LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign

BlackBerry found that the LightSpy campaign (attributed to APT41) evolved into a new modular Windows surveillance framework called DeepData, which uses 12 specialized plugins to harvest messages, credentials, system data, audio and more. The report also details expanded command-and-control infrastructure (new SSL certificates, web API endpoints and C2 hosts) and targeted long-term espionage against communications in Southeast Asia. #DeepData #LightSpy #APT41

Keypoints

  • DeepData is a modular Windows-based surveillance framework (v3.2.1228) with ~12 specialized plugins for message, credential and system data theft.
  • Plugins target a wide range of messaging and collaboration apps including WhatsApp, Telegram, Signal, WeChat, DingDing and Feishu.
  • Capabilities include browser credential theft, KeePass memory extraction (via KeeFarce libraries), audio recording, Wi‑Fi key harvesting, and a new Windows keylogger.
  • DeepData components were hosted and delivered from APT41-controlled C2 infrastructure with identifiable SSL certificates and API endpoints (e.g., cmd_list and qweasdzxc/api/).
  • Several samples and their hashes (Data.dll, Frame.exe, multiple plugin DLLs) and C2 IPs/URLs were enumerated as IoCs for detection and blocking.
  • Development accelerated from Oct 2023 through Mar–Apr 2024 with frequent component updates and expanded platform support.
  • Victimology and targeting point to Southeast Asia with likely interest in political activists, journalists and related organizations.

MITRE Techniques

  • [T1055.001] DLL Injection – Injects Telegram.dll into the Telegram for Windows process to copy chats and media (‘injects the Telegram.dll library into the Telegram for Windows process’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses web API endpoints for C2 communication such as the front-end API ‘cmd_list at the uri /ujmfanncy76211/front_api/cmd_list’.
  • [T1041] Exfiltration Over Command and Control Channel – Collected data and recordings are transmitted to attacker-controlled servers (‘sends the data to a server controlled by the threat actor’).
  • [T1555.003] Credentials from Web Browsers – WebBrowser.dll collects cookies, browsing history and passwords from Chrome, Firefox, Edge and Opera (‘collects sensitive user information such as cookies, browsing history, passwords’).
  • [T1555] Credentials from Password Stores – Pass.dll uses KeeFarce libraries to extract KeePass 2.x information from memory (‘allows the unauthorized extraction of KeePass 2.x password database information from memory’).
  • [T1123] Audio Capture – Audio.dll records microphone audio (uses FFmpeg to record AAC and uploads files) (‘record the audio environment with a microphone… records audio in Advanced audio Encoding (.aac) format’).
  • [T1056.001] Input Capture: Keylogging – C2 command list includes a new ‘Windows keylogger’ action indicating keystroke capture capability (‘“Windows Keylogger” is new as of the middle of October 2024’).
  • [T1082] System Information Discovery – SystemInfo.dll collects processes, user accounts, network connections, services and driver lists (‘collect information on the user’s system… information about the processes running on the system’).
  • [T1218.011] Signed Binary Proxy Execution: rundll32.exe – Readme indicates manual execution of plugins via rundll32.exe (‘use of the stealer with manual execution, via the file rundll32.exe’).
  • [T1027] Obfuscated/Encrypted Files – Data.dll decrypts mod.dat and loads DeepData, indicating file decryption/obfuscation (‘Data.dll decrypts mod.dat and loads an espionage tool we have named DeepData’).
  • [T1057] Process Discovery – Plugins enumerate and report running processes and program paths for reconnaissance (‘Information about the processes running on the system, including paths to the executable files running in the system’).

Indicators of Compromise

  • [File hashes] observed sample hashes – Data.dll SHA256 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724, Frame.exe SHA256 cf59cd171270ec9b…dda92, and many more hashes listed.
  • [File names] DeepData components – Data.dll, Frame.exe, Tdm.dll, ChatIndexedDb.dll, Audio.dll, WebBrowser.dll, Pass.dll, Telegram.dll, etc.
  • [IP addresses] C2 and plugin servers – 119[.]147[.]213[.]48 (plugin/C2 hosting, port 28992), 45[.]155[.]220[.]79 (LightSpy C2), and others listed as active C2s.
  • [Network URIs/Ports] plugin server endpoints – e.g., 119[.]147[.]213[.]48:28992/asdgdsfdsfasd/data[.]dll, 202[.]43[.]239[.]13:28992/asdgdsfdsfasd/SystemInfo[.]dll and similar paths used to host plugins.
  • [SSL certificate fingerprints] C2 certificates – LightSpy cert sha256 c0d4517e0727e9…24217c, admin[at]zb.com cert 2cede95138f60d…001a73, and https Project cert 4fd541e0c89926…c48ee.
  • [PDB paths] build artifacts in binaries – examples include D:CodeOtherWorkDeepDataHbindata.pdb and D:tmpWorkdeepdata-v2deepdatabinframe.pdb (useful for attribution/triage).
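The IoCs above are defanged and scattered across IPs, a port, URI fragments, plugin file names and one full hash. As an added example (not code from the BlackBerry report), the script below refangs those indicators and runs them over a few constructed proxy log lines in an assumed single-line format, reporting every reason a line matched so an analyst can weigh a weak signal (the hosting port alone) against a strong one (known host plus plugin path plus plugin file name). The truncated hashes in the summary are deliberately left out; only the complete Data.dll SHA256 is used.

```python
import re
from dataclasses import dataclass, field

# Indicators copied from the report summary above, kept defanged as written there.
DEFANGED_C2_HOSTS = ["119[.]147[.]213[.]48", "45[.]155[.]220[.]79", "202[.]43[.]239[.]13"]
PLUGIN_PORT = 28992                      # plugin hosting port named in the summary
URI_MARKERS = [
    "/asdgdsfdsfasd/",                   # plugin download directory
    "/ujmfanncy76211/front_api/cmd_list",  # front-end C2 API
    "qweasdzxc/api/",                    # second API endpoint named in the keypoints
]
PLUGIN_FILES = {"data.dll", "frame.exe", "tdm.dll", "chatindexeddb.dll", "audio.dll",
                "webbrowser.dll", "pass.dll", "telegram.dll", "systeminfo.dll"}
# Only the complete hash from the summary; the truncated ones are not usable for matching.
KNOWN_SAMPLE_SHA256 = {
    "666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724": "Data.dll",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("[at]", "@")


C2_HOSTS = {refang(h) for h in DEFANGED_C2_HOSTS}

# Assumed proxy log layout (constructed for this example, not a real product format):
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def check_line(line: str):
    """Return a Hit listing every indicator the line matched, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable lines are skipped, not flagged
    dst, port, url = m["dst"], int(m["port"]), m["url"]
    reasons = []
    if dst in C2_HOSTS:
        reasons.append(f"known C2/plugin host {dst}")
    if port == PLUGIN_PORT:
        # Weak on its own: any service may use this port. Meaningful with another reason.
        reasons.append(f"plugin hosting port {PLUGIN_PORT}")
    for marker in URI_MARKERS:
        if marker in url:
            reasons.append(f"known URI fragment {marker}")
    filename = url.rsplit("/", 1)[-1].lower()
    if filename in PLUGIN_FILES:
        reasons.append(f"DeepData component name {filename}")
    return Hit(line, reasons) if reasons else None


def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [h for h in map(check_line, lines) if h is not None]


def is_known_sample(sha256: str):
    """Look up a file hash against the complete hash from the summary."""
    return KNOWN_SAMPLE_SHA256.get(sha256.lower())


# Constructed sample log: two lines modelled on the plugin download and C2 API
# endpoints from the summary, one benign line, one malformed line.
SAMPLE_LOG = [
    "2024-04-02T10:15:01Z 10.0.0.12 119.147.213.48:28992 GET http://119.147.213.48:28992/asdgdsfdsfasd/data.dll 200",
    "2024-04-02T10:16:30Z 10.0.0.12 45.155.220.79:443 POST https://45.155.220.79/ujmfanncy76211/front_api/cmd_list 200",
    "2024-04-02T10:17:00Z 10.0.0.20 93.184.216.34:443 GET https://example.com/index.html 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.line)
        for r in hit.reasons:
            print("   -", r)
```

Matching on the full URL rather than just the host catches the case where the plugin directory is served from a host not yet on the list, while the per-reason output keeps a port-only match from being treated as a confirmed infection.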

Read more: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign