Now, according to Dutch mobile security firm ThreatFabric, the attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core.
Further analysis of the artifacts has revealed that the implant has been actively maintained since at least December 11, 2018, with the latest version released on July 13, 2023.
The core module of LightSpy (i.e., DragonEgg) functions as an orchestrator plugin responsible for gathering the device fingerprint, establishing contact with a remote server, awaiting further instructions, and updating itself as well as the plugins.
"LightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware using the updatable configuration," ThreatFabric said, noting that WebSocket is used for command delivery and HTTPS is used for data exfiltration.
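The split the article describes, a WebSocket channel for tasking and HTTPS for exfiltration, is something a defender can hunt for in egress proxy logs without any implant-specific indicators. The following is an added example, not code from ThreatFabric or from the article: it pairs a WebSocket upgrade from a client with large outbound HTTPS POSTs to the same destination shortly afterwards. The log format, the sample lines, the host names, and the assumption that both channels share a destination are all constructed for illustration; the page does not say LightSpy uses one host for both.

```python
"""Flag clients that open a WebSocket session and then push large uploads
over HTTPS to the same destination (heuristic for a command/exfil split).

Assumptions of this example, not facts from the article:
  * log lines are "timestamp client dest method bytes_out extra"
  * the WebSocket command channel and the HTTPS upload channel share a host
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample proxy log, not real LightSpy traffic.
SAMPLE_LOG = """\
2023-07-13T10:00:01Z 10.0.0.5 api.example-c2.test GET 412 upgrade=websocket
2023-07-13T10:00:05Z 10.0.0.5 api.example-c2.test POST 1048576 -
2023-07-13T10:00:09Z 10.0.0.5 api.example-c2.test POST 2097152 -
2023-07-13T10:01:00Z 10.0.0.5 cdn.example.test GET 300 -
2023-07-13T10:02:00Z 10.0.0.7 chat.example.test GET 400 upgrade=websocket
2023-07-13T10:02:30Z 10.0.0.7 chat.example.test POST 2048 -
2023-07-13T10:05:00Z 10.0.0.9 files.example.test POST 5242880 -
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    dest: str
    method: str
    bytes_out: int
    websocket: bool  # request carried an HTTP Upgrade to WebSocket


def parse_log(text: str) -> list[Event]:
    """Parse the hypothetical six-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, method, size, extra = line.split()
        events.append(
            Event(
                ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                client=client,
                dest=dest,
                method=method,
                bytes_out=int(size),
                websocket=(extra == "upgrade=websocket"),
            )
        )
    return events


def find_c2_exfil_pairs(
    events: list[Event],
    window: timedelta = timedelta(minutes=10),
    min_bytes: int = 1_000_000,
) -> list[tuple[str, str, int]]:
    """Return (client, dest, bytes_uploaded) for client/destination pairs
    where a WebSocket upgrade was followed, within `window`, by HTTPS POSTs
    totalling at least `min_bytes`."""
    # Earliest WebSocket upgrade per (client, dest); later upgrades are ignored.
    upgrades: dict[tuple[str, str], datetime] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.websocket:
            upgrades.setdefault((e.client, e.dest), e.ts)

    # Sum POST bodies sent to the same destination after the upgrade.
    uploaded: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        key = (e.client, e.dest)
        start = upgrades.get(key)
        if start is None or e.method != "POST":
            continue
        if start <= e.ts <= start + window:
            uploaded[key] += e.bytes_out

    return sorted(
        (client, dest, total)
        for (client, dest), total in uploaded.items()
        if total >= min_bytes
    )


if __name__ == "__main__":
    for client, dest, total in find_c2_exfil_pairs(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {dest}: websocket session + {total} bytes uploaded")
```

In the sample, only 10.0.0.5 is flagged: it upgrades to WebSocket and then uploads about 3 MB to the same host. The 10.0.0.7 chat session is a legitimate-looking WebSocket client with negligible uploads, and 10.0.0.9 uploads a lot but never opens a WebSocket, so neither trips the heuristic. Tune `window` and `min_bytes` to your environment, and treat hits as leads for triage rather than verdicts, since ordinary chat and sync clients also mix WebSocket with HTTPS uploads.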