InfoSecBulletin Cybersecurity for mankind
LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus and grow tensions in the region.
VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
F5 to acquire CalypsoAI for $180M for Advanced AI Security Capabilities
AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Attacks
CVE-2025-21043
Samsung Patched Critical Zero-Day Flaw Exploited in Android Attacks
Albania appoints world’s first AI minister, “Diella” to Tackle Corruption
Technical Details:
Infection vector:
Based on previous campaigns, initial infection likely occurs through compromised news websites carrying stories related to Hong Kong.
Weaponization:
The attack involves a first-stage implant that gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.
Execution Chain:
The Loader starts by loading the encrypted and then decrypted LightSpy kernel. LightSpy is an espionage framework with a plugin system. The Loader loads these plugins, which extend the main LightSpy implant. The plugins are securely retrieved from the threat actor’s server in an encrypted format, decrypted, and then executed in the system environment.
The latest LightSpy campaign utilizes a versatile framework known as “F_Warehouse.” This framework exhibits a wide range of capabilities, enabling it to:
Exfiltrate files: Systematically search and steal files from the compromised mobile device.
Record audio: Covertly capture audio through the device’s microphone.
Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
Track user activity: Harvest browsing history data to monitor online behavior.
Application inventory: Gather details about installed applications on the device.
Capture images: Secretly take pictures using the device’s camera.
Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
Device enumeration: Identify and list devices connected to the compromised system. To read the full report click here.
