Chinese cyberespionage group APT41, also known as Wicked Panda, has been using a surveillance toolkit called LightSpy to target victims in the Asia-Pacific region since 2018.
Researchers at ThreatFabric discovered that APT41 used spam messages to distribute a malicious WeChat application from third-party app stores. This application served as a delivery mechanism for the LightSpy surveillance malware, which is compatible with both iOS and Android devices. LightSpy is capable of exfiltrating sensitive data, including precise location, payment information, call recordings, and chat archives.
Unlike many threat actors, APT41 has a history of employing a range of surveillance malware, and it has recently shifted its focus to developing malware built specifically for mobile operating systems. Researchers have linked APT41 to both the LightSpy and DragonEgg surveillance malware families. These tools share a similar structure and configuration pattern, which lets the operators add dynamically updatable modules supporting multiple functions.
APT41 used a malicious version of WeChat to gain broad access permissions on targeted devices and used LightSpy to exfiltrate internal private information, such as communication archives, contacts, and stored files.
This threat group, which operates active servers in China, Singapore, and Russia, poses a significant risk to its victims, who are primarily located in the Asia-Pacific region. Using messaging apps as carriers for malicious code makes these attacks highly dangerous and difficult to detect, especially when superuser privileges are not available on the targeted device to inspect it.
To defend against such threats, organizations are urged to remain vigilant, apply security updates, and employ robust cybersecurity measures to protect their networks and devices.