Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

Apr 15, 2024NewsroomSpyware / Mobile Security

LightSpy iOS Spyware

Cybersecurity researchers have discovered a “revamped” cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called. LightSpy.

“The latest iteration of LightSpy, called ‘F_Warehouse,’ has a modular framework with multiple surveillance features,” the BlackBerry Threat Research and Intelligence Team SAYS in a report published last week.

There is evidence to suggest that the campaign may have been targeted at India based on VirusTotal submissions from within its borders.

First documented in 2020 by Trend Micro and Kaspersky, LightSpy targets an advanced iOS backdoor distributed through watering hole attacks via compromised news sites.


Subsequent analysis from ThreatFabric in October 2023 discovered infrastructure and functionality overlap between the malware and an Android spyware known as DragonEgg, attributed to the Chinese state group APT41 (aka Winnti).

The initial intrusion vector is currently unknown, although it is suspected through news websites that have been breached and are known to be visited by the targets frequently.

The starting point is the first-stage loader that acts as a launchpad for the core LightSpy backdoor and the various plugins that are obtained from a remote server to obtain data collection functions.

LightSpy iOS Spyware

LightSpy is both fully featured and modular, allowing threat actors to harvest sensitive information, including contacts, SMS messages, precise location data and audio recordings of calls. VoIP.

The latest version discovered by the Canadian cybersecurity firm further expands its capabilities to steal files as well as data from popular apps such as Telegram, QQ, and WeChat, iCloud Keychain data, and web browsers. history from Safari and Google Chrome.

The complex spy framework also exhibits capabilities to gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device’s camera, record audio, and implement shell commands received from the server, potentially enabling it to hijack control of infected devices.

“LightSpy uses certificate pinning to prevent detection and interception of communications with its command-and-control (C2) server,” Blackberry said. “Thus, if the victim is on a network where the traffic is being inspected, no connection to the C2 server will be established.”


Further examination of the implant’s source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. In addition, LightSpy communicates with a server located at 103.27 (.) 109 (.) 217, which also hosts an administrator panel that displays an error message in Chinese when entering incorrect login credentials.

The development comes as Apple says it has sent threat notifications to users in 92 countries, including India, that may have targeted them for mercenary spyware attacks.

“The return of LightSpy, now equipped with the versatile ‘F_Warehouse’ framework, heralds an evolution in mobile espionage threats,” BlackBerry said.

“The malware’s expanded capabilities, including extensive data exfiltration, audio surveillance, and potential full device control, pose a serious risk to targeted individuals and organizations in Southern Asia.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment