
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927)

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as .dylib files (iOS, macOS) or .apk files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server. (Citation: MelikovBlackBerry LightSpy 2024)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--------- | -------- | --------- | -------- | -----
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Drive-By Compromise - T1456 (fd339382-bfec-4bf0-8d47-1caedc9e7e57) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Process Discovery - T1424 (1b51f5bc-b97a-498a-8dbd-bc6b1901bf19) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Exploitation for Client Execution - T1658 (5abfc5e6-3c56-49e7-ad72-502d01acf28b) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | 1
Exploitation for Privilege Escalation - T1404 (351c0927-2fc1-4a2c-ad84-cbbee7eb8172) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Process Injection - T1631 (b7c0e45f-0206-4f75-96e7-fe7edad3aaff) | Attack Pattern | 1
Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | System Network Connections Discovery - T1421 (dd818ea5-adf5-41c7-93b5-f3b839a219fb) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 1
Network Service Scanning - T1423 (2de38279-043e-47e8-aaad-1b07af6d0790) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) | Attack Pattern | 1
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Native API - T1575 (52eff1c7-dd30-4121-b762-24ae6fa61bbb) | Attack Pattern | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1
Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5) | Attack Pattern | LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | 1
LightSpy - S1185 (5b5d1e6c-e7de-4b46-ab8f-8556e8745927) | Malware | Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) | Attack Pattern | 1
Credentials from Password Store - T1634 (cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3) | Attack Pattern | Keychain - T1634.001 (8605a0ec-b44a-4e98-a7fc-87d4bd3acb66) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | 2
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) | Attack Pattern | 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2