South Asian iPhone Users Targeted by Chinese-Linked LightSpy iOS Spyware

Image Credit by Pixabay

VTA-004481 – South Asian iPhone Users Targeted by Chinese-Linked Lightspy iOS Spyware

Cybersecurity experts have identified a “renewed” cyber espionage effort directed at users in South Asia, designed to distribute a spyware implant called LightSpy for Apple iOS devices. The newest version of LightSpy, known as ‘F_Warehouse,’ features a modular framework with a wide range of spying capabilities. Evidence indicates that the campaign might have focused on India, as suggested by VirusTotal submissions originating from within the country. LightSpy is an advanced iOS backdoor distributed through watering hole attacks, often using compromised news websites. In October 2023, a researcher’s analysis revealed infrastructure and functional similarities between the LightSpy malware and an Android spyware called DragonEgg, associated with the Chinese nation-state group APT41 (also known as Winnti). The initial method of intrusion is currently unknown, but it is suspected to occur through breached news websites regularly visited by the targets. The attack begins with a first-stage loader, which serves as a platform for deploying the main LightSpy backdoor and its various plugins fetched from a remote server to carry out data collection tasks. LightSpy is a comprehensive and modular tool that enables threat actors to collect sensitive information. This includes harvesting contacts, SMS messages, precise location data, and even recording sound during VoIP calls. An in-depth analysis of the implant’s source code indicates the likely involvement of native Chinese speakers, hinting at the possibility of state-sponsored activity. Additionally, LightSpy communicates with a server located at, which also hosts an administrator panel displaying error messages in Chinese when incorrect login credentials are entered. These developments coincide with Apple’s announcement that it has sent out threat notifications to users in 92 countries, including India, warning them of potential targeting by mercenary spyware attacks.


Attack Surfaces:
Messaging, Mobile Application, Mobile OS, Others


Command and Control, Credential Access, Execution, Initial Access, Reconnaissance

T1189 – Drive-by Compromise,
T1123 – Audio Capture,
T1003 – OS Credential Dumping,
T1059 – Command and Scripting Interpreter

Indicator of Compromise:


SuperPRO’s Threat Countermeasures Procedures: 
1. Always keep iOS devices updated with the latest patch.
2. Avoid clicking on suspicious links or applications.
3. Enable multi-factor authentication on personal accounts.
4. Run trusted security solution for additional protection.
5. Seek help from professional if devices is suspected compromised.

Contributed by: Varrumen