# Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
**[volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/](https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/)**
April 21, 2020
by Andrew Case, Dave Lassalle, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
In September 2019, Volexity published [Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs](https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/), which described a series of
attacks against Uyghurs from multiple Chinese APT actors. The most notable threat actor detailed in the blog was one Volexity calls Evil Eye.
The Evil Eye threat actor was observed launching an exploit aimed at installing a malware implant on Android phones. Volexity also believed
this was likely the same group responsible for launching exploits aimed at installing an iOS implant, [as described by Google's Project Zero](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html).
Immediately after the publications from Google and Volexity, the Evil Eye threat actor went fairly quiet. They removed their malicious code from
compromised websites, command and control (C2) servers were taken down, and various hostnames stopped resolving. This largely remained
the case until early January 2020, when Volexity observed a series of new activity across multiple previously compromised Uyghur websites.
In the latest activity identified by Volexity, the Evil Eye threat actor used an open source framework called [IRONSQUIRREL](https://github.com/MRGEffitas/Ironsquirrel) to launch their
exploit chain. The exploits used targeted Apple iOS, leveraging a vulnerability in WebKit that appears to have been patched
in the summer of 2019. The exploit works against iOS versions 12.3, 12.3.1, and 12.3.2. These versions of iOS are newer than anything
mentioned in the Google Project Zero blog, or any other recently published reports involving weaponized exploits that can be used remotely
against iPhones or iPads. If the exploit is successful, a new version of the implant described by Google will be installed onto the device.
Volexity refers to this implant by the name INSOMNIA.
Volexity observed multiple different attacks where this implant was being installed on iOS devices. This includes six different exploit websites;
five instances of the malware implant; three different C2 IP and port pair combinations; and two unique C2 IP addresses. Each of the observed
exploit sites and malware C2 servers is detailed in Appendix A below.
## Targeting Website Visitors
The Evil Eye actor set up IRONSQUIRREL code to be loaded in a variety of different ways through malicious iframes across the various
compromised websites. Volexity observed a total of six different hostnames being used to launch attacks between January and March 2020.
While the first round of attacks was identified across several websites, future attacks were only observed in conjunction with the Uyghur
Academy website. The attacks were largely loaded in fairly standard ways, such as via an iframe on a website's index, a modified JavaScript
file used by the website, or nested iframes—which was the case on the Uyghur Academy website. The code below has been on the main
index of the Uyghur Academy website for several months. The "JPlayer.html" file appears to be exclusively used by the Evil Eye actor when
they want to launch attacks against visitors to the website. Otherwise, the file is either deleted or emptied out when not in use.
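The loading patterns described above (a hidden iframe on a site's index, and a nested iframe chain through a staging page such as JPlayer.html that points at an external host) are exactly what a site owner can scan for statically. The following is an added example written for this editorial pass, not Volexity's tooling or anything recovered from the compromised sites; the hostnames `www.site.example` and `exploit-host.example`, the page contents, and the `scan_site` helper are all constructed placeholders. It parses each page, follows iframe `src` chains to a bounded depth, and flags frames that are hidden (zero size or `display:none`), point off-site, or sit nested inside another frame.

```python
"""Static scan of a site's HTML for injected hidden or nested iframes (added defender example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (placeholder hosts, NOT the real pages from the post): one
# legitimate visible embed, plus a hidden chain index.html -> JPlayer.html -> external host.
SITE_HOST = "www.site.example"
SAMPLE_PAGES = {
    "https://www.site.example/index.html": (
        "<html><body><h1>News</h1>"
        '<iframe src="/player/embed.html" width="640" height="360"></iframe>'
        '<iframe src="JPlayer.html" width=0 height=0></iframe>'
        "</body></html>"
    ),
    "https://www.site.example/player/embed.html": "<html><body>video</body></html>",
    "https://www.site.example/JPlayer.html": (
        '<html><body><iframe src="https://exploit-host.example/index.html" '
        'style="display:none"></iframe></body></html>'
    ),
}


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_zero(value):
    """True for attribute/CSS values like '0', '0px', '0.0'."""
    if value is None:
        return False
    v = value.strip().lower().rstrip("px").strip()
    try:
        return float(v) == 0.0
    except ValueError:
        return False


def is_hidden(attrs):
    """Heuristic: zero width/height attributes or a style that hides the frame."""
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        if prop == "display" and val == "none":
            return True
        if prop == "visibility" and val == "hidden":
            return True
        if prop in ("width", "height") and _is_zero(val):
            return True
    return False


def scan_site(pages, start_url, site_host, max_depth=3):
    """Follow iframe src chains from start_url and return suspicious frames.

    pages is a dict URL -> HTML, standing in for an HTTP fetch so this runs offline.
    Each finding records the page the frame was found on, its resolved src, and
    the reasons it was flagged: 'external', 'hidden' and/or 'nested'.
    """
    findings = []
    visited = set()

    def walk(url, depth):
        if depth > max_depth or url in visited:
            return
        visited.add(url)
        html = pages.get(url)
        if html is None:
            return
        collector = IframeCollector()
        collector.feed(html)
        for attrs in collector.iframes:
            src = attrs.get("src")
            if not src:
                continue
            target = urljoin(url, src)
            host = (urlparse(target).hostname or "").lower()
            reasons = []
            if host != site_host:
                reasons.append("external")
            if is_hidden(attrs):
                reasons.append("hidden")
            if depth > 0:
                reasons.append("nested")
            if reasons:
                findings.append({"page": url, "src": target, "reasons": reasons})
            walk(target, depth + 1)  # follow the chain to catch nested staging pages

    walk(start_url, 0)
    return findings


if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES, "https://www.site.example/index.html", SITE_HOST):
        print(f"{f['page']} -> {f['src']}: {', '.join(f['reasons'])}")
```

Against the constructed sample this reports the zero-size frame on the index page and the hidden, external, nested frame inside JPlayer.html, while the visible same-origin video embed is not flagged. In practice the `pages` dict would be replaced by fetches of the site's own content (or a crawl of a static export), and a periodic diff of the findings is a simple way to notice when a normally empty staging file is repopulated.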
In the first observed example of this iOS exploit activity, the following code was observed inside JPlayer.html.
```html
<iframe src="https://[hostname and path not recoverable from this copy of the post]" width=0 height=0></iframe>
```
The most notable method of loading the code was via an iframe that was observed on the Chinese-language version of the Uighur Times
website. The following code was observed.