The China-linked APT actor behind the LightSpy iOS malware has expanded its toolset with a Windows-based surveillance framework, BlackBerry reports.
Focused on stealing information from the infected devices, LightSpy was initially detailed in 2020, when it was used in attacks against iPhone users in Hong Kong.
Multiple reports this year have shown that LightSpy’s operators have expanded their toolset to target Android and macOS, and have extended the malware’s capabilities, including by adding destructive modules.
Now, BlackBerry, which attributes the attacks to the notorious Chinese hacking group APT41 (also known as Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti), details another step in the evolution of the LightSpy campaign, which has been expanded to Windows systems as well.
With the addition of the DeepData surveillance framework for Windows and its 12 plugins specialized in information theft, the threat actor now has comprehensive cross-platform espionage capabilities, backed by a sophisticated command-and-control (C&C) infrastructure.
According to BlackBerry, APT41’s surveillance capabilities target communication platforms such as WhatsApp, Telegram, Signal, WeChat, Outlook, DingDing, and Feishu, as well as browsers, password managers, and a large amount of system and network data. The APT can also record audio to spy on victims.
DeepData, which is served from the threat actor’s C&C server inside a ZIP archive, has the same layout as LightSpy, consisting of a core module and multiple plugins that target various applications for information theft.
The audio recording capability is also packaged as a module, which uses the system’s microphone and the open source FFmpeg library to capture sound. Recordings are saved in the .acc format and sent to the attacker’s server.
Sifting through the framework’s components, BlackBerry discovered that their development likely started around mid-2022, with most of the plugins compiled throughout 2023. The core component of the framework, however, was compiled in March 2024, and keylogging capabilities were added in October.
APT41 is believed to have developed DeepData to be used in targeted attacks against entities in Southeast Asia, likely focusing on journalists, politicians, and political activists.
“Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering. Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access,” BlackBerry said.