Skip to content

LightSpy extends threat to macOS devices following iOS

  • by
  • 4 min read

Sophisticated Chinese LightSpy spyware has now expanded to target macOS users in addition to its earlier focus on Indian iOS users.

In April, BlackBerry exposed the LightSpy malware framework. This discovery was made when a file was uploaded to VirusTotal. The malware was designed for surveillance and first appeared in 2020 in Hong Kong.

The spyware can extract sensitive information like location data, record audio during VOIP calls and track Safari and Chrome browser history. Given its highly targeted nature, it targeted several high-profile personnel, such as journalists, diplomats, activists, and politicians.

“While there is a variant of LightSpy that affects Apple’s mobile devices like the iPhone, this sample notably only targets the macOS platform. There are a number of factors which support this, but the largest is that these binaries are all compiled for the x86_64 architecture, ruling out iPhones based on the ARM architecture,” the researchers noted.

The LightSpy campaign uses a complex, multi-stage process to infiltrate and compromise macOS devices. It typically begins with distributing a malware dropper, often delivered through phishing software downloads.

Upon execution, the dropper checks its unique process identification number (PID) file to ensure that the implant is not already active on the target device, preventing duplication. It then decrypts encrypted configuration data appended to its binary using AES encryption with a static key, preparing for the next phase of the attack.

Decryption logic. | Source: Huntress

Upon decrypting the configuration data, the dropper communicates with the command and control (C2) servers to retrieve supplementary malicious plugins (dylibs) designed to augment the malware’s functionalities.

These plugins are tailored to perform specific tasks such as data exfiltration, system reconnaissance, keylogging, screen capture, remote access, and other malicious actions to compromise device integrity and pilfer sensitive data.

Before downloading these plugins, the dropper solicits a manifest file (macmanifest.json) from the C2 server, which furnishes comprehensive details about the plugins and their verification hashes (MD5) for validation purposes.

After obtaining the necessary plugins, the proper verifies payload integrity by communicating with a specific URL that returns a JSON blob for verification purposes. The payloads, including the core implant and plugins, are encrypted using a rolling-type XOR encryption mechanism, decrypted by the malware’s code, and then executed to take full control of the compromised macOS device.

DeviceInformation function. | Source: Huntress

The implanted malware, loaded with core functionality and plugins, initiates communication with the C2 server over WebSockets, enabling command and control operations. It gathers system information using the DeviceInformation class, excluding iOS-specific identifiers like International Mobile Subscriber Identity (IMSI) or International Mobile Equipment Identity (IMEI) numbers.

This information-gathering phase sets the stage for subsequent malicious activities, which can range from surveillance to data theft and system manipulation.

Throughout its operation, the LightSpy malware employs evasion techniques and anti-analysis measures to avoid detection by security solutions and researchers. While past research has linked LightSpy to APT 41, researchers could not definitively attribute these recent attacks.

Researchers have urged several countermeasures, including maintaining updated security software, implementing network traffic monitoring, conducting regular security audits, and educating users about phishing and malware protection.

In the News: Concerns rise as AI-generated NSFW app ads proliferate Meta

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: