
LightSpy Spyware Targets macOS and Extracts Data from Telegram and Other Apps

The spyware accesses data from widely-used applications, along with personal documents and multimedia files.


Experts from ThreatFabric have discovered a macOS version of the advanced LightSpy spyware, which has been active since at least January 2024. The modular spyware, previously known for targeting iOS and Android devices, now extends its capabilities to macOS, raising significant security concerns for users of Apple's desktop operating system.

macOS Variant Still in Testing Phase

LightSpy primarily targets victims in the Asia-Pacific region. Current analysis suggests the macOS variant is still in a testing phase, with few infections observed, predominantly on devices used by security researchers. Initially, a 64-bit Mach-O binary disguised as a PNG file (“20004312341.png”) is deployed on the device. This file decrypts and runs embedded scripts to fetch the second-stage payload.
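A file named as an image but starting with an executable header can be caught by comparing the extension with the leading bytes. The following is an added example, not code from ThreatFabric's report or from this article: it flags files named *.png whose header is a Mach-O magic number. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# First four bytes on disk for thin Mach-O images (both byte orders) and fat binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
    b"\xbe\xba\xfe\xca": "Mach-O universal (fat, swapped)",
}

def classify_png(path):
    """Return 'png', a Mach-O description, or 'unknown' for a file named *.png."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == PNG_SIGNATURE:
        return "png"
    return MACHO_MAGICS.get(head[:4], "unknown")

def find_disguised_executables(root):
    """Walk root and list (path, kind) for *.png files whose header is Mach-O."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(dirpath, name)
            kind = classify_png(path)
            if kind.startswith("Mach-O"):
                hits.append((path, kind))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample data: a real PNG header and a Mach-O header named .png."""
    root = tempfile.mkdtemp(prefix="png_check_")
    with open(os.path.join(root, "photo.png"), "wb") as fh:
        fh.write(PNG_SIGNATURE + b"\x00" * 16)
    with open(os.path.join(root, "sample_dropper.png"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit Mach-O magic only
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe")  # not named .png, so out of scope here
    return root

if __name__ == "__main__":
    for path, kind in find_disguised_executables(build_sample_tree()):
        print(f"{path}: {kind}")
```

The check reads only the first eight bytes of each file, so it is cheap enough to run over download and temporary directories.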

On March 21, 2024, researchers stumbled upon a misconfiguration within the control panel of the spyware. The control panel content appeared on VirusTotal as a background web page. A day later, the panel URL linked to Android LightSpy was also discovered on VirusTotal. An error in the control panel coding led to a brief authenticated view display without proper authorization, providing researchers with insights into victim profiles and data exfiltration activities.

The newly identified macOS version of LightSpy exploits two known vulnerabilities, CVE-2018-4233 and CVE-2018-4404, found in WebKit. These security weaknesses compromise macOS 10.13.3 and earlier iOS versions. Infection occurs through malicious URLs containing the digits “96382741”, which have been uploaded to VirusTotal starting January 11, 2024. Upon visiting these URLs, users encounter HTML and JavaScript files manipulated to exploit Safari's WebKit vulnerabilities, allowing the execution of arbitrary code.

Capabilities and Deployment

Equipped with ten different plugins, LightSpy for macOS can extract sensitive information from compromised devices. This includes data from widely-used applications like Telegram, QQ, and WeChat, along with personal documents and multimedia files. The spyware can also record audio, take photos using the device's camera, and gather extensive information such as browser history, WiFi networks, and details of installed applications. In addition, it can access KeyChain data, device lists, and execute shell commands, thereby potentially gaining full control over the device.

The second-stage payload includes a privilege escalation exploit named “ssudo,” an encryption/decryption tool named “ddss,” and a ZIP archive “mac.zip” containing the executables “update” and “update.plist.” These components decrypt and unpack to gain root access and establish persistence by configuring the “update” binary to execute at startup.

Identified as “macircloader,” this component downloads, decrypts, and runs LightSpy Core, which manages plugins and communication with the command and control (C2) server. LightSpy Core can execute shell commands, update network settings, and set an operational schedule to avoid detection.

The report from ThreatFabric reveals panel access that suggests the existence of implants for Windows, Linux, and routers, although their deployment in actual attacks remains uncertain. Some aspects of the LightSpy framework remain unclear, with no confirmed implants for Linux and routers or their specific delivery methods. However, potential functionalities are inferred from panel analysis.

Markus Kasanmascheff