The LightSpy advanced persistent threat (APT) group has significantly upgraded its surveillance capabilities with a 100+ command framework targeting Android, iOS, Windows, macOS, and Linux systems, according to new infrastructure analysis.
This modular malware now employs refined data exfiltration techniques against social media platforms and expanded device control mechanisms, marking a strategic shift toward omnidirectional cyberespionage.
Evolution of LightSpy’s Command Infrastructure
According to a report from Hunt.io, a threat hunting platform, the latest command-and-control (C2) server at 149.104.18[.]80:10000 reveals a 182% increase in supported operations compared to the previously documented 45.125.34[.]126:49000 server, which hosted 55 commands.
The updated cmd_list endpoint (/ujmfanncy76211/front_api) introduces granular control mechanisms like 传输控制 (“transmission control”) and 上传插件版本详细信息 (“upload plugin version details”), enabling operators to manage compromised devices through version-aware plugin deployments.
Notably, the framework now targets Facebook and Instagram database files through dedicated Android commands:
- Command ID 83001: 获取Facebook数据库文件 (“Get Facebook Database Files”)
- Command ID 83002: 获取Instagram数据库文件 (“Get Instagram Database Files”)
This represents LightSpy’s first known integration of social media database extraction, potentially exposing private messages, contact lists, and authentication tokens stored in SQLite databases.
Windows Surveillance Plugins and System Integration
Analysis of the 149.104.18[.]80 server’s port 40002 endpoint uncovered 15 Windows-specific DLL plugins designed for x86/x64 architectures. These components exhibit surveillance capabilities through:
- KeyLogLib32m.dll/KeyLogLib64m.dll: Kernel-level keystroke logging
- audiox64m.dll/audiom.dll: System audio capture via Windows Audio Session API (WASAPI)
- video64m.dll/videom.dll: Desktop duplication API-based screen recording
The plugins follow a development pattern evidenced by PDB paths of the form W:\yk\Bigfoot\bin\*.pdb, suggesting compartmentalized project structures.
Version numbering (0.0.0.0-0.0.0.2) indicates active development cycles, with “Terminal” plugins likely hooking into Windows Console API for command execution monitoring.
LightSpy’s infrastructure employs multi-port C2 channels across:
- Port 30000: iOS core version management (light.framework.zip)
- Port 40002: Windows plugin distribution
- Port 10000: Admin panel authentication (/ujmfanncy76211/login)
The framework’s Vue.js-based admin interface (Console v3.5.0) was briefly exposed through a misconfigured /third_login/:username endpoint, revealing device grouping capabilities and real-time terminal log access.
Forensic artifacts from the 2021-12-31 core version (MD5:81d2bd4781e3753b508ff6d966dbf160) show improved session persistence mechanisms compared to the 2020-12-21 build.
Mitigation Strategies for Enterprise Defense
Organizations should implement:
- iOS Lockdown Mode: Restricts attack surfaces by disabling Just-in-Time (JIT) JavaScript compilation
- Android Enhanced Play Protect: Scans sideloaded APKs for LightSpy’s signature WASM-based payloads
- Windows Memory Integrity Checks: Blocks unsigned drivers like KeyLogLib64m.dll through Hypervisor-protected Code Integrity (HVCI)
Network defenders can detect LightSpy’s TLS fingerprint (JA3:6734f37431670b3ab4292b8f60f29984) and monitor for anomalous requests to /963852741/ios/version.json endpoints.
The framework’s expanded command set enables threat actors to:
- Chain database extraction (Commands 83001-83002) with MITM attacks using rogue CA certificates
- Correlate social media metadata with geolocation data from Capx64m.dll’s screenshot capabilities
- Establish persistence through USB device emulation via usbx64m.dll
This development positions LightSpy as a polymorphic threat capable of bridging OS-specific vulnerabilities into cross-platform intrusion campaigns.
Given their role in plugin distribution and C2 operations, continued monitoring of Cloudie Limited-hosted IPs (103.238.227[.]138, 43.248.8[.]108) is critical.
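As an added example (not code from the article or from Hunt.io), the following Python script turns the indicators quoted above, the C2 addresses and ports, the URI paths, the JA3 fingerprint and the core-version MD5, into a detection pass over JSON-lines telemetry. The log format and field names (src, dst, dport, uri, ja3, file_md5) are assumptions, and the sample records are constructed. Path-only hits are reported at lower severity because a URI prefix such as /third_login/ is a weaker signal than a published C2 address or TLS fingerprint.

```python
"""Match constructed network and file telemetry against the LightSpy indicators quoted in the article."""
import json
from dataclasses import dataclass

# Indicators exactly as published (defanged with "[.]"); refanged once at load time.
LIGHTSPY_C2_IPS_DEFANGED = {
    "149.104.18[.]80",    # current C2: cmd_list, admin panel, Windows plugin distribution
    "45.125.34[.]126",    # previously documented C2 (55 commands)
    "103.238.227[.]138",  # Cloudie Limited-hosted IPs flagged for continued monitoring
    "43.248.8[.]108",
}
LIGHTSPY_C2_PORTS = {10000, 30000, 40002, 49000}
LIGHTSPY_URI_PREFIXES = (
    "/ujmfanncy76211/",             # front_api cmd_list endpoint and admin login
    "/963852741/ios/version.json",  # iOS version check
    "/third_login/",                # exposed admin endpoint
)
LIGHTSPY_JA3 = {"6734f37431670b3ab4292b8f60f29984"}
LIGHTSPY_FILE_MD5 = {"81d2bd4781e3753b508ff6d966dbf160"}  # 2021-12-31 core version


def refang(ioc: str) -> str:
    """Turn a published '[.]'-defanged indicator back into a comparable value."""
    return ioc.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in LIGHTSPY_C2_IPS_DEFANGED}


@dataclass
class Alert:
    ts: str
    src: str
    severity: str      # "high" for a strong indicator, "medium" for a path-only hit
    reasons: list


def match_event(ev: dict) -> tuple:
    """Return (severity, reasons) for one telemetry event; ("", []) if it is clean."""
    strong, weak = [], []
    dst, dport = ev.get("dst", ""), ev.get("dport")
    if dst in C2_IPS:
        strong.append(f"destination {dst} is a published LightSpy C2 address")
        if dport in LIGHTSPY_C2_PORTS:
            strong.append(f"port {dport} matches a LightSpy C2 channel")
    uri = ev.get("uri") or ""
    if any(uri.startswith(p) for p in LIGHTSPY_URI_PREFIXES):
        # A path by itself is a weaker signal: /third_login/ in particular is generic.
        weak.append(f"URI {uri} matches a LightSpy C2 path")
    ja3 = (ev.get("ja3") or "").lower()
    if ja3 in LIGHTSPY_JA3:
        strong.append(f"JA3 {ja3} matches the LightSpy TLS client fingerprint")
    md5 = (ev.get("file_md5") or "").lower()  # hashes are compared case-insensitively
    if md5 in LIGHTSPY_FILE_MD5:
        strong.append(f"file MD5 {md5} matches a LightSpy core build")
    if strong:
        return "high", strong + weak
    if weak:
        return "medium", weak
    return "", []


def scan(lines) -> list:
    """Parse JSON-lines telemetry and return one Alert per matching event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the whole scan
        severity, reasons = match_event(ev)
        if reasons:
            alerts.append(Alert(ev.get("ts", ""), ev.get("src", ""), severity, reasons))
    return alerts


# Constructed sample telemetry (not real traffic); one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-02-01T08:01:02Z", "src": "10.0.0.5", "dst": "149.104.18.80", "dport": 10000, "uri": "/ujmfanncy76211/front_api", "ja3": "6734f37431670b3ab4292b8f60f29984"}
{"ts": "2025-02-01T08:02:10Z", "src": "10.0.0.7", "dst": "203.0.113.9", "dport": 443, "uri": "/963852741/ios/version.json"}
{"ts": "2025-02-01T08:03:00Z", "src": "10.0.0.8", "dst": "198.51.100.20", "dport": 443, "uri": "/index.html", "ja3": "0123456789abcdef0123456789abcdef"}
not a json record
{"ts": "2025-02-01T08:04:30Z", "src": "10.0.0.9", "file_md5": "81D2BD4781E3753B508FF6D966DBF160"}
{"ts": "2025-02-01T08:05:45Z", "src": "10.0.0.11", "dst": "45.125.34.126", "dport": 49000}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a.ts, a.src, a.severity, "; ".join(a.reasons))
```

Run against the constructed log, the scan yields four alerts: the full C2 session (address, port, path and JA3 all matching), a medium-severity path-only hit to an unrelated address, a file hash match despite the uppercase hex, and a bare connection to the older C2 on port 49000; the clean HTTPS request and the malformed line produce nothing. Feeding real proxy, Zeek or EDR exports only requires mapping their field names onto the keys the script reads.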