S1185: LightSpy
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]
Analyst context for executives and security teams
LightSpy matters because it represents modular spyware across mobile and desktop platforms that can collect highly sensitive user data such as VoIP call recordings, SMS messages, credential stores, screenshots, audio, application data, browser information, and network details, then exfiltrate data over command-and-control communications. For leaders, the practical issue is not just malware blocking; it is whether endpoint, mobile, network, and incident response programs can prove visibility into personal-device-like data loss paths and cross-platform compromise involving Android, iOS, macOS, and Windows assets.
Executive priority
Prioritize LightSpy as a readiness test for high-risk users, mobile fleets, executive devices, and environments where mobile devices bridge into enterprise networks or VPNs. The ATT&CK relationships show discovery, collection, obfuscation, persistence-related mobile behavior, ingress tool transfer, shared module execution, web-protocol C2, and exfiltration over C2. Executives should ask whether the organization can collect defensible evidence from mobile and macOS/Windows endpoints, identify sensitive communications exposure, and respond when malware is modular, obfuscated, and designed to blend C2 into ordinary web traffic.
Technical view
SOC and IR teams should validate coverage around LightSpy’s documented platforms and related techniques: Android, iOS, macOS, and Windows. Key validation areas include modular payload loading such as .dylib or .apk components, encrypted or encoded files, binary padding, shared module execution, process/system/file/browser/software discovery, network configuration and service discovery, screenshot/audio capture, access to stored application data, and exfiltration over web-based C2 channels. ATT&CK provides no official detection text for S1185, so detections should be built from the related technique behaviors rather than from the software entry alone.
Likely telemetry
- Mobile device management and mobile threat defense events for Android and iOS application installation, permissions, jailbreak/root indicators, boot or logon initialization changes, and suspicious access to stored application data
- Endpoint telemetry from macOS and Windows for process execution, shared module or dynamic library loading, file creation, encoded/encrypted artifacts, and unusual discovery commands or API activity
- Network telemetry for outbound HTTP/S or other web-protocol communications, repeated C2-like beaconing, unusual destinations, and data transfer over the same channel used for command-and-control
- DNS, proxy, firewall, and VPN logs tying mobile or endpoint activity to external infrastructure and internal network access
- File and application inventory data showing unexpected .apk, .dylib, or modular component deployment
Detection direction
- Because MITRE supplies no official detection guidance for LightSpy, map detections to the related ATT&CK techniques and test them against local Android, iOS, macOS, and Windows telemetry availability.
- Tune for behavior chains rather than single indicators: obfuscated or padded files followed by module loading, discovery activity, sensitive data access, and outbound web-protocol communications is more meaningful than any one event alone.
- Validate mobile blind spots explicitly. iOS and Android telemetry may be limited without MDM/MTD integration, device compliance data, root or jailbreak visibility, and application permission/change history.
- For web-protocol C2 and exfiltration over C2, focus on anomalous outbound patterns and host-to-destination relationships while accounting for high false-positive potential from normal HTTPS traffic.
- For discovery techniques, baseline administrative and security-tool activity so process, file, browser, software, network configuration, Wi-Fi, and service discovery alerts do not drown analysts in expected management operations.
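The "behavior chains rather than single indicators" guidance above can be expressed as a small correlation rule. The following is an added illustration written for this page, not detection content from MITRE or from any product: it scores constructed macOS endpoint and network events per host in the order a modular implant would produce them (module load from a user-writable path, discovery, collection, outbound WebSocket egress), and only counts a stage when it follows the previous one inside a time window. The event schema, hostnames, paths and destinations are all assumptions made up for the example.

```python
"""Behavior-chain scoring over constructed macOS endpoint and network events.

Illustrative detection logic only. The event schema and the sample events
below are constructed for this example; they do not come from any product
or from the ATT&CK page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order expected from a modular implant: a module is loaded, discovery
# and collection follow, then data leaves over a web protocol.
STAGES = ["module_load", "discovery", "collection", "web_egress"]

# Map raw event types (hypothetical schema) onto chain stages.
STAGE_OF = {
    "dylib_load": "module_load",
    "process_enum": "discovery",
    "app_enum": "discovery",
    "wifi_scan": "discovery",
    "keychain_query": "collection",
    "screen_capture": "collection",
    "audio_capture": "collection",
    "ws_upgrade": "web_egress",
}

USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def is_suspicious(ev):
    """Per-event filters that remove obvious benign noise before chaining."""
    kind = ev["type"]
    if kind == "dylib_load":
        # Libraries loaded from user-writable locations rather than system paths.
        return ev["path"].startswith(USER_WRITABLE_PREFIXES)
    if kind == "ws_upgrade":
        # Only outbound WebSocket upgrades to non-allowlisted destinations count.
        return ev["dest"] not in ev.get("allowlist", set())
    return True


def score_host(events, window=timedelta(minutes=30)):
    """Return (score, ordered stages seen) for one host's events.

    A stage counts only if its first qualifying event lands after the previous
    counted stage and within `window`, so lone discovery by an admin or
    inventory tool does not light up the chain on its own.
    """
    evs = sorted((e for e in events if is_suspicious(e)), key=lambda e: e["ts"])
    seen, last_ts = [], None
    for stage in STAGES:
        for e in evs:
            if STAGE_OF.get(e["type"]) != stage:
                continue
            if last_ts is not None and not (last_ts <= e["ts"] <= last_ts + window):
                continue
            seen.append(stage)
            last_ts = e["ts"]
            break
    return len(seen), seen


def score_fleet(events):
    """Group events by host and score each host's chain."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {host: score_host(evs) for host, evs in by_host.items()}


def alerts(events, threshold=3):
    """Hosts whose chain reaches at least `threshold` of the four stages."""
    return sorted(h for h, (score, _) in score_fleet(events).items() if score >= threshold)


# Constructed sample telemetry (hypothetical hosts, paths and destinations).
T0 = datetime(2025, 1, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    # Full chain on an executive laptop: user-path dylib, discovery, keychain, egress.
    {"host": "mac-exec-01", "ts": T0, "type": "dylib_load", "path": "/Users/alice/Library/Caches/mod.dylib"},
    {"host": "mac-exec-01", "ts": T0 + timedelta(minutes=1), "type": "process_enum"},
    {"host": "mac-exec-01", "ts": T0 + timedelta(minutes=2), "type": "keychain_query"},
    {"host": "mac-exec-01", "ts": T0 + timedelta(minutes=3), "type": "ws_upgrade", "dest": "203.0.113.10"},
    # Inventory agent: discovery plus an allowlisted WebSocket to the MDM service.
    {"host": "mac-admin-02", "ts": T0, "type": "app_enum"},
    {"host": "mac-admin-02", "ts": T0 + timedelta(minutes=5), "type": "process_enum"},
    {"host": "mac-admin-02", "ts": T0 + timedelta(minutes=6), "type": "ws_upgrade",
     "dest": "mdm.example.com", "allowlist": {"mdm.example.com"}},
    # Developer box: system dylib, discovery, and an egress two hours later (outside the window).
    {"host": "mac-dev-03", "ts": T0, "type": "dylib_load", "path": "/usr/lib/libz.dylib"},
    {"host": "mac-dev-03", "ts": T0, "type": "process_enum"},
    {"host": "mac-dev-03", "ts": T0 + timedelta(hours=2), "type": "ws_upgrade", "dest": "198.51.100.5"},
]

if __name__ == "__main__":
    for host, (score, stages) in score_fleet(SAMPLE_EVENTS).items():
        print(host, score, stages)
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The window and the per-event filters are the tuning knobs the bullets above call for: the allowlist absorbs known management traffic, and the ordering requirement keeps routine discovery from scoring unless it sits between a module load and collection or egress.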
Mitigation priorities
- Start with asset and telemetry coverage: confirm which Android, iOS, macOS, and Windows devices are managed, logged, and available to IR during an investigation.
- Harden mobile and endpoint posture by enforcing application control where feasible, restricting untrusted app installation, monitoring for jailbreak/root conditions, and maintaining OS/application patching to reduce privilege-escalation opportunity.
- Reduce sensitive data exposure by reviewing mobile application permissions, credential storage practices, browser data handling, and access to SMS, VoIP, microphone, screen capture, and stored application data.
- Strengthen egress controls and monitoring for web-protocol C2 and exfiltration patterns, especially from executive devices, VPN-connected mobile devices, and systems with access to sensitive communications.
- Prepare IR playbooks for cross-platform spyware cases, including evidence preservation from mobile devices, endpoint triage, network containment, credential review, and privacy/legal escalation where communications data may be involved.
Analyst notes and limits
LightSpy is described by MITRE as a modular malware family first observed in 2018 that initially targeted iOS devices in Southern Asia and later expanded to Android and macOS; the supplied platform list also includes Windows. The software is related to APT41 in both enterprise and mobile ATT&CK relationship context, and it uses multiple enterprise and mobile techniques spanning obfuscation, discovery, collection, execution, persistence-related mobile behavior, C2, ingress transfer, and exfiltration.
The supplied ATT&CK object has no official detection section and no object-level tactics specified. The summary relies on the official description, external reference metadata, platform list, and supplied relationships only. Local conclusions about exposure, active compromise, attribution, and detection coverage require environment-specific telemetry and investigation evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | If sent the command `16002`, LightSpy uses the `NSWorkspace runningApplications()` method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1480 | Execution Guardrails | |
| Enterprise | T1555.001 | Keychain Sub-technique | LightSpy performs an in-memory keychain query via `SecItemCopyMatching()`, then formats the retrieved data as a JSON blob for exfiltration. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | On macOS, LightSpy downloads a `.json` file from the C2 server. The `.json` file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the `.json` file, which are compiled `.dylib` files. These `.dylib` files provide task- and platform-specific functionality. LightSpy also imports open-source libraries to manage socket connections. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1113 | Screen Capture | LightSpy uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses `AVCaptureStillImage` to take a picture with the user's camera and `AVCaptureScreen` to take a screenshot or record the user's screen for a specified period of time. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | To exfiltrate data, LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | LightSpy's C2 communication is performed over WebSockets using the open-source library SocketRocket, with functionality such as heartbeat, receiving commands, and updating command status. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1129 | Shared Modules | LightSpy's main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library, `_objc_getClass()` to retrieve the class definition, and `_objc_msgSend()` to invoke the specified method in the loaded class. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1123 | Audio Capture | LightSpy uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings, then transforms them into JSON blobs for exfiltration. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | LightSpy encrypts the C2 configuration file using AES with a static key, while the module `.dylib` files use a rolling one-byte encoding for obfuscation. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1082 | System Information Discovery | LightSpy's second-stage implant uses the `DeviceInformation` class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1217 | Browser Information Discovery | To collect data on the host's Wi-Fi connection history, LightSpy reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | LightSpy's configuration file is appended to the end of the binary. For example, the last `0x1d0` bytes of one sample is an AES-encrypted configuration file with a static key of `3e2717e8b3873b29`. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1518 | Software Discovery | If sent the command `16001`, LightSpy uses `NSFileManager contentsOfDirectoryAtPath()` to enumerate the Applications folder and collect the bundle name, bundle identifier, and version information from each application's `info.plist` file. The results are then converted into a JSON blob for exfiltration. (Citation: Huntress LightSpy macOS 2024) |
| Enterprise | T1046 | Network Service Discovery | To collect data on the host's Wi-Fi connection history, LightSpy reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values. (Citation: Huntress LightSpy macOS 2024) |
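The T1027.001 row describes a configuration blob appended after the end of the Mach-O image. A triage analyst can test a suspect binary for exactly that condition without knowing the key: parse the load commands, find where the last segment's file mapping ends, and measure the size and entropy of whatever trails it. The script below is an added illustration written for this page, not tooling from Huntress or MITRE. It handles only little-endian 64-bit thin Mach-O files (no fat/universal binaries), and the sample it analyses is a synthetic header plus a deterministic pseudo-random tail of `0x1d0` bytes constructed in the script, not a LightSpy sample.

```python
"""Triage check for data appended after the last Mach-O segment.

Parses a minimal 64-bit Mach-O header, computes the file offset where the
mapped segments end, and reports the size and Shannon entropy of any trailing
bytes. An AES-encrypted overlay shows up as a high-entropy tail; zero padding
shows up as a low-entropy tail. Sample inputs are constructed, not real malware.
"""
import hashlib
import math
import struct
import sys
from collections import Counter

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
HEADER_SIZE = 32          # sizeof(struct mach_header_64)
SEGMENT_CMD_SIZE = 72     # sizeof(struct segment_command_64)


def segments_end(data):
    """Highest file offset covered by any LC_SEGMENT_64 load command."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit images not handled)")
    off, end = HEADER_SIZE, 0
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, ...
            fileoff, filesize = struct.unpack_from("<2Q", data, off + 40)
            end = max(end, fileoff + filesize)
        off += cmdsize
    return end


def shannon_entropy(buf):
    """Bits per byte; 0.0 for empty or single-valued input, up to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay_report(data):
    """Describe bytes that sit past the end of every mapped segment."""
    end = segments_end(data)
    tail = data[end:]
    ent = round(shannon_entropy(tail), 2)
    if not tail:
        verdict = "no overlay"
    elif ent >= 6.5:
        verdict = "high-entropy overlay (encrypted or compressed data appended)"
    else:
        verdict = "low-entropy overlay (padding or plain data appended)"
    return {"segments_end": end, "overlay_size": len(tail), "overlay_entropy": ent, "verdict": verdict}


def build_sample(tail):
    """Construct a synthetic thin Mach-O: one __TEXT segment of 0x200 bytes plus `tail`."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, SEGMENT_CMD_SIZE, 0, 0)
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, SEGMENT_CMD_SIZE, b"__TEXT",
                      0x100000000, 0x4000, 0, 0x200, 7, 5, 0, 0)
    body = (header + seg).ljust(0x200, b"\0")   # placeholder for code and data
    return body + tail


def pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (hash chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Two constructed samples: an encrypted-looking 0x1d0-byte tail and a zero-padded tail.
ENCRYPTED_TAIL_SAMPLE = build_sample(pseudo_random(0x1D0))
ZERO_TAIL_SAMPLE = build_sample(b"\0" * 0x1D0)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(overlay_report(fh.read()))
    else:
        print("constructed encrypted-tail sample:", overlay_report(ENCRYPTED_TAIL_SAMPLE))
        print("constructed zero-tail sample:", overlay_report(ZERO_TAIL_SAMPLE))
```

Run it with a file path to inspect a real thin 64-bit Mach-O, or with no arguments to see the two constructed cases. A non-empty high-entropy tail is a lead, not a verdict: legitimate signed binaries normally end exactly where `__LINKEDIT` ends, so anything past that point deserves a look, but compressed resources or installer stubs can produce the same shape.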
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 683d2a5b9f59… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. BlackBerry. Retrieved January 14, 2025. (Open source URL)
- [2] MITRE ATT&CK. S1185: LightSpy. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.