LightSpy Expands Command List to Include Social Media Platforms

First publicly reported in 2020, LightSpy is a modular surveillance framework designed for data collection and exfiltration. Initially observed targeting mobile devices, further analysis confirmed its ability to compromise Windows, macOS, Linux, and routers. LightSpy has been deployed in targeted attacks using watering hole techniques and exploit-based delivery, with its infrastructure frequently shifting to evade detection.

Findings

• Targeting of Facebook and Instagram application database files for data extraction.

• LightSpy deployment date (2021-12-31) is linked to a possibly unreported core version.

• Windows-specific plugins designed for system surveillance and data collection.

• Additional endpoints beyond the admin panel, including a likely testing route that briefly exposes authenticated session behavior.

Tracking LightSpy Infrastructure (Pt. 2)

In June of last year, we published research on tracking LightSpy servers via their TLS certificates and integrated a detection query into Hunt.io to automate identification. Since then, we have continued monitoring this infrastructure, with Hunt.io currently detecting eight active IPs, some of which were previously detailed in BlackBerry and Volexity's research on the DeepData variant of LightSpy.

In October, we posted on X/Twitter about two LightSpy servers---43.248.8[.]108 and 149.104.18[.]251---briefly sharing SSH keys with another detected C2, 43.248.8[.]76, as well as an additional IP, 149.104.18[.]80.

Among these, 149.104.18[.]80 is the most recent IP to appear in our scans as LightSpy and its command list modifications and infrastructure details will be the focus of this analysis.

Command List Expansion: What's Different?

LightSpy has been previously documented targeting messaging applications such as Telegram, QQ, WeChat, WhatsApp, and Line across multiple operating systems. ThreatFabric's reporting highlighted the framework's ability to exfiltrate payment data from WeChat, delete contacts, and clear messaging history, among other functions.

The servers analyzed in this research share similarities with prior malicious infrastructure but introduce notable differences in the command list. As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis.

A comparison of command lists between the previously reported 45.125.34[.]126:49000 and the recently observed 149.104.18[.]80:10000 reveals a significant expansion:

• Previous reported C2: 55 supported commands.

• Recently observed C2: Over 100 commands spanning Android, iOS, Windows, macOS, routers, and Linux.

The new command list shifts focus from direct data collection to broader operational control, including transmission management ("传输控制") and plugin version tracking ("上传插件版本详细信息"). These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments more efficiently across multiple platforms.

Among the newly introduced Android commands are:

• 获取Facebook数据库文件 ("Get Facebook Database Files")

  • Command ID: 83001

• 获取Instagram数据库文件 ("Get Instagram Database Files")

  • Command ID: 83002

This is the first reference we are aware of Facebook and Instagram database targeting within LightSpy's command structure. Additionally, the list references "Enigma," which may correspond to the secure messaging platform of the same name.

The shift from targeting messaging applications to Facebook and Instagram expands LightSpy's ability to collect private messages, contact lists, and account metadata from widely used social platforms. Extracting these database files could provide attackers with stored conversations, user connections, and potentially session-related data, increasing surveillance capabilities and opportunities for further exploitation.

LightSpy Core, iOS & Windows Plugins

While we were unable to recover any first-stage implants for LightSpy, we examined the server for files of interest that were accessible for download. The server 149.104.18[.]80, hosted on Cloudie Limited in Hong Kong, was observed with open ports 80, 443, 10000, 30000, and 40002.

LightSpy's configurations frequently use /963852741 as a recurring endpoint pattern. A GET request to http[:]//149.104.18[.]80:30000/963852741/ios/version.json returned metadata on LightSpy's core, including its deployment date, file name, and MD5 hash. The date listed was 2020-12-21, reportedly associated with version 7.7.1.

Querying the same endpoint on port 40002 returned a deployment date of 2021-12-31, with the MD5 hash 81d2bd4781e3753b508ff6d966dbf160. To our knowledge, this date/version has not been publicly reported.

The hashes for both light.framework.zip files can be found at the end of this post.

iOS Plugins

Alongside version.json, the server also hosts manifest.json, which contains version numbers, class paths, MD5 hashes for integrity verification, file names, and download URLs. The response listed 17 different plugins, all matching the versions and capabilities described in ThreatFabric's most recent analysis. Notably, the operator removed plugins associated with destructive actions on the victim host.

The URL field within the response referenced an additional IP, 103.238.227[.]138, serving plugins at the same port and path. This server, also hosted on Cloudie Limited, had ports 22 and 7000 open. A single domain, hk.cdn[.]cat resolves to this IP, though we found no indication that it is associated with LightSpy activity.

Windows Plugins

In addition to the iOS plugin page, we identified a separate page for Windows plugins. No references to Linux, Android, or macOS plugins were found on this server, suggesting that iOS and Windows were the primary targets for this campaign.

The Windows JSON file followed the same structure as its iOS counterpart. There are 15 plugins with DLL files targeting x86 and x64 architectures. The observed version numbers were either 0.0.0.0 or 0.0.0.2, indicating the files were recent or the developer opted not to track version changes.

Below is a list of the Windows plugins, their version numbers, and the affected platforms:

The DLL files share one of the following PDB paths, indicating the directory structure used during development:

• W:\yk\Bigfoot\bin\*.pdb

• W:\yk\Darwin\Bin\*.pdb

The Windows plugins indicate a focus on keylogging ("KeyLogLib"), audio recording ("audio"), video capture ("video"), and USB interaction ("usb"), typical for surveillanceware. "Terminal*" DLLs suggest potential remote command execution or user activity monitoring, while "Cap" plugins are related to screenshot or screen recording capabilities.

Admin Panel/Infrastructure

The two other IPs associated with this activity, 43.248.8[.]108 and 149.104.18[.]251, host admin panels on ports 10000 or 10002. The login page, built on the Vue framework, is titled "Console Login" and is located at /ujmfanncy76211/login.

Further investigation revealed multiple endpoints under /ujmfanncy76211, each returning different behaviors:

Due to a misconfiguration in the server, the /third_login/:username endpoint provides a brief glimpse into the inner workings of the framework as an authenticated user. When loaded, the below page is visible and hosted at /phone/phoneinfo, of which we were able to capture a screenshot.

The interface, named Console v3.5.0, serves as a remote management panel for compromised mobile devices. Upon accessing the page, a "Login Successful" message is displayed, granting the operator access to device controls. The top menu options include:

• 控制台 → Console

• 产生文件 → Generate Files

• 日志 → Logs

The main content window prompts the user to "Please select a device from the group," while the side panel provides access to terminal logs and additional device data.

The presence of admin panel endpoints such as /third_login/:username and /remote_csm provides an opportunity to track LightSpy infrastructure through distinctive authentication requests and operator activity. Analyzing server responses, panel access patterns, and command execution behavior can offer further insight into the malware's operational framework.

Conclusion

LightSpy's infrastructure reveals previously unreported components and administrative functionality, though it remains unclear whether these represent new developments or older versions not publicly documented. Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms.

The exposure of admin panel authentication endpoints provides insight into how operators manage compromised systems and suggests that aspects of LightSpy's infrastructure may be monitored or tracked through behavioral analysis of authentication flows. Understanding how these endpoints function helps profile operational patterns and uncover related infrastructure. As LightSpy's operators adapt, we will do the same and continue refining our tracking methods to identify new C2 servers as they appear.

To mitigate risks, defenders/users should:

• Restrict app permissions to prevent unnecessary access to sensitive data. On Android, use Privacy Dashboard to review and revoke permissions, and on iOS, enable App Privacy Reports to monitor background data access.

• Enable advanced device security features that limit the exploitability of devices. iOS users can turn on Lockdown Mode, which restricts attack surfaces, while Android users can enable Enhanced Google Play Protect and exploit protection settings to detect and block malicious activity.

• Examine historical system logs and forensic artifacts to determine whether the 2021-12-31 core version or related LightSpy components were present in previously undetected infections.

LightSpy Network Observables and Indicators of Compromise (IOCs)

LightSpy Host Observables and Indicators of Compromise (IOCs)

PDB Paths

• W:\yk\Bigfoot\bin\filename.pdb

• W:\yk\Darwin\Bin\filename.pdb