{"description": "Mobile techniques used by LightSpy, ATT&CK software S1185 (v1.0)", "name": "LightSpy (S1185)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has used both HTTPS and Websockets to communicate with the C2.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1532", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) collects and compresses data to be exfiltrated using SSZipArchive.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has captured environment audio, phone calls and Voice over IP (VoIP) calls.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1398", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has established auto-start execution during the system boot process.(Citation: Threatfabric LightSpy 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1623", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has plugins for executing shell commands either from the C2 server or a library file called `zt.dylib`.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1634", 
"showSubtechniques": true}, {"techniqueID": "T1634.001", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s KeyChain data.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1662", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has deleted media files and messenger-related files on the device.(Citation: Threatfabric LightSpy 2024) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and WhatsApp.(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and WhatsApp, and browser history from Chrome and Safari.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1456", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. Upon loading `index.html`, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a `.png` extension.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1642", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has used the DeleteSpring plugin to render the device\u2019s user interface inoperable by disabling SpringBoard, which is iOS's home screen manager.(Citation: LinkedIn Dmitry LightSpy 2025) [LightSpy](https://attack.mitre.org/software/S1185) has used the BootDestroy plugin to prevent the victim device from booting by modifying the NVRAM parameter `auto-boot` to `false`.(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has renamed the Wi-Fi daemon to disable wireless connectivity.(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has exfiltrated collected data to the C2.(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1658", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.(Citation: Shoshin_Kaspersky LightSpy 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1404", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) uses the embedded `time_waste` function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a `.dylib` into the `SpringBoard` process, allowing persistent access to audio and video capture.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1544", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has retrieved files from the C2 server.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024) Examples of files from the C2 are `amfidebilitate` (jailbreak component), `jbexec` (executable to verify jailbreak), `bb` (FrameworkLoader), `cc` (launchctl binary for persistence), `b.plist` (configuration for auto-start), and `resources.zip`, which contains additional jailbreak-related components.(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1430", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s GPS location.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has masqueraded a Mach-O executable as a png file.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1575", "comment": "[LightSpy](https://attack.mitre.org/software/S1185)'s main executable and modules use native libraries to execute targeted functionality.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1423", "comment": 
"[LightSpy](https://attack.mitre.org/software/S1185) uses the `landevices` module to enumerate devices on the same WiFi network through active scanning.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1509", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.(Citation: Threatfabric LightSpy 2023) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "Using an XOR-chain algorithm, [LightSpy](https://attack.mitre.org/software/S1185) decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key `3e2717e8b3873b29`.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185)\u2019s plugins have been encrypted during transmission.(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1660", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has delivered malicious links through Telegram channels and Instagram posts.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1424", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of running processes.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1631", "comment": 
"[LightSpy](https://attack.mitre.org/software/S1185) injects libcynject.dylib into the SpringBoard process to enable audio/video recording.(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s call log.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s contact list.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed SMS messages.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has a plugin that can take screenshots.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has sent and deleted SMS messages.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed a list of installed applications.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has collected payment history from WeChat Pay.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: LinkedIn Dmitry LightSpy 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has collected device information such as IMEI, phone number, MAC address and IP address.(Citation: LinkedIn Dmitry LightSpy 2025) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1422.002", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) uses the WifiList (or `libWifiList`) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1421", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1512", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) has the ability to take one picture, continuous pictures or event-related pictures using the device\u2019s camera.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) For iOS devices, the default file type for pictures is in High Efficiency Image Format (HEIC); for Android devices, the default file type for pictures is in JPEG format. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LightSpy", "color": "#66b1ff"}]}