\niPhone 6+ 12.3 - 12.4.1\r\niPhone 6S 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone 6S+ 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone 7 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone 7+ 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone 8 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone 8+ 12.3 - 12.4.1, 13.0 - 13.3\r\niPhone X 12.3 - 12.4.1, 13.0 - 13.3\r\nThe exploit consisted of 7 files, the main one being index.html:\r\nindex.html\r\noffsets.js\r\ndevice.js\r\nbinary.js\r\nprimitives130401.js\r\nwrapper.js\r\ngadget.js\r\nIn case of successful exploitation, index.html will drop onto the system a file with a “.png” extension which is actually a Mach-O executable.\r\nThe name of the file depends on the version of iOS: \"20012001330.png\" if the victim had iOS version 13 or above, \"20012001241.png\" for any older iOS version.\r\nStage 1: Jailbreak\r\nFrom the code perspective, \"20012001330.png\" and \"20012001241.png\" are identical; the only difference is the embedded encrypted blob which contains URLs that point to supporting files and 
the next stage downloader.\r\n\"20012001241.png\" will download the file \"aaa12\", while \"20012001330.png\" will download \"aaa13\".\r\nThe threat actor created \"20012001330.png\" to trigger vulnerability CVE-2020-3837 using the “time_waste” exploit and a corresponding jailbreak kit. Technically, \"20012001330.png\" is fully based on source code which is publicly available on GitHub. Its unique feature is that \"20012001330.png\" will decrypt 0x340 bytes from its own body (at file offset 0x560d8) and use the result as URLs. It will download files from these URLs, decrypt them and save them using hardcoded file names.\r\nStage 1 main routine: configuration decryption, Stage 2 downloading and execution\r\nTo decrypt the URL configuration, the threat actor used the same XOR-chain algorithm that we saw in the macOS and Android samples:\r\nNotably, the decrypted URL configuration blob contained five URLs, but we found references to only three of them.\r\nStage 1 decrypted configuration\r\n1. hxxp://103.27.109[.]217:52202/963852741/csm/tem2/0914-3/aaa13, which will be saved as /var/containers/Bundle/jb13/amfidebilitate, is part of the jailbreak kit.\r\n2. hxxp://103.27.109[.]217:52202/963852741/csm/tem2/0914-3/eee, which will be saved as /var/containers/Bundle/jb13/jbexec, is a test executable used to check whether the jailbreak succeeded. Both amfidebilitate and jbexec are present inside other jailbreak toolkits, Odyssey and Taurine.\r\n3. hxxp://103.27.109[.]217:52202/963852741/csm/tem2/0914-3/bb, which will be saved as /var/containers/Bundle/bb, is the next stage payload, which is named ircloader or FrameworkLoader.\r\nThe other two files were:\r\n1. hxxp://103.27.109[.]217:52202/963852741/csm/tem2/0914-3/cc, which is the launchctl binary, used for achieving persistence. 
This executable file can set an executable to auto-start during the system boot process.\r\n2. hxxp://103.27.109[.]217:52202/963852741/csm/tem2/0914-3/b.plist, which is a plist file indicating that FrameworkLoader should start during the system boot process.\r\nStage 2: FrameworkLoader (ircloader)\r\nThe next piece of the infection chain is the “bb” file. From its static analysis results, we concluded that, originally, “bb” was called “loadios”; at the same time there are some strings that are related to “ircloader”. We also found that the main Objective-C class was named “FrameworkLoader”, and this name fully represents the functionality of the “bb” file.\r\nThe presence of the ircloader stage was also reported in previous research: it was the file with MD5 hash 53acd56ca69a04e13e32f7787a021bb5 and it was 10 times smaller in terms of file size. This big difference is the result of jailbreak code usage and additional logging code.\r\nFrameworkLoader will call two functions, _inject and trustBin, both of which the threat actors copied from the \"jelbrek.m\" file of the jelbrekLib GitHub project.\r\nGitHub jailbreak kit project\r\nFrameworkLoader decompiled code\r\nFrameworkLoader is responsible for downloading the LightSpy Core and related plugins. 
To do so, FrameworkLoader, like the \"20012001330.png\" file, will decrypt the configuration blob from its own body, this time using the AES ECB cipher with the key 3e2717e8b3873b29, the same key we saw in the Android and macOS campaigns.\r\nStage 2 decrypted configuration\r\nThis configuration points to C2 server properties:\r\nC2 IP address and port, which will be used for communication by the LightSpy Core in further stages via WebSocket.\r\nURL address, which will be used to download the Core and plugins.\r\nTo download the Core and the plugins, FrameworkLoader will append two file names to that URL:\r\nversion.json, this file contains information on the LightSpy Core: deployment date, file name to download, and MD5 hash for the consistency check\r\nplugins/manifest.json, this file contains the plugin version number, class name, initialization parameters, name, URL, and MD5 hash for the integrity check.\r\nWe downloaded the version.json file from each active control server and it turned out that there were three unique versions of the Core; sometimes, for the same Core version, there were two different deployment dates:\r\nDate Core version MD5 hash for integrity check\r\n21/12/2020 7.7.1 4bbd20358202e618843ca23b90906122\r\n30/06/2021 7.9.1 6cc277a36e18725c88b6b48324be6497\r\n20/10/2022 7.9.0 66f0afaef75f871645458f672a21ae4d\r\n26/10/2022 7.9.0 66f0afaef75f871645458f672a21ae4d\r\nWe also downloaded the \"manifest.json\" file from each active C2, and the difference between the downloaded files was significant. 
For the group of two C2 servers, there were 28 plugins available; for the group of three C2 servers, there were 17 or 18 plugins available for download.\r\nC2 Server Plugin count\r\n103.27.109[.]217 28\r\n103.43.17[.]99 28\r\n103.27.109[.]28 17\r\n43.248.136[.]110 17\r\n222.219.183[.]84 18\r\nThe download procedure of FrameworkLoader does not differ significantly from its predecessor; however, from the execution point of view it was unique. To execute a payload, FrameworkLoader will make it trusted by the system using the jailbreak API. Since the Core is a shared library file, FrameworkLoader will execute it using the “dlopen” system function: it will call the “start:ipaddr:port:param:” method from the MainA class of the Core, providing it with the configuration:\r\nInstall path\r\nC2 IP address\r\nC2 port number\r\nCampaign ID\r\nLightSpy Core\r\nCompared to the implants for Android, macOS, and older iOS versions, the implant for iOS turned out to be not just one file but an archive with 9 files.\r\nThe archive had the structure of a regular iOS package, as it contained, for instance, info.plist, an application manifest file which describes the application structure.\r\nplist – describes the structure of the package\r\nRootFS – part of the jailbreak\r\nCodeResources – the file that contains signature data for each file inside the package\r\nJailbreakd – part of the jailbreak\r\ndylib – LightSpy Core library that will be injected into the SpringBoard process for microphone recording purposes\r\nlight – LightSpy Core\r\nloadJailbreakd – part of the jailbreak\r\np12 – signing certificate file which will be used to whitelist the test file\r\ntest – LightSpy Core helper file; it will call jailbreak parts to inject libcynject.dylib into the SpringBoard process.\r\nSome executable files were signed using the threat actors’ certificate with ID “yujing zhang (VG6JHJ2J8L)” and others were signed with 
the jailbreak certificate with ID “jiu de (DQF6PC5T2P)”.\r\nCertificate “jiu de (DQF6PC5T2P)” was bundled into the archive as the file “signcert.p12”.\r\nExecutable File Signature\r\njailbreakd jiu de (DQF6PC5T2P)\r\nlibcynject.dylib yujing zhang (VG6JHJ2J8L)\r\nlight yujing zhang (VG6JHJ2J8L)\r\nloadJailbreakd jiu de (DQF6PC5T2P)\r\ntest jiu de (DQF6PC5T2P)\r\nsigncert.p12 thumbprint:\r\nThe Core is based on several frameworks:\r\nHLNetWorkReachability, for the Internet availability check\r\nFMDB, for SQLite database creation and access\r\nSSZipArchive, to extract decrypted plugin Zip archives and the resources.zip file, and to compress exfiltrated data\r\nLibwebsockets, for C2 communication\r\nThe Core serves several goals:\r\nProvide the device fingerprint\r\nTransport module – all communication with the control server will be done only through the Core\r\nUpdater – the Core can update plugins\r\nCommand dispatcher – it will receive and store the commands, pass them to plugins, and send the command execution results back to the control server\r\nLogging – the Core will upload execution logs to the control server\r\nFunctions exporter – for instance, audio-related functions are exported by the Core and used by the audio recording plugin.\r\nAfter the Core starts up, it will perform an Internet connectivity check using the Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the C2 data and working directory. 
Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, the database, and exfiltrated data.\r\nSubfolder Description\r\nlog Log files that will be recorded and then sent to the control server\r\ndatabase Used for storing the SQLite database\r\nplugins Plugin storage directory\r\nprivate Plugin data (exfiltrated data that should be sent) storage directory\r\nresources Directory for storing resources.zip, which will be downloaded from the C2\r\nThe Core is highly dependent on jailbreak functionality for its own execution and for plugin execution. That is why it will download an additional file, “resources.zip”, which also contains jailbreak helper files related to the jailbreak process on the iOS 12 version family.\r\nThe Core uses a SQLite database named light.db to store the implant state, configuration, and execution plan. The database structure is the following:\r\nTable name Description\r\nt_config LightSpy configuration, including the control server address and port\r\nt_plugin Plugin-related information, including the URL address for each plugin\r\nt_transport_control Network configuration for each command (commands could be executed using the Wi-Fi or cellular network, or using both network types)\r\nt_command_plan Configuration for C2 commands for the Core and plugins, including execution frequency\r\nt_command_record List of shell commands to execute on the device\r\nt_dormant_control Timetable for each day, hour, and minute when LightSpy should operate or sleep\r\nWhen all the communication with the C2 has been established and light.db is created, LightSpy will:\r\nDispatch the following commands to plugins: 25004, 25005, 12004, 12005, 26004, 26005 (each command is described in the further sections of this article)\r\nLoad the dormant control configuration, which is a detailed, precise implant wake-up plan\r\nLoad the network 
configuration plan: which command should be executed using the Wi-Fi or cellular network\r\nSend extensive fingerprint information about the infected device\r\nThe Core has two more interesting functions:\r\nIt can play sound files that are available in the folder /System/Library/Audio/UISounds. Operators can set up the Core to play audio recordings for a certain timeframe.\r\nIt will execute the file “test” from the package archive. This file will try to inject libcynject.dylib into the SpringBoard process.\r\nThis “libcynject.dylib” file is also quite interesting: it is a shared library file that consists of audio/video recording functions which are used by the sound and camera recording plugins.\r\nAnother notable finding is the fact that this library creates a local server and binds it to port 9600 (0x2580); this port will be accessed by the sound recording, camera recording, and PushMessage plugins. This shows that the threat actor used a network stack to communicate between the Core and plugins.\r\nLightSpy plugins\r\nDepending on the C2 configuration, the Core can download from 17 to 28 plugins. A few of them were previously reported, but most of them remained unknown until now. A notable difference is that the threat actor extended the set of plugins with destructive ones.\r\nName Version Brief description\r\nAppDelete 1.0.0 Can delete messenger-related victim files\r\nBaseInfo 2.0.0 Exfiltrates contact list, call history, and SMS messages. Can send SMS messages on command\r\nBootdestroy 1.0.0 Destructive plugin: can prevent the device from booting up\r\nBrowser 2.0.0 Browser history exfiltration plugin\r\nBrowserDelete 1.0.0 Destructive plugin: can wipe browser history\r\ncameramodule 1.0.0 Takes camera shots. 
Can take a single shot or take several shots over a specified time interval\r\nContactDelete 1.0.0 Destructive plugin: can delete specified contacts from the address book\r\nDeleteKernelFile 1.0.0 Destructive plugin: can freeze the device\r\nDeleteSpring 1.0.0 Destructive plugin: can freeze the device\r\nEnvironmentalRecording 1.0.0 Sound recording plugin: environment, calls\r\nFileManage 2.0.0 File exfiltration plugin\r\nios_line 2.0.212 Line messenger data exfiltration plugin\r\nios_mail 2.0.10 Apple Mail application data exfiltration plugin\r\nios_qq 2.0.0 Tencent QQ messenger database parsing and exfiltration plugin\r\nios_telegram 2.0.211 Telegram messenger data exfiltration plugin\r\nios_wechat 2.0.211 WeChat messenger data exfiltration plugin\r\nios_whatsapp 2.0.212 WhatsApp messenger data exfiltration plugin\r\nKeyChain 2.0.0 KeyChain data exfiltration plugin\r\nlandevices 2.0.0 Wi-Fi network scanning plugin\r\nLocation 2.0.0 Location exfiltration plugin\r\nMediaDelete 1.0.0 Destructive plugin: capable of deleting media files from the device\r\nPushMessage 1.0.0 Plugin simulates incoming push messages that contain a specified URL\r\nScreen_cap 2.0.0 Screen capture plugin\r\nShellCommand 3.0.0 Executes shell commands\r\nSMSDelete 1.0.0 Destructive plugin: deletes specified SMS messages\r\nSoftInfo 2.0.0 The plugin exfiltrates the list of installed apps and running processes\r\nWifiDelete 1.0.0 Destructive plugin: deletes Wi-Fi network configuration profiles\r\nWifiList 2.0.0 Wi-Fi network data exfiltration plugin\r\nThe threat actor significantly increased the list of plugins and paid a lot of attention to destructive functionality. The table below shows the similarity between plugins that were reported in 2020 and plugins for the most recent Core version. 
Similar plugins are highlighted with green color.\r\n2020 report Current report\r\n  AppDelete\r\nbaseinfoaaa.dylib BaseInfo\r\n  Bootdestroy\r\nbrowser Browser\r\n  BrowserDelete\r\n  cameramodule\r\n  ContactDelete\r\n  DeleteKernelFile\r\n  DeleteSpring\r\nEnvironmentalRecording EnvironmentalRecording\r\nFileManage FileManage\r\n  ios_line\r\n  ios_mail\r\nios_qq ios_qq\r\nios_telegram ios_telegram\r\nios_wechat ios_wechat\r\n  ios_whatsapp\r\nKeyChain KeyChain\r\n  landevices\r\nlocationaaa.dylib Location\r\n  MediaDelete\r\n  PushMessage\r\nScreenaaa Screen_cap\r\nShellCommandaaa ShellCommand\r\n  SMSDelete\r\nSoftInfoaaa SoftInfo\r\n  WifiDelete\r\nWifiList WifiList\r\nWe will not cover the detailed functionality of all the plugins here. The full report, which contains all technical details, is available to customers of the ThreatFabric Fraud Risk Suite. Please contact us for additional details.\r\nThat being said, four plugins deserve mentioning.\r\nBootdestroy plugin\r\nThis plugin is responsible for preventing the system from booting up. The plugin consists of two parts: a main binary file and a shared library file “zt.dylib”. The main part will load the library file and will try to find the symbol “zt”, which is a function that will spawn a shell and execute the following shell command: /usr/sbin/nvram auto-boot=false.\r\nDeleteKernelFile plugin\r\nThis is another destructive plugin: upon receiving the command, it will rename the Wi-Fi daemon file from /usr/sbin/wifid to /usr/sbin/__wifid and kill the “wifid” process.\r\nThe threat actor called that \"Paralysis\".\r\nios_mail plugin\r\nThis plugin targets a specific mail client application called Mail Master by NetEase. 
The application supports upstream accounts from different parties such as Outlook and QQ, so it could act as an aggregator for all of a victim’s mailboxes.\r\nThe plugin can locate the Mail Master home folder by searching for it using the bundle ID \"com.netease.mailmaster\".\r\nTo extract the data, the plugin will parse the following application database files: “contacts.db” and “ghmail.db”. To do so, the plugin will execute SQL queries against those database files.\r\nAs a result, the plugin will send the victim’s account information, messages, and attachments to the control server.\r\nPushMessage plugin\r\nThis plugin can generate fake push notifications with the specified text. It will communicate with the Core using the WebSocket library. The plugin will open port 8087 and will connect to port 9600 of the Core; it will then send the text that came with the command to the port of the Core.\r\nThe Core part, which is libcynject.dylib, will listen for incoming connections and will check from which port the connection came:\r\nIn case the connection comes from port 8087, the Core will call the function “pushwindowd”, which will create an alert window using the iOS API with the specified text and a button with the text “OK”:\r\nInfrastructure\r\nDuring our investigation, we found that the threat actor(s) used self-signed certificates to set up the infrastructure on IP address 103.27.109[.]217.\r\nUsing open-source intelligence, we found several servers that broadcast the same self-signed certificate. To figure out which servers were related to the iOS campaign, we made a GET request using the following pattern: hxxp://{IP}:52202/963852741/ios/version.json. If the server responded with a valid JSON file that contained information about the Core, we assumed that this IP address belonged to the iOS campaign. 
As a result, we came to the following infrastructure:\r\nIP ASN\r\n103.43.17[.]99 132883\r\n103.27.109[.]217 132883\r\n43.248.136[.]110 23650\r\n222.219.183[.]84 4134\r\n103.27.109[.]28 132883\r\nWe found that for the IP address 103.27.109[.]217 there were two open ports that hosted administration panels: 3458 and 53501. We reported the analysis of those panels in our blog post.\r\nWe checked whether those control servers could host administrator panels. It turned out that only 222.219.183[.]84 had a working panel:\r\nVictimology\r\nThe design of the LightSpy iOS infection chain lets us formulate the hypothesis that the first stage exploit URL was integrated into some legitimate or specially crafted web page. Victims had to visit such a page by themselves.\r\nIn 2020, security researchers noted that a watering hole attack vector was used. It seems that the same attack vector could have been used for the LightSpy versions described in this report; however, we do not have any evidence for that.\r\nWe guess that, since the whole LightSpy iOS tool set was designed to support a small list of iOS versions, the corresponding watering hole pages might have existed for a limited time frame.\r\nAs we reported in our blog post, one of the control servers had bad operational security, which led to data leakage. It means that everyone could access the data which was exfiltrated from the victims. It turned out that this server logged 15 unique victims, and 8 of them were iOS devices. All those devices were infected with LightSpy Core version 7.9.0, which we described in this report. 7 out of 8 affected devices were connected to the following Wi-Fi network: Haso_618_5G.\r\nWe believe this could be interpreted as a test network. In some cases, the device's IP address was spoofed using a VPN connection. 
3 of 8 devices had Hong Kong phone numbers, 3 of 8 had Chinese phone numbers, and 2 of 8 had no phone number detected. Only one victim looks real, and it is also located in China; the last online timestamp for that victim was Wednesday, 26 October 2022.\r\nAttribution\r\nSince all the LightSpy binaries that we downloaded from the C2 server contained information about source code file paths, we tried to estimate how many developers worked on the project.\r\nWe assume that developers had a guide on how to name their dev-box usernames, so we got three different username patterns: “air”, “mac” and “test”. At the same time, the source code subfolder paths differ within the same user account. For example, user “air” hosted the source code in the “work/znf_ios” subfolder and in the “Project” subfolder. It might be the case that there were two different machines with the same username “air” but with different source code folder structures.\r\nCore source code path patterns:\r\nPath 1: /Users/air/work/znf_ios/ios/\r\nPath 2: /Users/mac/dev/iosmm/\r\nPath 3: /Users/mac/hs/Xcode.app\r\nPath 4: /Users/air/work/RootFS\r\nPath 5: /Users/air/test/light/light/\r\nWe can observe the same picture with the plugins’ source code file paths.\r\nPlugins source code path patterns:\r\nPath 1: /Users/air/work/English/{plugin name}\r\nPath 2: /Users/air/Project/{plugin name}\r\nPath 3: /Users/air/work/znf_ios/ios/ios_app/ios_framework/{plugin name}\r\nPath 4: /Users/test/project/{plugin name}\r\nAnother interesting developer footprint is the header files which we found inside plugin files. Xcode automatically inserts user and organization names into header files which the developer creates during the coding process. Normally those files should not be embedded into the production binary file; however, some of the plugins for LightSpy iOS contained such a header file. 
Using those header files, we found six different development environments.\r\nInterestingly, in some cases it was possible to distinguish macOS region properties, as Xcode automatically attached a Chinese character that could be translated as “year”.\r\nLocale Username Organization name\r\nEnglish mac mac\r\nChinese mac mac\r\nEnglish rio Adobe\r\nEnglish air air\r\nChinese test test\r\nChinese Nengfeng Zhu mac\r\nIn summary, based on the header data together with the source code paths, we assume that there were at least three developers: two were focused on plugin development and one was a lead developer focused on the Core and the privilege escalation part.\r\nConclusion\r\nThe LightSpy iOS case highlights the importance of keeping systems up to date. The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices. However, using \"1-day exploits\" (exploits disclosed publicly) provides only a short window for attackers to target victims, without guaranteeing a successful takeover.\r\nTypically, security researchers follow a responsible disclosure process, publishing details only after vendors release updates to the majority of affected devices. This allows most victims to update their devices before attackers learn about the vulnerability. Unfortunately, this process isn't foolproof. Some users, particularly in regions like China, may not receive updates due to restrictions from the “Great Firewall,” leaving them vulnerable until they can access a new device with an updated iOS version.\r\nAnother notable feature of LightSpy iOS is its destructive capabilities, such as wiping the contact list or disabling the device by deleting system-related components. 
This suggests that the threat actors valued the ability to erase attack traces from the device. Interestingly, only one control server contained these destructive options, while others had a more limited feature set. This may imply that the destructive features were a \"demo\" intended to showcase capabilities to potential LightSpy customers.\r\nFinally, an interesting observation was found in the location plugin. The plugin contains a function that recalculates location coordinates according to a system used exclusively in China, strongly indicating that LightSpy operators are likely based in China.\r\nSince the threat actors use a \"Rootless Jailbreak\"—which doesn’t survive a device reboot—a regular reboot can be a best practice for Apple device owners. While rebooting won’t prevent reinfection, it may limit the amount of information attackers can exfiltrate from the device.\r\nAppendix\r\nIndicators of compromise\r\n
31\n\n604aaee47b82b873fd7c0645813fc587948bdd86a4efd6b7761a7b46f0f1a262\r\nContactDelete\r\n15528f109da5ffd687e41eb1a193ff28711bc6054a538b7ba58eef3fbaf10b09\r\nDeleteKernelFile\r\ndb66cd7f1a84d29977af4c9eecc36c84e42903766401a2760ea4321b71ba92ff\r\nDeleteSpring\r\n2af751cc194213a40aa8b1cd6f589da260cea81c0509bd694ae28dfca87cd160\r\nEnvironmentalRecording\r\n4aada58332ee97163bbd04754d85fb08df67fc6c1bfade8f041550a2a7c69128\r\n5bdcd83c8561255764f91fda531e8cbdda808600eb75758e44e66df3d1ae1311\r\na236291133f6ba262d5531bfa7840f07489a948c3dcf18865f2a0612f4890064\r\nFileManage\r\n1218ea3d7e16af38f3aec50a3011f69df51b1347145dcb74b67927a3af971ae1\r\n7802b373a8c26211d0c2624910a414555fbc509d46ab9fb8aad5f2686d98dd8e\r\nios_line\r\n152a7b8c6a203f4e0d38b7a82257f186f03dd8a1182b614c6bb5630a9342c37d\r\n6d22cb1bc700b00ea23041566de48d6e13ac7cf9f0680c8d3148cd10fa2c2c77\r\nc5d84c20a379320bd06ab09ed84c5cd2003cbb0e518f561853fc0c9f9970d49a\r\nios_mail\r\nb7dd27414ba4afddaf946e4ab9d8d775a511f3ad99933bde19456216477f3716\r\nios_qq\r\naa81f6dc28086656a6e69c7a696e6fedf6e35b242dc072ee7960449c806af7ae\r\ndc9aa56c3e2237b756233ef4547cd64e7aa6c547a7ca13833b73e774e79a6d6d\r\nios_telegram\r\n9c86203004ed0a519d8dcc674fd0e4b1b736289ea5f33e37b4dddd111767fd37\r\nc380de365c6a91adc5db9642eb63a305fbc1bd01d2a0037f7511d48694a1e079\r\nhttps://www.threatfabric.com/blogs/lightspy-implant-for-ios\r\nPage 29 of 
31\n\nios_wechat\r\n6ad214703eed1105fe282a8b5e961205e735c1ed7d2bd3a624032a7d1063621a\r\nbdfb0e52ebb6f79d37736fab0150cfb96e2965d62c242adc830b6aab7b1d37db\r\ndee36d6a25dfa2c8e8a22e99138a650cddee0089a006c703b85b253153f9b22c\r\nios_whatsapp\r\n0d23ab0ad7dc6f7ead847d92631349a387b6b365057ecae3038dda4763448d9e\r\n90ac267222e38ce06724527fb780816db57bef12b939d37d6d827b826fa909d7\r\nKeyChain\r\n3078a4d36bb1eaad82f54e8e93be89eaa5cd5d25c709605edbf29b60c293d848\r\n8b686507065623248f8292524195c39d4ae94e2a7a1315bb9d8a22178a5b1942\r\nlandevices\r\n7fe822ef8e51efece5c0c6540aeeb454985ab91518aad12c6bf24c025a0350fe\r\nab2e44005cb63c0c506288b9e63abb254e83b8f3bb1f1349a4cb02a45bdc47f4\r\nLocation\r\n4163f6a184b0f1f23db81d2c3ab5e4ef305eb1967905efca01eacd51e4fbf55d\r\n562ae257506a25de48019cb13947090d164181ba4e107ea19a0ab8274ad696df\r\nMediaDelete\r\nddd950ddceff147922cef44f781c2c4b77b6e803613f83761ee6d5e2bb1450b7\r\nPushMessage\r\n0f651fcf352fbf929e639a825145b68ece8cfcd09359fe8fe017b07e1e0dcfca\r\n3c3aca2a6d4a4f7210c869affe55e05b55c110d53fc3fb9d46cb2847fb115238\r\nScreen_cap\r\na3fcaf7b16ea46100c1cadbbf770492de07633afb4720c78fd1981627aa9f3c6\r\ne3fc4fa2903e5f1039145913d9054a0f6ccb76afa07add3a00f71f7433b740ab\r\nShellCommand\r\n1662207a892ed36af2012870aaaf884985a0ebe0e92be60c5d9c84ffe78e8cba\r\nhttps://www.threatfabric.com/blogs/lightspy-implant-for-ios\r\nPage 30 of 
31\n\nc4e5dc5f301a5be652b4cf491c7337dd0d15f4b09982e5a361d06dccba95a32d\r\nc94e28acf97eb774da50d4fbd17f2d9dc5f390b193fbf417750c68ed77ffbf46\r\nSMSDelete\r\n6a5d7e2c950960d9a541ff27e9c74185d27564f879d42f261f70f8f7cb70b5ce\r\nSoftInfo\r\n2689e08a103682095ef8eba016f28909199cb4365b84c815183be64686a11084\r\n55f1e618ad53489a2cab0744381d92a5d97c3e0355a9a912eb616c37b9b914d9\r\nWifiDelete\r\n98dc1fb1773277bbea2bdeaf88b1ece101b5b0e7aec2857017268001a6996e9f\r\nWifiList\r\n32f2348a5cd8de57f3b1c6b68f4b95c4e1c9d2b55f257bd0c2deca7f81ad1c4c\r\n690b7c2017de6dacfeed4f6ec70403ba7fa10cc457eb996ed4cac1b4d4ac27cf\r\nzt.dylib\r\na4fafd63213a40447841e853f341ca3a0afd08adfcfb630c8f34b5fabfac0462\r\nSource: https://www.threatfabric.com/blogs/lightspy-implant-for-ios\r\nhttps://www.threatfabric.com/blogs/lightspy-implant-for-ios\r\nPage 31 of 31",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.threatfabric.com/blogs/lightspy-implant-for-ios"
	],
	"report_names": [
		"lightspy-implant-for-ios"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f068f1cba4a7f79f5f27f000513fcf05c4abf456.pdf",
		"text": "https://archive.orkl.eu/f068f1cba4a7f79f5f27f000513fcf05c4abf456.txt",
		"img": "https://archive.orkl.eu/f068f1cba4a7f79f5f27f000513fcf05c4abf456.jpg"
	}
}