Monday, May 5, 2025
Homecyber securityLightSpy iOS Malware Enhanced with 28 New Destructive Plugins

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

Published on

SIEM as a Service

Follow Us on Google News

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices. The malware’s core binaries were even signed with the same certificate used in jailbreak kits, indicating deep integration.

The C2 servers, active until October 26, 2022, hosted outdated malware, possibly for demonstration purposes but not as MaaS.

The iOS and macOS versions, while sharing core functions, differed in post-exploitation and privilege escalation techniques due to platform variations.

- Advertisement - Google News
attack chain

It exploited the CVE-2020-9802 vulnerability to gain access to the target device, which was fixed in iOS 13.5, but the threat actor bypassed CVE-2020-9870 and CVE-2020-9910, which were patched in iOS 13.6.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

By deploying a Mach-O binary executable, the exploit took advantage of a vulnerability known as CVE-2020-3837, which ultimately led to a jailbreak.

The jailbroken device downloaded and executed the FrameworkLoader, which further downloaded and executed the LightSpy Core and plugins, while the Core established communication with the C2 server for further malicious activities.

GitHub jailbreak kit project

LightSpy iOS Implant is a multi-part archive containing a core library (LightSpy Core) and multiple plugins, which relies on jailbreak functionalities and communicates with the C2 server.

The network communication, database access, and archive extraction are all accomplished through the utilization of a variety of libraries.

After establishing a C2 connection, LightSpy Core parses configuration and distributes tasks to plugins, where the Core itself can play sounds and utilizes a network stack to communicate with plugins.

It offers various plugins for data exfiltration (contacts, messages, app data), location tracking, screen capturing, and even destructive actions like disabling boot up or deleting files.

signcert.p12 thumbprint

The threat actors utilized self-signed certificates to establish infrastructure on IP address 103.27.109.217.

Open-source intelligence revealed multiple servers sharing this certificate. By sending GET requests to specific IP addresses and ports, researchers identified servers connected to the iOS campaign.

Threat Fabric’s investigation uncovered five key IP addresses associated with the campaign, two of which hosted administration panels.

only 222.219.183[.]84 had a working panel

While analysis based on source code file paths within the downloaded binaries suggests at least three developers worked on the LightSpy iOS project: two focused on plugin development and a lead developer responsible for the Core and privilege escalation components.

Xcode automatically inserts user and organization names into header files, which helped identify these developers.

File path variations within the same user account suggest possible use of multiple machines by the same developer.

The LightSpy iOS case reveals a sophisticated threat actor leveraging zero-day and one-day exploits to compromise devices, particularly those hindered by regional restrictions.

The attackers employ destructive capabilities to erase traces and demonstrate their tool’s potential, while the discovery of a location plugin tied to a Chinese-specific system strongly suggests Chinese origins.

To mitigate risks, users are advised to keep devices updated, reboot regularly to disrupt persistent attacks, and exercise caution in regions with restricted software updates.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...