A macOS version of the LightSpy surveillance framework has been discovered, marking its expansion beyond Android and iOS. LightSpy is a modular surveillance tool used to steal a wide range of data, including files, screenshots, location data, voice recordings, payment information, and data from messaging apps like Telegram and QQ Messenger. This framework has primarily targeted individuals in the Asia–Pacific region.
According to a report by ThreatFabric, the macOS implant has been active since at least January 2024. The implant’s operation seems to be limited to testing environments and a few infected machines used by cybersecurity researchers. Researchers gained insights into LightSpy’s functionality and infrastructure by exploiting a misconfiguration that allowed unauthorized access to the framework’s control panel.
The attackers use WebKit flaws CVE-2018-4233 and CVE-2018-4404 to execute code within Safari on macOS 10.13.3 and earlier versions. The initial payload is a disguised PNG image file that decrypts and executes scripts to fetch further stages, ultimately gaining root access and establishing persistence on the device. The main component, “macircloader,” downloads and executes LightSpy Core, which manages plugins and communicates with the command and control server.
LightSpy’s macOS version uses ten plugins, including sound recording, browser data extraction, camera access, file management, keychain retrieval, local network device identification, application listing, screen recording, shell command execution, and Wi-Fi data collection. ThreatFabric’s report also indicated the existence of implants for Windows, Linux, and routers, although their usage in attacks remains unclear. Despite these findings, some aspects of the LightSpy framework remain unknown.
