Tuesday, February 25, 2025

LightSpy Malware Expands With 100+ Commands to Target Users Across All Major OS Platforms


The LightSpy surveillance framework has significantly evolved its operational capabilities and now supports over 100 commands to infiltrate Android, iOS, Windows, macOS and Linux systems as well as routers, according to new infrastructure analysis.

First documented in 2020, this modular malware has shifted from targeting messaging applications to focusing on social media database extraction and cross-platform surveillance, marking a dangerous escalation in its cyberespionage capabilities.

From Messaging Apps to Social Media Databases

LightSpy’s operators have expanded their command repertoire from 55 to more than 100 directives, with newly observed infrastructure at 149.104.18[.]80:10000 revealing tactical shifts.

LightSpy Infrastructure
Screenshot of current servers tagged as LightSpy

Where previous campaigns focused on extracting data from Telegram, WeChat, and WhatsApp, the framework now explicitly targets Facebook and Instagram database files through commands 83001 and 83002.

This enables attackers to exfiltrate private messages, contact lists, and account metadata—a strategic move that capitalizes on the pervasive use of these platforms for both personal and professional communications.

The command list modifications reflect an operational emphasis on granular data control, including “传输控制” (transmission management) and “上传插件版本详细信息” (uploading plugin version details), suggesting improved coordination between compromised devices and command servers. 

Screenshot of LightSpy core information dated

Analysts note this shift enables threat actors to prioritize high-value targets while maintaining persistent access across diversified environments.

Cross-Platform Surveillance Capabilities

LightSpy’s latest iteration demonstrates alarming versatility, with plugins and commands tailored for Windows, macOS, Linux, and embedded systems.

Windows-specific DLL files uncovered in recent scans reveal capabilities spanning audio recording (“audiox64m.dll”), keystroke logging (“KeyLogLib64m.dll”), USB device monitoring (“usbx64m.dll”), and screen capture (“Capx64m.dll”). 

Snippet of iOS plugins targeting several apps and functionalities.

These plugins follow a consistent development pattern visible in their PDB paths (W:\yk\Bigfoot\bin\*.pdb), indicating an organized codebase maintained for long-term deployment.

For macOS and Linux targets, while explicit plugins weren’t identified in the latest server snapshots, the expanded command list includes directives for router exploitation—a common pivot point to bridge into enterprise networks.

This multi-OS targeting strategy complicates defense efforts, as security teams must account for both endpoint and network infrastructure vulnerabilities.

View of the phone info page in LightSpy when accessing the /third_login/:username endpoint.

Active LightSpy command-and-control (C2) servers continue to leverage Hong Kong-based hosting provider Cloudie Limited, with 149.104.18[.]80 operating on ports 80, 443, 10000, 30000, and 40002. 

Screenshot of login panel at 149.104.18[.]80.

The use of non-standard ports (e.g., 30000 for iOS plugin version checks) and recurring endpoint patterns like /963852741 suggests automated deployment scripts designed to bypass simple port-based detection rules.

Researchers identified temporal discrepancies in core module deployment dates across ports: version.json files on port 30000 reference a 2020-12-21 build date, while port 40002 indicated a previously undocumented 2021-12-31 version (MD5: 81d2bd4781e3753b508ff6d966dbf160).

These inconsistencies point to either version fragmentation across campaigns or deliberate attempts to mislead forensic investigators.

Administrative Panel Exposure

A misconfigured admin panel at /third_login/:username briefly exposed LightSpy’s operational dashboard, branded as “Console v3.5.0”. The interface provides real-time device management, file generation controls, and access to terminal logs, capabilities aligned with state-sponsored surveillance toolkits.

Authentication endpoints like /thd/login and /remote_csm reveal layered access controls, potentially allowing different operator roles to manage compromised devices.

Result of querying /at which captures requestor information.

Notably, the panel’s “Generate Files” function may correlate with LightSpy’s plugin distribution system, which hosts malicious DLLs and framework components on auxiliary servers like 103.238.227[.]138.

This server, linked to the domain hk.cdn[.]cat, underscores the attackers’ reliance on benign-looking infrastructure to obscure malicious payload deliveries.

Mitigation Strategies and Defensive Countermeasures

Forensic Detection and Historical Analysis

Organizations are advised to audit historical system logs for indicators such as:

  • The MD5 hash 81d2bd4781e3753b508ff6d966dbf160 (2021-12-31 core version)
  • Filesystem entries referencing the W:\yk\Bigfoot\bin\ development path
  • Unauthorized access to Facebook/Instagram SQLite databases

Network traffic patterns showing repeated GET requests to /ujmfanncy76211/front_api or POSTs to /third_login warrant immediate incident response escalation.
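The following Python script is an added example, not code from the article or from any LightSpy analysis tool: it hunts for the indicators listed above (the C2 host and ports, the /ujmfanncy76211/front_api and /third_login endpoints, the core-module MD5 and the Bigfoot PDB path) across a constructed proxy log and raw file bytes. The proxy log layout, the sample entries and the intranet.example host are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit
# Indicators quoted in the article (its C2 IP 149.104.18[.]80, refanged here).
C2_IP = "149.104.18.80"
SUSPECT_URIS = ("/ujmfanncy76211/front_api", "/third_login", "/963852741", "/thd/login", "/remote_csm")
CORE_MD5 = "81d2bd4781e3753b508ff6d966dbf160"   # 2021-12-31 core version
PDB_MARKER = b"w:\\yk\\bigfoot\\bin\\"          # Bigfoot development path from the PDB strings
# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = """\
2025-02-25T10:00:01Z 10.0.0.7 GET http://149.104.18.80:10000/963852741 200
2025-02-25T10:00:02Z 10.0.0.7 GET http://149.104.18.80/ujmfanncy76211/front_api 200
2025-02-25T10:00:03Z 10.0.0.7 GET http://149.104.18.80/ujmfanncy76211/front_api 200
2025-02-25T10:00:04Z 10.0.0.9 POST https://intranet.example/third_login/admin 302
2025-02-25T10:00:05Z 10.0.0.9 GET https://intranet.example/index.html 200
""".splitlines()  # constructed sample log; only the last line is clean

def classify_line(line):
    """Return the indicator labels matched by one proxy log line (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url, hits = urlsplit(m["url"]), []
    if url.hostname == C2_IP:                 # any contact with the known C2 host
        port = url.port or (443 if url.scheme == "https" else 80)
        hits.append(f"c2-ip:{port}")
    for uri in SUSPECT_URIS:                  # known C2 endpoints, whatever the host
        if url.path.startswith(uri):
            hits.append(f"{m['method']} {uri}")
    return hits

def hunt(lines):
    """Group matching lines by indicator so repeated hits stand out for escalation."""
    findings = {}
    for line in lines:
        for hit in classify_line(line):
            findings.setdefault(hit, []).append(line)
    return findings

def scan_blob(data):
    """Check a file's bytes for the core-module MD5 and the Bigfoot PDB path."""
    hits = []
    if hashlib.md5(data).hexdigest() == CORE_MD5:
        hits.append("core-md5")
    if PDB_MARKER in data.lower():
        hits.append("pdb-path")
    return hits
```

Point hunt() at real proxy or web-server lines in the same layout and feed scan_blob() the bytes of suspect DLLs; repeated hits on the same endpoint are the pattern the article says to escalate.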

LightSpy’s transformation into a cross-platform espionage toolkit highlights the growing sophistication of cyberespionage campaigns.

By targeting social media databases and refining its plugin architecture, the framework poses significant risks to both individual privacy and organizational security.

Defenders must adopt proactive hunting strategies focused on behavioral indicators rather than static IOCs, as LightSpy’s operators continue to adapt their infrastructure and targeting methodologies.

With its expanded command set and multi-OS reach, this malware family represents a persistent threat that demands coordinated detection efforts across all major platforms.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
