
LightSpy Spyware Operation Expands to Windows

The Chinese APT behind the LightSpy iOS backdoor has expanded its toolset with DeepData, a modular Windows-based surveillance framework.

The China-linked APT actor behind the LightSpy iOS malware has expanded its toolset with a Windows-based surveillance framework, BlackBerry reports.

Focused on stealing information from the infected devices, LightSpy was initially detailed in 2020, when it was used in attacks against iPhone users in Hong Kong.

Multiple reports this year have shown that LightSpy’s operators have extended the toolset to target Android and macOS, and have broadened the malware’s capabilities, including by adding destructive modules.

Now, BlackBerry, which attributes the attacks to the notorious Chinese hacking group APT41 (also known as Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti), details another step in the evolution of the LightSpy campaign, which has been expanded to Windows systems as well.

With the addition of DeepData, a Windows surveillance framework with 12 plugins specialized in information theft, the threat actor now has comprehensive cross-platform espionage capabilities, backed by a sophisticated command-and-control (C&C) infrastructure.

According to BlackBerry, APT41’s surveillance capabilities target communication platforms such as WhatsApp, Telegram, Signal, WeChat, Outlook, DingDing, and Feishu, as well as browsers, password managers, and a large amount of system and network data. The APT can also record audio to spy on victims.

DeepData, which is served from the threat actor’s C&C server inside a ZIP archive, has the same layout as LightSpy, consisting of a core module and multiple plugins that target various applications for information theft.

The audio recording capability is likewise packaged as a module, which captures from the system’s microphone using the open source library FFmpeg. Recordings are saved in the .acc format and sent to the attacker’s server.


Sifting through the framework’s components, BlackBerry discovered that their development likely started around mid-2022, with most of the plugins compiled throughout 2023. The core component of the framework, however, was compiled in March 2024, and keylogging capabilities were added in October.

APT41 is believed to have developed DeepData to be used in targeted attacks against entities in Southeast Asia, likely focusing on journalists, politicians, and political activists.

“Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering. Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access,” BlackBerry said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
