InfoSecBulletin Cybersecurity for mankind
LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus and grow tensions in the region.
VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.
First couple “Rosie” to conceive using AI tech “STAR” successfully
Scattered Spider Actively Attacking Aviation and Transportation: FBI
Russia’s restrictions on Cloudflare making websites inaccessible
61 million Verizon records allegedly posted online for sale
Cyber Expert ‘Rene Joshilda’ Arrested for Bomb Hoaxes
Critical RCE Flaws in Cisco ISE and ISE-PIC Allow to Gain Root Access
CISA Warns of FortiOS Hard-Coded Credentials Vulns
5 vendors’ printer totaling 748 models affected: Rapid7
Citrix Released Emergency Patches for Actively Exploited CVE-2025-6543
SonicWall warns of a trojanized NetExtender stealing VPN logins
Technical Details:
Infection vector:
Based on previous campaigns, initial infection likely occurs through compromised news websites carrying stories related to Hong Kong.
Weaponization:
The attack involves a first-stage implant that gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.
Execution Chain:
The Loader starts by loading the encrypted and then decrypted LightSpy kernel. LightSpy is an espionage framework with a plugin system. The Loader loads these plugins, which extend the main LightSpy implant. The plugins are securely retrieved from the threat actor’s server in an encrypted format, decrypted, and then executed in the system environment.
The latest LightSpy campaign utilizes a versatile framework known as “F_Warehouse.” This framework exhibits a wide range of capabilities, enabling it to:
Exfiltrate files: Systematically search and steal files from the compromised mobile device.
Record audio: Covertly capture audio through the device’s microphone.
Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
Track user activity: Harvest browsing history data to monitor online behavior.
Application inventory: Gather details about installed applications on the device.
Capture images: Secretly take pictures using the device’s camera.
Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
Device enumeration: Identify and list devices connected to the compromised system. To read the full report click here.
