{
	"id": "51386f7d-1b0b-49fa-8f26-73dba1bfe841",
	"created_at": "2026-04-06T00:11:26.068543Z",
	"updated_at": "2026-04-10T13:11:33.314373Z",
	"deleted_at": null,
	"sha1_hash": "f63f6509fe4d203b9b13892ba5c1eeb527241f57",
	"title": "LightSpy mAPT Mobile Payment System Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7506967,
	"plain_text": "LightSpy mAPT Mobile Payment System Attack\r\nPublished: 2024-10-01 · Archived: 2026-04-05 18:33:41 UTC\r\nIn July 2023 our colleagues from Lookout posted a report about two families of spyware: DragonEgg and WyrmSpy;\r\nresearchers attributed both families to the Chinese APT-41 group. We performed our own investigation and linked\r\nDragonEgg to the sophisticated iOS implant LightSpy and its Android component, which was reported by TrendMicro and\r\nKaspersky in 2020. During our investigation, we obtained the Android implant Core and its 14 related plugins from\r\n20 active servers; two of those plugins revealed new TTPs that were not published before. \r\nResearch Summary\r\nThreatFabric discovered the Core of the LightSpy (aka DragonEgg) Android implant and a set of 14 plugins that\r\nare responsible for private data exfiltration\r\nLightSpy was a fully-featured modular surveillance toolset with a strong focus on victim private information\r\nexfiltration such as fine location data (including building floor number) and sound recording during VOIP\r\ncalls \r\nLightSpy is capable of payment data exfiltration from WeChat Pay backend infrastructure \r\nLightSpy is capable of hooking audio-related functions from WeChat to record the victim's VOIP conversations\r\nLightSpy and AndroidControl (aka WyrmSpy) shared the same infrastructure; AndroidControl could be a\r\nsuccessor of LightSpy. \r\nThe threat actor group had active servers in China, Singapore, and Russia\r\nWe revealed that potential targets of the threat actor group could be in the APAC region\r\nBackground\r\nAfter reading the Lookout report, two questions remained unanswered for us:\r\nFirst question: Was DragonEgg connected to LightSpy? Inside the code of the provided samples, we noticed the usage\r\nof the word \"Light\". The second question was: are there more active control servers that remained unnoticed by the\r\nsecurity industry? 
\r\nTo confirm or reject our theories we decided to start our own investigation. As a starting point, we fully reverse-engineered the samples behind the provided hashes, and it turned out that the provided samples were two stages of the infection chain: one\r\nstage loads and executes functions from the other. Those stages are not always standalone applications but plugins\r\nfor one another.\r\nThe first stage was a patched Telegram messenger, and the main function of the injected code was downloading the\r\nsecond stage file, which was called \"smallmload.jar\". The samples of that jar file were among the provided files from\r\nthe report. It was clear that smallmload.jar was capable of downloading something unknown which is called T1. So\r\nthis T1 became our main goal. We extracted the network-related pattern that relatively uniquely identifies the threat\r\nactor infrastructure: for the communication with C2 two different non-standard ports were used, 52202 and 51200.\r\nhttps://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack\r\nPage 1 of 24\n\nLightSpy configurations\r\nT1|http://103.43.17[.]53:52202/963852741/mmfile/ads/|103.43.17[.]53:51200||S13|377|423\r\nT1|http://118.193.39[.]165:52202/963852741/mmfile/ads|118.193.39[.]165:51200||S3|telegram|2|1\r\nT1|http://121.201.109[.]98:35902/963852741/mmfile/ads|121.201.109[.]98:35900||S3|telegram|18|186\r\nTogether with those two ports, we extracted from the samples the URL where the second stage payload\r\nsmallmload.jar should be hosted:\r\nhttp://118.193.39[.]165:52202/963852741/mmfile/ads/smallmload.jar\r\nWe searched for hosts which served ports 52202 and 51200 and on which smallmload.jar was available for\r\ndownloading by the path above. \r\nLuckily there were 20 such servers online; some of them had the same port numbers and others had similar ports like\r\n43201, 43202, 43203, 21202. 
\r\nWe were able to download second stage (smallmload.jar) payloads from those servers with the following hashes:\r\n407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c\r\nbd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99\r\n407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c remains poorly detected.\r\nWe assumed that if smallmload.jar is still available on multiple servers, the third stage - T1 (or as it is called inside the\r\nsecond stage - Core) could also be available. \r\nTo confirm that assumption we analysed those two samples that we downloaded and found that smallmload.jar will\r\nquery the C2 server for the following file: http://{C2host}:52202/963852741/mmfile/ads/version.txt\r\nAs a result, the server will respond with a version.txt file which contains key-value constants describing the payload,\r\nfor example:\r\nThese three fields mean the following:\r\ndate: This field is not used in code, however using this parameter we can track the timeline of LightSpy\r\ndeployment more accurately, similar to analyzing the file timestamps inside the payloads\r\nfilename: The file name that smallmload.jar should download from the server\r\nmd5: Hash of the file for the consistency check.\r\nSmallmload.jar will download a file with the provided file name and will call functions from that file.\r\nSo the main field for us was the filename, which we should try to download from the C2 server. \r\nAs we had already found two dozen control servers, we tried to query those servers for the same txt file. The servers\r\nresponded with the payload description file “version.txt”. Those text files sometimes contained different dates and\r\ndifferent MD5s. We downloaded all the Core files and extracted versions. 
While correlating the data from the\r\nconfiguration file, the version that was hardcoded into the payload, and the zip archive timestamps, we came to the\r\nconclusion that the threat actor group has been active for quite a long time. The earliest date that we observed was 11th\r\nDecember 2018 and the latest 13th of July 2023.\r\nNine of the twenty servers that we revealed during our investigation returned the same configuration that contained\r\nthe following MD5 hash e444c12808ef037487a50b0bb42e4145 and the name “bbbb.jar”.\r\nThe hash e444c12808ef037487a50b0bb42e4145 represents the LightSpy core version 6.5.24 which is supposed to be\r\nthe most recent one. We will cover this version in this report.\r\nTechnical analysis\r\nThe LightSpy core\r\nThe LightSpy core as a payload cannot run as a standalone application, as it is technically speaking also a plugin. At\r\nthe same time, it turned out that the Core is responsible for the orchestration of all the functions that are crucial for the\r\nwhole attack chain.\r\nThe main goals of the Core are:\r\nGathering the device fingerprint\r\nEstablishing a full connection with the control server\r\nRetrieving commands from the server\r\nUpdating itself and the additional payload files, or as they were originally called, plugins\r\nLooking ahead we can say that the Core is even responsible for exporting the C2 communication function that will be\r\nused inside the code of LightSpy plugins, which is the main story of this report.\r\nWe can also reveal the structure of LightSpy as modular spyware:\r\nLightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware using the\r\nupdatable configuration. To store that configuration, commands, and plugin data the Core will create a SQLite\r\ndatabase named “light2.db”. 
The database structure is the following:\r\nTable name Description\r\nt_config LightSpy configuration including control server address and port\r\nt_plugin Plugin-related information including the URL address for each plugin\r\nt_app Carrier application permission status list (for example infected Telegram permission list)\r\nt_command_record\r\nt_transport_control Network configuration for each command (commands could be executed using Wi-Fi or Cellular network, or using both network types)\r\nt_dormant_control Timetable for each day, hour, and minute when LightSpy should operate or sleep\r\nt_command_plan Configuration for C2 commands for the Core and plugins, including execution frequency\r\nThe core will provide its status to the operator as well as the status of plugins, and their versions if they were\r\nsuccessfully downloaded.\r\nLightSpy can receive several commands within one request and insert them into the so-called Command plan –\r\nt_command_plan table. 
The Core will fetch that table and execute each command using the corresponding frequency.\r\nDuring our investigation, we received the following set of commands as the initial set:\r\n{ \"cmd\":10021, \"command_list\": [ 13002, 18001,  18002,  19002, 19003 ] }\r\nLightSpy Core communicates with its C2 in two ways:\r\nWebSocket is used for command delivery and control.\r\nFor example, the list of URLs with plugins is delivered through the WebSocket channel.\r\nHTTPS channel is used for exfiltrating data.\r\nFor example, execution logs with exceptions and exfiltrated camera shots are uploaded through the HTTPS channel.\r\nFor both communication channels, the same host and port are used.\r\nWhen all the communication with C2 has been established, LightSpy will send extensive fingerprint information\r\nabout the infected device which includes the full device specification, and cellular and Wi-Fi network information. \r\nTechnically the Core does not contain special spyware capabilities except fingerprinting of the device. In the\r\nmeantime, there are several notable sections of the code which we have to cover:\r\nDormant configuration that controls when the Core should wake up and exfiltrate the data or communicate\r\nwith C2. When the Core starts it fetches the initial configuration which contains all the weekdays and\r\ncorresponding constants. The Core will parse those constants using bit masks:\r\nNetwork configuration for each command: using this command the operator can change the way LightSpy\r\nwill communicate with its C2 for each plugin and command.\r\nLightSpy Core supports 24 different commands, one of them - CMD_GET_UPDATE (10005) - was the most\r\ninteresting. With this command, the operator can force the Core to update itself and update plugins. The C2 will\r\nrespond with JSON containing the list of the plugins. 
The JSON will contain the version, name, execution\r\narguments (if applicable), execution entry point (class), URL to download, and MD5 hash to check for consistency. \r\nWe tried to query all the C2 servers for such a list of plugins and the result was almost the same for each C2.\r\nThe LightSpy plugins \r\nAn interesting detail is that criminals used payload decryption inside the Core to process the payloads. The decryption\r\nprocess involves a one-byte XOR used with the key stored inside the encrypted payload, so having the payload\r\nalone is enough to decrypt it. \r\nThe same decryption was inside the second-stage downloader (smallmload.jar) for the Core decryption.\r\nAt the moment of research, the list provided by the C2s contained 14 different plugins:\r\nPLUGIN VERSION Brief description \r\nsoftlist 3.3.3 Exfiltrates the list of installed/running applications and active usernames using toolbox/toybox utility and superuser access\r\nbaseinfo 2.3.4 Exfiltrates contact list, call history, and SMS messages. Can send and delete SMS messages by the command\r\nbill 1.2.18 Exfiltrates payment history from WeChat Pay \r\ncameramodule 2.6.1 Takes camera shots. 
Can do one shot, continuous shot, or some event-related shot (for instance phone call)\r\nchatfile 1.3.4 Exfiltrates data from different messengers’ folders \r\nfilemanager 3.0.5 File exfiltration plugin\r\nlocationmodule 2.6.5 Precision location tracking plugin\r\nlocationBaidu 2.6.6 Another location-tracking plugin using different frameworks and Android native APIs\r\nqq 5.1.71 Tencent QQ messenger database parsing and exfiltration plugin \r\nshell 2.2.4 Remote shell plugin\r\nsoundrecord 2.7.4 Sound recording plugin: environment, calls, VOIP calls audio exfiltration \r\ntelegram 7.3.221 Telegram messenger data exfiltration plugin\r\nwechat 6.7.271 WeChat data exfiltration plugin\r\nwifi 2.3.3 Wi-Fi network data exfiltration plugin\r\nWe will not cover the detailed functionality of all the plugins here. The full report which contains all technical details\r\nis already available for the subscribers of ThreatFabric Fraud Risk Suite. Please contact us for additional details. \r\nAt the same time, three plugins deserve mentioning.\r\nLocationmodule plugin \r\nThis plugin is responsible for location tracking. The operator can request the current location as a snapshot or can set\r\nup location tracking during specified time intervals. For the geofencing mode, it’s possible to configure the accuracy\r\nor power-saving mode to minimise battery consumption.\r\nThe plugin is based on two different location-tracking frameworks:\r\n1. Tencent location SDK\r\n2. 
Baidu location SDK\r\nThose SDKs are capable of tracking victims using the GPS module of the device as well as Wi-Fi and GSM modules:\r\nMoreover, those SDKs can track victims inside buildings, including the current floor, giving the possibility to spot\r\nvictims with extreme accuracy:\r\nSoundrecord plugin\r\nThis plugin is responsible for recording audio. \r\nIt’s capable of starting immediate microphone recording by a command using a specified duration (interval). \r\nThe plugin can also start microphone recording in case of incoming phone calls.\r\nDepending on the Android version the plugin can act differently:\r\nIn case the device’s Android version is above Android 9, the plugin will initiate microphone recording using the regular\r\nJava API (the corresponding class is PCSR_9) using the AudioRecord class:\r\nIf the Android version is below 9 the plugin will use a native library (the corresponding class is PCSR_2). Inside the\r\nplugin archive, there is a library called libacr.so. This library exports recording start/stop functions.\r\nThis library contains obfuscated strings. The encryption is a combination of Base64 and one-byte XOR, using key\r\n0x1a.\r\nDepending on the device manufacturer, the plugin will start the recording using the start7 or start3 native function. These\r\nfunctions will search the address space of the current process for the Android native libraries libmedia.so or\r\nlibaudioclient.so. 
The plugin will call the function getInputPrivate to initialise audio parameters from the AudioRecord\r\nclass and the function get_audio_flinger from the AudioSystem class to create the audio recording.\r\nThe plugin is also capable of recording WeChat VOIP audio conversations.\r\nThe way that the functionality is performed is quite unique. Such a recording is also created using a native library\r\nwhich is called libwechatvoipCoMm.so.\r\nThe libwechatvoipCoMm.so library is based on the Dobby hook framework. Using that framework, the plugin will hook\r\nthe following functions: global_init, global_recordCallBack, global_playCallBack, global_uninit from the\r\nlibvoipMain.so library. This library belongs to WeChat messenger. So, the plugin will modify those functions so that\r\nthe VOIP call will also be recorded.\r\nThere might be two cases where such functionality is possible: \r\n1. The device was rooted, the SU binary was onboard and LightSpy will abuse superuser privileges \r\n2. The carrier application was WeChat, so the implant is loaded into the same address space as WeChat.\r\nThe threat actor provided the code for both possibilities: the libwechatvoipCoMm.so library will search for the WeChat\r\naudio library inside its own memory address space as well as the whole system address space using the proc file system:\r\nThe developer left some debugging information inside libwechatvoipCoMm.so:\r\nG:/android/znf_android/Recorder/soundrecord_plugin/SoundRecord/src/main/cpp/Dobby/source/core/arch/CpuFeature.cc\r\nThis information contains the developer's working directory and source code file names. 
\r\nFinally, the plugin will insert a custom header into each recorded audio file: #!AMR.\r\nBill plugin\r\nThis plugin is responsible for crawling the payment history of the victim from WeChat Pay (Weixin Pay in China).\r\nSuch a history will contain the last bill ID, bill type, transaction ID, date, and payment processed flag.\r\nTo perform such functionality the plugin will create a WeChat web view, opening the following URL address:\r\nhxxps[:]//wx.tenpay[.]com/userroll/readtemplate?t=userroll/index_tmpl\u0026cid=1474\r\nUsing IPC communication with this web view, the plugin will authenticate itself inside the WeChat Pay infrastructure.\r\nThe plugin has a configuration indicating which web view name to call from the WeChat application depending on\r\nthe version of WeChat:\r\nAs with the soundrecord plugin, such communication could be possible using superuser privileges or while LightSpy\r\nwas loaded into the WeChat address space. \r\nAfter successful authentication, the plugin will store CSRF tokens to be able to directly communicate with the WeChat\r\nPay infrastructure. Using that token the plugin will perform an HTTPS request asking for the last 20 transactions of the\r\nvictim. As a result, the plugin will receive the transaction IDs, which the plugin will then use for the next requests to\r\nthe WeChat Pay system to finally get transaction details.\r\nInfrastructure\r\nWe found that the LightSpy infrastructure contains several dozens of servers located in mainland China, Hong Kong,\r\nTaiwan, Singapore, and Russia. As some servers return different commands and payloads, we can probably say that\r\nfor each campaign attackers used different IP addresses or domains. 
At the same time, as some servers return the\r\npayload, which is supposed to be compiled in 2018, we assume that the attacker can reuse the same infrastructure for\r\nseveral attack campaigns. Another hypothesis about long-living servers is that often people in the security industry do\r\nnot find/disclose those servers, so there is no need to change the IP addresses.\r\nWhile we were analysing the LightSpy infrastructure we found two notable findings:\r\nConnection between LightSpy and AndroidControl (WyrmSpy)\r\nWe took the IP address that was hardcoded into the Core; the same IP address was disclosed inside the Lookout\r\nreport.\r\nIt turned out that port 35900 was closed, and the host did not respond to LightSpy requests. At the same time, there\r\nwere several open ports that served HTTPS.\r\nPort 11090 had an HTTPS server which was secured using an expired certificate with SHA256 fingerprint\r\nf0fc2c418e012e034a170964c0d68fee2c0efe424a90b0f4c4cd5e13d1e36824\r\nThere were two more hosts with the same services and the same certificate. Both hosts had port 443 open, which\r\nserved an admin panel called AndroidControl v1.0.4\r\nThere was a third host with the same favicon (MD5 hash 542974b44d9c9797bcbc9d9218d9aee5) that hosted the same\r\npanel. 
The panel on this host was misconfigured, disclosing the backend endpoints that should be used for\r\ncommunication between frontend and backend:\r\nThe first interesting point is the “control” endpoint; such an endpoint was inside the WyrmSpy samples that were\r\nreported by Lookout.\r\nTo confirm that these three hosts are related to WyrmSpy we made a simple request to the “control” endpoint and saw\r\nthe same results:\r\nIn the code of WyrmSpy we can see that it is expecting a response to its request containing the field “suc”:\r\nSo, all three hosts were active C2 of WyrmSpy, or as it was named by attackers AndroidControl or androidRat.\r\nSince the panel was based on Django which was in debug mode, it disclosed some internal information such as an\r\ninternal folder where the whole frontend and backend files were stored on the server as well as another IP address\r\n47.115.7[.]112:\r\nLightSpy panel\r\nOne of the C2s served port 53601; the service contained an admin panel:\r\nThe panel was based on VUEJS and under the hood we have not found any notable artefacts except the structure of the\r\npanel. The functionality of VUEJS nodes remained unclear.\r\nVictimology\r\nIt turned out that many LightSpy C2 servers shared the same certificate to encrypt the communication between C2\r\nand the implant. The certificate with SHA-256 fingerprint\r\nc0d4517e0727e94887d3b8a2c6c69938930995a8bcf37c9dafbd3a86b042417c was used not only on C2 hosts but also\r\non one other host which had a service with the HTML title \"Telegram\". We found another server with the same favicon\r\nMD5 hash and HTML title. 
The server had several open ports and one of them, 92, contained PII data that, as we\r\nsuppose, is related to LightSpy exfiltrated information.\r\nThe table below contains the sender number, receiver number, SIM serial number, message text, and the date. As we\r\nalready know, information of such a type could be exfiltrated by LightSpy. We can guess that the table represents\r\nthe testing numbers of LightSpy developers or victims’ phone numbers. The table consists of 13 unique phone\r\nnumbers; we assume that it is too much for testing. All 13 phone numbers belong to Chinese cell phone operators.\r\nAttribution \r\nThe attribution made by Lookout using one of the control servers of WyrmSpy was uncompromising, and we do not\r\nquestion it. However, we would like to put the story delivered by Lookout under the same umbrella as\r\nLightSpy, which was reported by TrendMicro and Kaspersky. \r\nThere were at least five clues that confirmed that both DragonEgg (according to Lookout classification) and LightSpy\r\n(according to TrendMicro classification) came from the same developers. 
\r\nFirst Clue: unique ID\r\nThe first clue that attracted our attention was the peculiar number contained in the C2 path where the DragonEgg\r\npayloads and plugins were hosted:\r\nhttp://103.43.17.53:52202/963852741/mmfile/ads/\r\nThe same number was used for distributing the exploit landing page for LightSpy:\r\nSource:\r\nhttps://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/\r\nThe same number was inside the LightSpy file payload.dylib (MD5 hash 4fe3ca4a2526088721c5bdf96ae636f4), it\r\nwas located inside plugins URLs:\r\nhttp://45.83.237.13:8088/963852741/hh1212/browser\r\nSecond Clue: word light\r\nBoth DragonEgg and iOS LightSpy contain this word inside the code \r\nDragonEgg:\r\nLightSpy iOS:\r\nThird clue: configuration\r\nBoth Android and iOS versions share the same configuration pattern: three parameters divided by a vertical line |, with the first\r\nargument starting with the letter “S”:\r\niOS LightSpy:\r\nAndroid LightSpy:\r\nT1|http://103.43.17.53:52202/963852741/mmfile/ads/|103.43.17.53:51200||S13|377|423\r\nFourth clue: runtime structure and plugins\r\nBoth Android and iOS LightSpy share the same runtime structure: the core with dynamically updatable modules. Even\r\nsome module names sound the same; we marked the same-sounding plugins with bold text.\r\nAndroid Plugin set iOS Plugin set\r\nbaseinfo baseinfoaaa.dylib\r\nfilemanager FileManage\r\nqq ios_qq\r\ntelegram ios_telegram\r\nwechat ios_wechat\r\nshell ShellCommandaaa\r\nsoftlist SoftInfoaaa\r\nwifi WifiList\r\nlocationmodule locationaaa.dylib\r\nlocationBaidu  \r\nsoundrecord EnvironmentalRecording\r\nbill light\r\ncameramodule Screenaaa\r\nchatfile 
launchctl\r\nirc_loader\r\nircbin.plist\r\nKeyChain\r\nbrowser\r\nFifth clue: C2 communication \r\nBoth Android and iOS LightSpy send JSON data to the server; this JSON contains the command ID and the execution\r\nresult:\r\nAndroid LightSpy:\r\niOS LightSpy:\r\nThe API endpoints also look the same.\r\nFor example, both Android LightSpy and iOS LightSpy exfiltrate the list of nearby Wi-Fi networks to the\r\nsame backend API endpoints:\r\niOS LightSpy:\r\nAndroid LightSpy:\r\nConclusion\r\nThe way the threat actor group distributed the initial malicious stage inside a popular messenger was a clever trick. There\r\nwere several benefits of that: the implant inherited all the access permissions that the carrier application had. In the\r\ncase of a messenger, there were a lot of private permissions such as camera and storage access. The implant may remain\r\nunnoticed for a long time, since if the victim loaded the infected messenger from a third-party store it probably may\r\nnot be updatable from an original trusted source such as Google Play. LightSpy may access internal private\r\ninformation from the messenger including the communications archive, contacts list, and stored files, which is extremely\r\nimportant in case superuser privileges are unavailable on the device. We assume that such a technique, when\r\nmessengers are carriers of malicious code, is extremely dangerous as well as hard to detect.  \r\nThe threat actor group showed a deep knowledge of Android OS internals, as the native sound recording APIs are something\r\nthat not every Android developer faces during his duties, but only if he is involved in operating system\r\noptimisation for usage on particular hardware. 
\r\nWe suppose that the threat actor group remains active since during our investigation we noticed that new servers\r\nappeared in the wild, so we are warning that somebody could be under attack right now. We highly recommend\r\navoiding installation of software from untrusted sources that came from a spam message, even from a trusted\r\nsender (as sending messages was one of the features of the LightSpy plugin). \r\nAppendix\r\nIndicators of compromise\r\nControl servers:\r\nIPs\r\n103.27.108[.]207\r\n46.17.43[.]74\r\nFile hashes:\r\nSecond stage payload (smallmload.jar)\r\nSHA256\r\n407abddf78d0b802dd0b8e733aee3eb2a51f7ae116ae9428d554313f12108a4c\r\nbd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99\r\nThe Core\r\nSHA256 Version\r\n68252b005bbd70e30f3bb4ca816ed09b87778b5ba1207de0abe41c24ce644541 6.5.24\r\n5f93a19988cd87775ad0822a35da98d1abcc36142fd63f140d488b30045bdc00 6.5.24\r\nbdcc5fc529e12ecb465088b0a975bd3a97c29791b4e55ee3023fa4f6db1669dc 6.5.25\r\n9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd 6.2.1\r\na01896bf0c39189bdb24f64a50a9c608039a50b068a41ebf2d49868cc709cdd3 6.5.19\r\n77f0fc4271b1b9a42cd6949d3a6060d912b6b53266e9af96581a2e78d7beb87b 6.2.0\r\nd640ad3e0a224536e58d771fe907a37be1a90ad26bf0dc77d7df86d7a6f7ca0e 6.2.1\r\n3849adc161d699edaca161d5b6335dfb7e5005056679907618d5e74b9f78792f 6.2.6\r\n2282c6caef2dd5accc1166615684ef2345cf7615fe27bea97944445ac48d5ce4 5.2.1\r\nThe Plugins \r\nPlugin name SHA256\r\nsoftlist 7d17cdc012f3c2067330fb200811a7a300359c2ad89cdcf1092491fbf5a5a112\r\nbaseinfo cc6a95d3e01312ca57304dc8cd966d461ef3195aab30c325bee8e5b39b78ae89\r\nbill c6ccd599c6122b894839e12d080062de0fa59c4cd854b255e088d22e11433ef6\r\ncameramodule bace120bf24d8c6cfbb2c8bfeed1365112297740e2a71a02ea2877f5ffc6b325\r\nchatfile 
7d8a08af719f87425d1643d59979d4a3ef86a5fc81d1f06cfa2fd8c18aeb766b\r\nfilemanager e5bdeedac2c5a3e53c1fdc07d652c5d7c9b346bcf86fc7184c88603ff2180546\r\nlocationmodule bf338e548c26f3001f8ad2739e2978586f757777f902e5c4ab471467fd6d1c04\r\nlocationBaidu 177e52c37a4ff83cd2e5a24ff87870b3e82911436a33290135f49356b8ee0eb1\r\nqq f32fa0db00388ce4fed4e829b17e0b06ae63dc0d0fac3f457b0f4915608ac3b5\r\nshell e1152fe2c3f4573f9b27ca6da4c72ee84029b437747ef3091faa5a4a4b9296be\r\nsoundrecord c0c7b902a30e5a3a788f3ba85217250735aaaf125a152a32ee603469e2dfb39e\r\ntelegram 71d676480ec51c7e09d9c0f2accb1bdce34e16e929625c2c8a0483b9629a1486\r\nwechat bcb31d308ba9d6a8dbaf8b538cee4085d3ef37c5cb19bf7e7bed3728cb132ec1\r\nwifi 446506fa7f7dc66568af4ab03e273ff25ee1dc59d0440086c1075d030fe72b11\r\nSource: https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"
	],
	"report_names": [
		"lightspy-mapt-mobile-payment-system-attack"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f63f6509fe4d203b9b13892ba5c1eeb527241f57.pdf",
		"text": "https://archive.orkl.eu/f63f6509fe4d203b9b13892ba5c1eeb527241f57.txt",
		"img": "https://archive.orkl.eu/f63f6509fe4d203b9b13892ba5c1eeb527241f57.jpg"
	}
}