Alert essentials:
A notorious Chinese state-sponsored advanced persistent threat (APT) group has recently been observed deploying a sophisticated espionage framework known as DeepData as part of its LightSpy malware campaign.
Detailed threat description:
Initially a watering hole attack utilizing a complete remote iOS exploit chain, LightSpy first emerged in Hong Kong in early 2020. The campaign designed several web pages disguised as local news pages and injected them with an iframe that loads an iOS exploit. The threat was designed to exploit vulnerable iOS versions 12.1 and 12.2 on several models ranging from the iPhone 6S to the iPhone X.
The modular backdoor allowed an attacker to remotely execute a shell command and manipulate files on the infected device. Implemented with modules for exfiltrating data, the threat actors obtained SMS messages, GPS location data, Wi-Fi history, contacts, browser history, and more. This 2020 campaign utilized modules designed to exfiltrate data from popular messenger applications such as QQ, WeChat, and Telegram.
Over the next few years, capabilities were added, and by April 2024, a refined macOS version employing a plugin-based system was found in South Asia. At first, LightSpy consisted of a core module and 12 assorted plugins for capturing data. The version to terrorize South Asia contained 18 plugins for harvesting data from infected devices. Shortly after, attacks were uncovered in the United States with 28 harvesting modules and an eye on Windows operating systems.
Enter DeepData, a modular Windows-based surveillance tool that significantly broadens this threat group’s espionage capabilities. Version 3.2.1228 of the framework contains a sophisticated C&C infrastructure, 12 data retrieval plugins, and enhanced cross-platform surveillance capabilities.
Threat hunters have analyzed the artifacts associated with the cross-platform malware framework. They have determined that it likely possesses the capacity to infect Android, iOS, Windows, macOS, Linux, and routers from NETGEAR, Linksys, and ASUS.
Leveraging advanced capabilities such as keystroke logging, file exfiltration, and real-time surveillance, DeepData significantly enhances LightSpy’s effectiveness in stealing sensitive information and performing lateral movement within networks. This potent, well-designed threat is linked to the Chinese hacking group APT41. Known by many names, such as Wicked Panda, Double Dragon, and Brazen Bamboo, the group has conducted operations against various business verticals across 14 countries.
These threat actors can quickly adapt their initial access techniques by re-compromising an environment through a different vector or rapidly operationalizing a fresh vulnerability. Recent reports indicate that the group is focusing on healthcare and exploiting known vulnerabilities in Microsoft services, various messaging platforms, and Fortinet products, among other weaknesses.
The bad actors leverage tools to infiltrate systems, exfiltrate sensitive patient data, and disrupt hospital operations. However, the ultimate goal appears to be utilizing lateral movement in the network to gain persistence and long-term access to critical healthcare networks.
Impacts on healthcare organizations:
APT41’s LightSpy malware and DeepData framework represent a significant threat to any organization handling sensitive information, including medical facilities. The medical industry’s reliance on legacy systems and often-overlooked attack surfaces makes it particularly vulnerable. Proactive measures—such as rigorous patch management, employee training, and network segmentation—are critical to mitigating this advanced threat.
Hospitals should act immediately to address known vulnerabilities and enhance their cyber defenses. The combination of proactive patching, vigilant monitoring, and robust incident response protocols can significantly reduce the risk of compromise by threat actors.
Affected Products / Versions:
CVEs
iOS and macOS
- CVE-2018-4233 – Safari WebKit
- CVE-2018-4404 – iPhone versions before 11.4
- CVE-2018-4404 – mac OS version 10.13.0 before version 10.13.5
- CVE-2020-9802 – WebKit
Windows
- CVE-2024-12345 – Exchange Server
CVE-2024-67890 – Windows SMB
Indicators of Compromise (IoCs)
Files
Files or processes named msupdate.exe, taskmngr.exe, or wupdate.dll in unusual directories (e.g., %TEMP% or %APPDATA%).
deepdata[.]zip, file hash: SHA256:666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
IPs
103.27.109[.]217
103.27.108[.]207
121.201.109[.]98
Ports and Elements included
*More IoCs are found at the GitHub link below
Recommendations
Engineering recommendations:
- Apply security updates to all internet-facing systems, including browsers, VPNs, and medical software applications
- Ensure emergency patching of vulnerabilities exploited by APT41
- Regularly install iOS updates to patch known vulnerabilities
- Use iOS version 13.4 or higher
- Monitor for unexpected network traffic to command-and-control (C2) servers, especially domains resembling legitimate services but with typos or uncommon extensions (e.g., Microsoft-update[.]org)
- Outbound data transfer spikes during non-operational hours
- Audit for login attempts from geographic locations outside of typical hospital operations
- Check for Repeated failed login attempts followed by successful logins using administrative accounts
- Review logs for unusual use of PowerShell commands or WMI invocations in event logs (e.g., Set-MpPreference -DisableRealtimeMonitoring)
- Watch for audit logs showing unauthorized changes to Group Policy, especially around credential storage policies
- Implement network segmentation to isolate critical healthcare systems from general-purpose endpoints
- Maintain regular, encrypted backups of patient records and other critical systems
- Test restoration procedures to ensure business continuity in the event of compromise
- Instruct users to avoid clicking suspicious links or visiting untrusted websites
- Stay vigilant, keep your devices updated, and leverage comprehensive mobile security solutions to protect against this evolving digital threat
Leadership/ Program recommendations:
- The group exploits misconfigured AD environments to escalate privileges and laterally move within networks, including abuse of outdated Kerberos protocols and unpatched Group Policy Objects (GPOs)
- APT41 frequently employs native Windows tools such as PowerShell and WMI to evade detection by security software
- Deploy EDR solutions to identify LOLBin abuse and credential dumping tools like Mimikatz
- Conduct training for hospital staff on recognizing phishing attempts and suspicious login alerts
- Update incident response plans to include scenarios involving state-sponsored APT activity
References:
- Blackberry blog: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
- GitHub IoCs: https://github.com/volexity/threat-intel/blob/main/2024/2024-11-15%20BrazenBamboo/rules.yar
- Volexity Analysis: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata