LightSpy¶
LightSpy is a modular surveillance framework targeting iOS, Android, macOS, Windows, Linux, and routers, with a persistent focus on the Asia-Pacific region. First documented in early 2020 during watering hole attacks against Hong Kong users, the framework is attributed with high confidence to Chinese state-sponsored operations overlapping with APT41. On Android, LightSpy operates through a plugin-based architecture where a lightweight Core orchestrator downloads and manages 14+ surveillance plugins covering location tracking, messaging app data extraction, payment system monitoring, ambient audio recording, and file exfiltration. ThreatFabric linked the Android variant (previously tracked as DragonEgg) to the same infrastructure as the iOS implant, unifying what had been treated as separate campaigns. As of early 2025, Hunt.io documented over 100 commands across all platforms, with new capabilities targeting Facebook and Instagram data on Android.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | January 2020 (watering hole discovery) |
| Status | Active, continuously expanding |
| Type | State-sponsored surveillance framework |
| Attribution | Chinese state-sponsored, APT41 overlap (Lookout, BlackBerry); earlier research linked to Spring Dragon/Lotus Blossom |
| Aliases | DragonEgg (Android variant, per Lookout), LightSpy mAPT |
| Platforms | Android, iOS, macOS, Windows, Linux, routers |
Origin and Lineage¶
Kaspersky and Trend Micro jointly disclosed LightSpy in March 2020, documenting a watering hole attack that delivered a full iOS exploit chain to visitors of a fake news site mimicking Hong Kong's Apple Daily newspaper. The campaign began on January 10, 2020 and escalated on February 18 with iframe-based redirects serving both the exploit payload and the legitimate news site to avoid suspicion.
In July 2023, Lookout published research on two Android surveillance tools they named WyrmSpy and DragonEgg, attributing both to APT41. ThreatFabric subsequently established that DragonEgg's Core module was the Android component of the LightSpy framework, sharing infrastructure and C2 patterns with the iOS implant documented in 2020. WyrmSpy (also called AndroidControl) shared the same infrastructure and may represent a successor variant.
BlackBerry's November 2024 analysis documented the DeepData framework deployed alongside LightSpy in targeted espionage campaigns across Southern Asia, reinforcing the APT41 attribution and revealing expanded operational scope.
Distribution¶
| Vector | Details |
|---|---|
| Watering hole attacks | Fake news sites mimicking legitimate media (Apple Daily clone targeting Hong Kong, 2020) |
| Safari/WebKit exploit chain | CVE-2020-9802 (WebKit RCE), CVE-2020-3837 (privilege escalation) for iOS delivery |
| Trojanized applications | Android delivery via fake utility apps and messaging apps distributed outside official stores |
| iframe redirect chains | Invisible iframes redirecting to exploit servers while loading legitimate content |
The iOS watering hole campaign used a multi-stage exploit chain: visitors to the lure site were redirected through an invisible iframe to an exploit server that triggered CVE-2020-9802 (a WebKit vulnerability fixed in iOS 13.5) for initial code execution, with CVE-2020-9870 and CVE-2020-9910 (fixed in iOS 13.6) used as mitigation bypasses, and CVE-2020-3837 for privilege escalation to install the implant.
Android distribution relies on trojanized applications rather than browser exploits. Targets are directed to download apps that appear legitimate but contain the LightSpy Core loader, which then fetches plugins from C2.
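The invisible-iframe redirect described in the table and the iOS paragraph above leaves a recognisable trace in the lure page's HTML. The following detector is an added example (not part of the original page and not code from LightSpy or any of the vendors cited); it uses only the Python standard library and flags iframes that are hidden (zero size, `display:none`, `visibility:hidden`, or pushed far off-screen) and point at a host other than the page's own. The HTML sample, the `news.example` page URL and the `exploit.invalid` hosts are constructed placeholders.

```python
"""Find hidden, cross-origin iframes in a fetched lure page (constructed sample)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element outright or shove it off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _style_prop(style, name):
    """Value of a single CSS property inside an inline style string, or ''."""
    m = re.search(rf"(?:^|;)\s*{name}\s*:\s*([^;]+)", style, re.I)
    return m.group(1).strip() if m else ""


def _is_zero(value):
    """True for '0', '0px', '0%', '0em'."""
    return bool(re.fullmatch(r"0+(px|%|em)?", value.strip()))


def is_hidden(attrs):
    """An iframe is hidden when styled away or when both width and height are zero."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE_RE.search(style):
        return True
    width = attrs.get("width") or _style_prop(style, "width")
    height = attrs.get("height") or _style_prop(style, "height")
    return bool(width and height and _is_zero(width) and _is_zero(height))


def find_hidden_cross_origin_iframes(html, page_url):
    """Return src URLs of hidden iframes whose host differs from the page's host.

    Relative srcs (no host) are treated as same-origin and ignored.
    """
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample: a news-style page with two hidden third-party frames,
# one normal video embed, and one hidden but same-origin widget.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<iframe src="https://exploit.invalid/loader" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://video.example/player" width="640" height="360"></iframe>
<iframe src="https://exploit.invalid/stage2" style="position:absolute;left:-9999px"></iframe>
<iframe src="/local/widget" style="display:none"></iframe>
</body></html>"""
PAGE_URL = "https://news.example/"

if __name__ == "__main__":
    for src in find_hidden_cross_origin_iframes(SAMPLE_HTML, PAGE_URL):
        print("hidden cross-origin iframe:", src)
```

Run against saved copies of a suspect page; a hit is a reason to pull the framed URL's content for analysis, not proof of an exploit server, since ad and tracking embeds use the same hiding tricks.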
Capabilities¶
Android Plugin Architecture¶
LightSpy's Android variant operates through a Core orchestrator that manages surveillance plugins. ThreatFabric obtained the Core and 14 plugins from 20 active C2 servers. The Core creates a SQLite database named light2.db to store configuration, commands, and plugin data. Plugins are downloaded via WebSocket, while HTTPS handles data exfiltration.
| Plugin | Function |
|---|---|
| locationmodule | GPS tracking with precision down to building floor number |
| locationBaidu | Location tracking via Baidu services (China-focused) |
| soundrecord | Ambient audio recording and WeChat VOIP call interception |
| cameramodule | Silent photo capture from device cameras |
| wechat | WeChat message history, contacts, and group data extraction |
| bill | WeChat Pay transaction and payment history collection |
| qq | QQ messenger data extraction |
| telegram | Telegram message and contact exfiltration |
| softchat / softlist | Installed application enumeration and messaging app data |
| chatfile | File extraction from messaging app storage directories |
| filemanager | General file system browsing and exfiltration |
| browser | Browser history, bookmarks, and saved data |
| shell | Remote shell command execution |
| baseinfo | Device fingerprinting (IMEI, model, OS version, SIM info) |
| wifi | WiFi network enumeration, connected network details, local network scanning |
Expanded Capabilities (2024-2025)¶
Hunt.io documented newer versions with expanded social media targeting:
| Capability | Details |
|---|---|
| Facebook data extraction | Database file extraction from the Facebook Android app |
| Instagram data extraction | Message and account metadata collection from Instagram |
| 100+ commands | Cross-platform command set spanning Android, iOS, macOS, Windows, Linux, and routers |
| Plugin version tracking | Centralized management of plugin updates across deployed implants |
| Transmission management | Operator control over data exfiltration scheduling and bandwidth |
iOS Capabilities¶
The iOS implant mirrors the Android plugin set with platform-specific adaptations:
| Category | Details |
|---|---|
| Messages | SMS, iMessage, email |
| Messaging apps | WeChat, QQ, Telegram, WhatsApp |
| Location | GPS with fine-grained positioning |
| Calls | Call history extraction |
| Contacts | Full address book exfiltration |
| WiFi | Network enumeration and connected AP details |
| Browser | Safari history and bookmarks |
| Keychain | iOS Keychain data extraction |
Technical Details¶
Core Architecture¶
The LightSpy Core operates as a plugin itself, responsible for orchestrating all functions in the attack chain. It exports a C2 communication function that individual plugins call to exfiltrate collected data. The Core is highly configurable through updatable operator-defined settings, allowing precise control over what data is collected and when.
On first execution, the Core:
- Creates the light2.db SQLite database for local state management
- Registers with the C2 server, sending device fingerprint and plugin status
- Receives plugin download URLs via WebSocket
- Downloads, validates, and loads surveillance plugins
- Reports plugin versions and operational status back to the operator
C2 Infrastructure¶
Hunt.io's certificate analysis mapped LightSpy's infrastructure:
| Aspect | Details |
|---|---|
| Server locations | Primarily China and Hong Kong, with one server identified in Japan |
| Hosting providers | Topway Global Limited and ChinaNet host most certificate-bearing servers |
| Web server | Nginx 1.14.0 used consistently across LightSpy and AndroidControl infrastructure |
| TLS certificates | High-port certificates (50000+ range) used as fingerprinting markers |
| Communication | WebSocket for plugin delivery and commands, HTTPS for data exfiltration and logs |
The shared infrastructure between LightSpy and WyrmSpy/AndroidControl, including identical Nginx configurations and overlapping certificate patterns, is the primary technical basis for linking these campaigns under APT41.
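The Core Architecture and C2 Infrastructure sections above name three concrete, checkable artifacts: an on-device SQLite database called light2.db, a WebSocket channel for plugin delivery and commands, and C2 servers that answer on high ports (50000+) behind Nginx 1.14.0. The following triage helper is an added example (not part of the original page and not code from LightSpy or the vendors cited) that scores those markers over a file listing and a proxy log. The log line format, the file entries and the `203.0.113.10` address are constructed samples; real LightSpy C2 addresses are not reproduced here.

```python
"""Triage helpers for the LightSpy markers named on this page (constructed samples)."""
import re
from dataclasses import dataclass

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header every SQLite 3 file starts with
HIGH_PORT_FLOOR = 50000                # page: TLS certificates on 50000+ ports as markers
SUSPECT_SERVER = "nginx/1.14.0"        # page: Nginx 1.14.0 across LightSpy infrastructure


@dataclass
class FileEntry:
    """A file from a device image or backup: its path plus its first bytes."""
    path: str
    head: bytes


def find_light2_db(entries):
    """Return paths of files named light2.db that really are SQLite 3 databases.

    Checking the header avoids false hits on an unrelated file that merely
    reuses the name.
    """
    return [
        e.path
        for e in entries
        if e.path.rsplit("/", 1)[-1] == "light2.db" and e.head.startswith(SQLITE_MAGIC)
    ]


# Constructed proxy log format (one connection per line):
#   <ts> <src_ip> <dst_host>:<dst_port> <method> <upgrade-header-or-'-'> <server-header-or-'-'>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<upgrade>\S+) (?P<server>\S+)$"
)


def score_connection(line):
    """Return (score, reasons) for one log line; higher means more LightSpy-like."""
    m = LOG_RE.match(line.strip())
    if not m:
        return 0, ["unparsed"]
    reasons = []
    if m["upgrade"].lower() == "websocket":
        reasons.append("websocket-upgrade")
    if int(m["port"]) >= HIGH_PORT_FLOOR:
        reasons.append("high-port")
    if m["server"] == SUSPECT_SERVER:
        reasons.append("nginx-1.14.0")
    return len(reasons), reasons


def triage_log(lines, threshold=2):
    """Return (line, reasons) for every line whose score reaches the threshold."""
    flagged = []
    for line in lines:
        score, reasons = score_connection(line)
        if score >= threshold:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed device listing: a real SQLite light2.db, a decoy with the right
# name but no SQLite header, and an unrelated database.
SAMPLE_FILES = [
    FileEntry("/data/data/com.example.util/databases/light2.db", SQLITE_MAGIC + b"\x10\x00"),
    FileEntry("/sdcard/Download/light2.db", b"not a database"),
    FileEntry("/data/data/com.example.util/databases/cache.db", SQLITE_MAGIC),
]

# Constructed proxy log: one WebSocket session to a high port behind nginx/1.14.0,
# one HTTPS POST to the same host on 443, and two ordinary connections.
SAMPLE_LOG = [
    "2025-01-10T08:00:01Z 10.0.0.5 203.0.113.10:50123 GET websocket nginx/1.14.0",
    "2025-01-10T08:00:02Z 10.0.0.5 203.0.113.10:443 POST - nginx/1.14.0",
    "2025-01-10T08:00:03Z 10.0.0.7 example.com:443 GET websocket -",
    "2025-01-10T08:00:04Z 10.0.0.7 example.com:80 GET - Apache",
]

if __name__ == "__main__":
    for path in find_light2_db(SAMPLE_FILES):
        print("LightSpy-style state database:", path)
    for line, reasons in triage_log(SAMPLE_LOG):
        print("suspect C2 connection:", line, reasons)
```

The threshold of two markers is deliberate: a WebSocket upgrade alone or an old Nginx banner alone is common on benign traffic, while their co-occurrence on a 50000+ port is the combination the page describes. The HTTPS POST on port 443 scores only one point here; once the WebSocket session has identified a host, the same host's 443 traffic is the exfiltration channel to pull for inspection.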
Persistence and Anti-Analysis¶
| Technique | Details |
|---|---|
| Plugin-based loading | Surveillance modules downloaded post-installation reduce static analysis surface |
| SQLite state management | Local database tracks plugin status, enabling graceful recovery from interruptions |
| WebSocket C2 channel | Persistent bidirectional connection avoids polling-based detection patterns |
| Selective activation | Operators can enable or disable specific plugins per target |
Known Deployments and Targets¶
| Period | Targets | Context |
|---|---|---|
| January-March 2020 | Hong Kong residents | Watering hole mimicking Apple Daily during political unrest |
| 2020-2023 | Southeast Asian mobile users | Broader campaigns documented by Kaspersky |
| 2024 | Southern Asia, possibly India | BlackBerry documented renewed espionage campaign |
| 2024 | Southern Asia | BlackBerry documented DeepData framework deployed alongside LightSpy |
| 2025 | Cross-platform targets | Hunt.io identified expanded command set and social media targeting |
Notable Campaigns and Discoveries¶
January 2020: A watering hole site mimicking Hong Kong's Apple Daily newspaper is discovered delivering a full iOS exploit chain. Kaspersky publishes the initial technical analysis of the LightSpy iOS implant, documenting the Safari/WebKit exploit chain and modular surveillance capabilities.
March 2020: Trend Micro publishes companion research, and Kaspersky confirms ongoing watering hole campaigns targeting Southeast Asian mobile users across iOS, Android, and desktop platforms.
July 2023: Lookout attributes WyrmSpy and DragonEgg to APT41, documenting advanced Android surveillance tools. Google confirms the APT41 attribution.
October 2023: ThreatFabric publishes "LightSpy mAPT: Mobile Payment System Attack", linking DragonEgg to the LightSpy framework and documenting 14 Android plugins including the WeChat Pay bill module. This analysis unifies the Android and iOS campaigns under a single framework.
April 2024: BlackBerry publishes "LightSpy Returns", documenting a renewed espionage campaign targeting Southern Asia with updated LightSpy infrastructure.
June 2024: ThreatFabric documents the macOS variant of LightSpy, confirming cross-platform expansion beyond mobile.
October 2024: Updated iOS variant documented with expanded plugin count (from 12 to 28) and destructive capabilities added to the surveillance toolkit.
November 2024: BlackBerry documents APT41's DeepData framework deployed alongside LightSpy in targeted Southern Asian espionage operations, including capabilities to extract Fortinet VPN credentials.
February 2025: Hunt.io publishes infrastructure analysis revealing over 100 commands across all platforms, with new Facebook and Instagram data extraction modules for Android. Certificate tracking maps infrastructure primarily to China and Hong Kong hosting providers.
Related Families¶
| Family | Relationship |
|---|---|
| Pegasus | Both are sophisticated cross-platform surveillance frameworks, though Pegasus is commercial spyware sold to governments while LightSpy serves Chinese state intelligence directly. Pegasus uses zero-click exploit chains; LightSpy relies on watering holes and trojanized apps. |
| Predator | Both are state-linked surveillance platforms targeting mobile devices. Predator (Cytrox/Intellexa) is commercial; LightSpy is state-operated. Both use modular plugin architectures. |
| Hermit | Both employ modular plugin architectures where surveillance capabilities are downloaded post-installation from C2. Hermit uses ISP-assisted delivery; LightSpy uses watering holes. |
| KoSpy | Both are state-sponsored Android surveillance tools with plugin-based architectures. KoSpy serves North Korean intelligence (APT37); LightSpy serves Chinese intelligence (APT41). Both use multi-stage C2 with legitimate services for initial configuration. |