{
	"id": "a489e848-bf1b-488a-b72b-deee91c9ff67",
	"created_at": "2026-04-06T00:08:49.207591Z",
	"updated_at": "2026-04-10T03:37:01.098994Z",
	"deleted_at": null,
	"sha1_hash": "8463590cb5e4abc7c439e021b6397ec82003dd53",
	"title": "Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2349864,
	"plain_text": "Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit\r\nBy Google Threat Intelligence Group\r\nPublished: 2026-03-03 · Archived: 2026-04-02 11:53:45 UTC\r\nIntroduction \r\nGoogle Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone\r\nmodels running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).\r\nThe exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23\r\nexploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the\r\nmost advanced ones using non-public exploitation techniques and mitigation bypasses. \r\nThe Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Over the course of\r\n2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance\r\nvendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected\r\nRussian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale\r\ncampaigns by UNC6691, a financially motivated threat actor operating from China. How this proliferation\r\noccurred is unclear, but suggests an active market for \"second hand\" zero-day exploits. Beyond these identified\r\nexploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and\r\nmodified with newly identified vulnerabilities.\r\nFollowing our disclosure policy, we are sharing our research to raise awareness and advance security across the\r\nindustry. We have also added all identified websites and domains to Safe Browsing to safeguard users from further\r\nexploitation. The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly\r\nurged to update their devices to the latest version of iOS. 
In instances where an update is not possible, it is\r\nrecommended that Lockdown Mode be enabled for enhanced security.\r\nDiscovery Timeline\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit?linkId=59478481\r\nPage 1 of 19\n\nFigure 1: Coruna iOS exploit kit timeline\r\nInitial Discovery: The Commercial Surveillance Vendor Role\r\nIn February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company. The\r\nexploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript\r\nobfuscation techniques.\r\n[16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x =\u003e {return String.fromCharCode(x ^ 101);}).join(\"\")\r\ni.p1=(1111970405 ^ 1111966034);\r\nThe JavaScript framework used these constructs to encode strings and integers.\r\nThe framework starts a fingerprinting module collecting a variety of data points to determine if the device is real\r\nand what specific iPhone model and iOS software version it is running. Based on the collected data, it loads the\r\nappropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC)\r\nbypass, as seen in Figure 2 from the deobfuscated JavaScript.\r\nFigure 2: Deobfuscated JavaScript of the Coruna exploit kit\r\nAt that time, we recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in\r\niOS 17.3 without crediting any external researchers. 
Figure 3 shows the beginning of the RCE exploit exactly as\r\nit was delivered in the wild, with our annotations.\r\nFigure 3: How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild\r\nGovernment-Backed Attacker Usage\r\nIn summer 2025, we noticed the same JavaScript framework hosted on cdn.uacounter[.]com, a website loaded as a\r\nhidden iFrame on many compromised Ukrainian websites, ranging from industrial equipment and retail tools to\r\nlocal services and ecommerce websites. The framework was only delivered to selected iPhone users from a\r\nspecific geolocation.\r\nThe framework was identical and delivered the same set of exploits. We collected WebKit RCEs, which included\r\nCVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, before the server was shut down. We alerted and\r\nworked with CERT-UA to clean up all compromised websites.\r\nFull Exploit Chain Collection From Chinese Scam Websites\r\nAt the end of the year, we identified the JavaScript framework on a very large set of fake Chinese websites mostly\r\nrelated to finance, dropping the exact same iOS exploit kit. The websites tried to convince users to visit the\r\nwebsites with iOS devices, as seen in Figure 4, taken from a fake WEEX crypto exchange website.\r\nFigure 4: Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits\r\nUpon accessing these websites via an iOS device and regardless of their geolocation, a hidden iFrame is injected,\r\ndelivering the exploit kit. As an example, Figure 5 shows the same CVE-2024-23222 exploit as it was found on\r\n3v5w1km5gv[.]xyz.\r\nFigure 5: Screenshot of CVE-2024-23222 exploit recovered from a scam site\r\nWe retrieved all the obfuscated exploits, including ending payloads. 
Upon further analysis, we noticed an instance\r\nwhere the actor deployed the debug version of the exploit kit, leaving all of the exploits in the clear, including\r\ntheir internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total,\r\nwe collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target\r\nvarious iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in\r\nDecember 2023).\r\nIn the subsequent sections, we will provide a quick description of the framework, a breakdown of the exploit\r\nchains, and the associated implants we have captured. Our analysis of the collected data is ongoing, and we\r\nanticipate publishing additional technical specifications via new blog entries or root cause analyses (RCAs).\r\nThe Coruna Exploit Kit\r\nThe framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected\r\nnaturally and combined using common utility and exploitation frameworks. The kit performs the\r\nfollowing unique actions:\r\nBailing out if the device is in Lockdown Mode, or the user is in private browsing.\r\nA unique and hard-coded cookie is used along the way to generate resource URLs.\r\nResources are referred to by a hash, which needs to be derived with the unique cookie using\r\nsha256(COOKIE + ID)[:40] to get their URL.\r\nRCE and PAC bypasses are delivered unencrypted.\r\nThe kit contains a binary loader to load the appropriate exploit chain post RCE within WebKit. 
In this case, binary\r\npayloads:\r\nHave unique metadata indicating what they really are, and which chips and iOS versions they support.\r\nAre served from URLs that end with .min.js.\r\nAre encrypted using ChaCha20 with a unique key per blob.\r\nAre packaged in a custom file format starting with 0xf00dbeef as header.\r\nAre compressed with the Lempel–Ziv–Welch (LZW) algorithm.\r\nFigure 6 shows what an infection of an iPhone XR running iOS 15.8.5 looks like from a networking point of view,\r\nwith our annotation of the different parts when browsing one of these fake financial websites.\r\nFigure 6: Coruna exploit chain delivered on iOS 15.8.5\r\nThe Exploits and Their Code Names\r\nThe core technical value of this exploit kit lies in its comprehensive collection of iOS exploits. The exploits\r\nfeature extensive documentation, including docstrings and comments authored in native English. The most\r\nadvanced ones use non-public exploitation techniques and mitigation bypasses. The following table provides\r\na summary of our ongoing analysis regarding the various exploit chains; however, as the full investigation is still\r\nin progress, certain CVE associations may be subject to revision. There are in total 23 exploits covering versions\r\nfrom iOS 13 to iOS 17.2.1.\r\nType | Codename | Targeted versions (inclusive) | Fixed version | CVE\r\nWebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952\r\nWebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503\r\nWebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE\r\nWebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000\r\nWebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222\r\nWebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE\r\nWebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE\r\nWebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE\r\nWebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE\r\nWebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE\r\nWebContent sandbox escape | IronLoader | 16.0 → 16.3.1; 16.4.0 (\u003c= A12) | 15.7.8, 16.5 | CVE-2023-32409\r\nWebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE\r\nPE | Neutron | 13.X | 14.2 | CVE-2020-27932\r\nPE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950\r\nPE | Pendulum | 14 → 14.4.x | 14.7 | No CVE\r\nPE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434\r\nPE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974\r\nPE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE\r\nPPL Bypass | Quark | 13.X | 14.5 | No CVE\r\nPPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606\r\nPPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE\r\nPPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225\r\nPPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296\r\nTable 1: Mapping of CVEs to exploit code names\r\nPhoton and Gallium exploit vulnerabilities that were also used as zero-days as part of Operation\r\nTriangulation, discovered by Kaspersky in 2023. The Coruna exploit kit also embeds reusable modules to ease the\r\nexploitation of the aforementioned vulnerabilities. For example, there is a module called rwx_allocator using\r\nmultiple techniques to bypass various mitigations preventing allocation of RWX memory pages in userland. 
The\r\nkernel exploits also embed various internal modules allowing them to bypass kernel-based mitigations\r\nsuch as kernel-mode PAC.\r\nThe Ending Payload\r\nAt the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID),\r\nusing com.apple.assistd as an identifier, facilitates communication with the kernel component established by the\r\nexploit. The loader injects itself into powerd, a daemon running as root on iOS.\r\nThe injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor,\r\nbut instead steals financial information. The payload can decode QR codes from images on disk. It also has a\r\nmodule to analyze blobs of text to look for BIP39 word sequences or very specific keywords like “backup phrase”\r\nor “bank account.” If such text is found in Apple Memos it will be sent back to the C2.\r\nMore importantly, the payload has the ability to collect and run additional modules remotely, with the\r\nconfiguration retrieved from http://\u003cC2 URL\u003e/details/show.html. The configuration, as well as the additional\r\nmodules, are compressed as 7-ZIP archives protected with a unique hard-coded password. 
The configuration is\r\nencoded in JSON and simply contains a list of module names with their respective URL, hash and size.\r\n{\r\n  \"entries\": [\r\n    {\r\n      \"bundleId\": \"com.bitkeep.os\",\r\n      \"url\": \"http://\u003cC2URL\u003e/details/f6lib.js\",\r\n      \"sha256\": \"6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c\",\r\n      \"size\": 256832,\r\n      \"flags\": {\r\n        \"do_not_close_after_run\": true\r\n      }\r\n    }\r\n    ...\r\n  ]\r\n}\r\nAs expected, most of the identified modules exhibit a uniform design; they all place function hooks for the\r\npurpose of exfiltrating cryptocurrency wallets or sensitive information from the following applications:\r\ncom.bitkeep.os\r\ncom.bitpie.wallet\r\ncoin98.crypto.finance.insights\r\norg.toshi.distribution\r\nexodus-movement.exodus\r\nim.token.app\r\ncom.kyrd.krystal.ios\r\nio.metamask.MetaMask\r\norg.mytonwallet.app\r\napp.phantom\r\ncom.skymavis.Genesis\r\ncom.solflare.mobile\r\ncom.global.wallet.ios\r\ncom.tonhub.app\r\ncom.jbig.tonkeeper\r\ncom.tronlink.hdwallet\r\ncom.sixdays.trust\r\ncom.uniswap.mobile\r\nAll of these modules contain proper logging with sentences written in Chinese:\r\n\u003cPlasmaLogger\u003e %s[%d]: CorePayload 管理器初始化成功，尝试启动...\r\nThis log string indicates that the CorePayload Manager initialized successfully.\r\nSome comments, such as the following one, also include emojis and are written in a way suggesting they might be\r\nLLM-generated.\r\n\u003cPlasmaLogger\u003e %s[%d]: [PLCoreHeartbeatMonitor] ✅ 心跳监控已启动 (端口=0x%x)，等待 CorePayload 发送第一个心跳\r\nNetwork communication is done over HTTPS; the collected data is encrypted with AES, using the\r\nSHA256 hash of a static string as the key, and sent via HTTP POST. Some of the HTTP requests contain additional HTTP headers such as\r\nsdkv or x-ts, followed by a timestamp. 
The implant contains a list of hard-coded C2s but has a fallback\r\nmechanism in case the servers do not respond. The implant embeds a custom domain generation algorithm (DGA)\r\nusing the string “lazarus” as seed to generate a list of predictable domains. The domains will have 15 characters\r\nand use .xyz as TLD. The attackers use Google's public DNS resolver to validate if the domains are active.\r\nConclusion\r\nGoogle has been a committed participant in the Pall Mall Process, designed to build consensus and progress\r\ntoward limiting the harms from the spyware industry. Together, we are focused on developing international norms\r\nand frameworks to limit the misuse of these powerful technologies and protect human rights around the world.\r\nThese efforts are built on earlier governmental actions, including steps taken by the US Government to limit\r\ngovernment use of spyware, and a first-of-its-kind international commitment to similar efforts.\r\nAcknowledgements\r\nWe would like to acknowledge and thank Google Project-Zero and Apple Security Engineering \u0026 Architecture\r\nteam for their partnership throughout this investigation.\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying activity outlined in this blog post, we have included\r\nIOCs in a free GTI Collection for registered users.\r\nFile Indicators\r\nHashes of the implant and its modules delivered from the crypto-related websites.\r\nImplant\r\nbundleId SHA-256\r\ncom.apple.assistd 2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a\r\nModules\r\nNetwork Indicators\r\nUNC6353 Indicators\r\nURL delivering Coruna exploit kit\r\nhttp://cdn[.]uacounter[.]com/stat[.]html\r\nUNC6691 Indicators\r\nURLs delivering Coruna exploit kit\r\nPLASMAGRID C2 domains\r\nYARA Rules\r\nrule G_Hunting_Exploit_MapJoinEncoder_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $s1 = /\\[[^\\]]+\\]\\.map\\(\\w\\s*=\u003e.{0,15}String\\.fromCharCode\\(\\w\\s*\\^\\s*(\\d+)\\).{0,15}\\.join\\(\"\"/\r\n        $fp1 = \"bot|googlebot|crawler|spider|robot|crawling\"\r\n    condition:\r\n        1 of ($s*) and not any of ($fp*)\r\n}\r\nrule G_Backdoor_PLASMAGRID_Strings_1 {\r\n    meta:\r\n        author = \"Google Threat Intelligence Group (GTIG)\"\r\n    strings:\r\n        $ = \"com.plasma.appruntime.appdiscovery\"\r\n        $ = \"com.plasma.appruntime.downloadmanager\"\r\n        $ = \"com.plasma.appruntime.hotupdatemanager\"\r\n        $ = \"com.plasma.appruntime.modulestore\"\r\n        $ = \"com.plasma.appruntime.netconfig\"\r\n        $ = \"com.plasma.bundlemapper\"\r\n        $ = \"com.plasma.event.upload.serial\"\r\n        $ = \"com.plasma.notes.monitor\"\r\n        $ = \"com.plasma.photomonitor\"\r\n        $ = \"com.plasma.PLProcessStateDetector\"\r\n        $ = \"plasma_heartbeat_monitor\"\r\n        $ = \"plasma_injection_dispatcher\"\r\n        $ = \"plasma_ipc_processor\"\r\n        $ = \"plasma_%@.jpg\"\r\n        $ = \"/var/mobile/Library/Preferences/com.plasma.photomonitor.plist\"\r\n        $ = \"helion_ipc_handler\"\r\n        $ = \"PLInjectionStateInfo\"\r\n        $ = \"PLExploitationInterface\"\r\n    condition:\r\n        1 of them\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit?linkId=59478481",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit?linkId=59478481"
	],
	"report_names": [
		"coruna-powerful-ios-exploit-kit?linkId=59478481"
	],
	"threat_actors": [
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9afc8590-8bb7-40d4-a709-c2db63a306d3",
			"created_at": "2026-03-06T02:00:03.100542Z",
			"updated_at": "2026-04-10T02:00:03.976614Z",
			"deleted_at": null,
			"main_name": "UNC6691",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6691",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5aec0b5-627c-445c-b41c-32ee81358344",
			"created_at": "2026-03-06T02:00:03.105841Z",
			"updated_at": "2026-04-10T02:00:03.977432Z",
			"deleted_at": null,
			"main_name": "UNC6353",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6353",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8463590cb5e4abc7c439e021b6397ec82003dd53.pdf",
		"text": "https://archive.orkl.eu/8463590cb5e4abc7c439e021b6397ec82003dd53.txt",
		"img": "https://archive.orkl.eu/8463590cb5e4abc7c439e021b6397ec82003dd53.jpg"
	}
}