A cyberespionage campaign using the LightSpy spyware has reemerged, targeting iOS device users in South Asia. Based on reports, the operators behind this campaign are China-affiliated hackers seeking to conduct surveillance attacks against a specific region.
Moreover, this latest iteration of LightSpy, codenamed ‘F_Warehouse,’ introduces a modular structure that significantly enhances its spying capabilities. Initial investigations suggest a probable focus on India, as most of the allegedly infected individuals appear to be located in that country.
LightSpy is spyware that first appeared at the start of the pandemic.
LightSpy, initially identified in 2020, uses sophisticated tactics like watering hole attacks through compromised news websites to breach iOS devices. Recent analysis uncovered similarities between LightSpy and an Android spyware called DragonEgg, linked to the Chinese state-sponsored group APT41.
While the spyware operators’ exact initial intrusion method remains undisclosed, researchers speculate that compromised news websites visited by the targets serve as the primary infection vector.
In addition, the malware employs a two-stage loading process, using a first-stage loader to facilitate the installation of the core LightSpy backdoor and its plugins from a remote server.
LightSpy’s functionality is expansive and alarming since it allows its operators to extract sensitive data, such as contacts, SMS messages, precise location information, and even recordings of VoIP conversations.
Furthermore, the latest version extends its reach to stealing files and information from popular apps like Telegram, QQ, and WeChat, alongside iCloud Keychain data and web browsing history.
The framework’s sophistication is evident in its ability to enumerate connected Wi-Fi networks, access app details, capture images through the device’s camera, record audio, and execute remote commands, potentially resulting in complete device compromise.
LightSpy uses certificate pinning to prevent interception of its communication with its C2 server and thus evade security detection; in addition, Chinese-language artefacts found in the implant’s source code suggest state-sponsored involvement.
Apple’s recent threat notifications to users in 92 countries, including India, further highlight the severity of the situation. The re-emergence of LightSpy, equipped with new capabilities, signals an alarming escalation in mobile espionage threats, posing significant risks to individuals and organisations across Southern Asia.