8 min · critical

Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit

A supply chain attack compromising the widely used npm package 'art-template' was discovered delivering the Coruna exploit kit to iOS devices. The injected JavaScript acts as a sophisticated watering hole framework, utilizing extensive anti-bot fingerprinting and WebAssembly memory probes to deliver version-specific WebKit RCE exploits targeting Safari on iOS 11.0 through 17.2.

Sens: Immediate · Conf: High · Analyzed: 2026-05-22 · Google

Authors: Joseph Edwards

Actors: UNC6691 · Coruna Exploit Kit

Source: Socket

IOCs: 30

Detection / Hunter: Google

What Happened

A popular software building block called 'art-template' was secretly taken over by hackers to attack iPhone users. When developers used the compromised building block, it silently added malicious code to their websites. If an iPhone user visited one of these affected websites using Safari, the site would check their iOS version and attempt to hack the device using known vulnerabilities. This attack specifically targets older iPhones running iOS 11.0 to 17.2, while ignoring fully updated devices. Organizations should ensure their iPhones are updated to iOS 17.3 or later, and developers should check their projects for the compromised 'art-template' versions.

Key Takeaways

  • A compromised npm package, 'art-template' (versions 4.13.5 and 4.13.6), was used to deliver the Coruna iOS exploit kit via a supply chain attack.
  • The malicious JavaScript implant targets Safari on iOS 11.0 through 17.2, explicitly ignoring other browsers, operating systems, and iOS 17.3+.
  • The implant uses five layers of anti-bot fingerprinting, including WebAssembly memory probes, to verify vulnerable JIT compiler paths before delivering exploits.
  • Payload modules are fetched dynamically using a content-addressed URL scheme based on a session key, hiding the exploit chains from scanners.
  • The campaign is attributed with high confidence to UNC6691, a financially motivated threat actor.

Affected Systems

  • Safari on iOS 11.0 through iOS 17.2. The exploit explicitly rejects iOS 17.3, Chrome, Firefox, Edge, and Android.

Vulnerabilities (CVEs)

  • CVE-2021-30952
  • CVE-2022-48503
  • CVE-2023-43000
  • CVE-2024-23222

Attack Chain

The attack begins with the compromise of the 'art-template' npm package, which injects a malicious script loader into downstream web applications. When a user visits an affected site, they are redirected to a watering hole that serves a JavaScript implant targeting iOS Safari. The implant beacons device information to a C2 server and runs extensive anti-bot fingerprinting, including WebAssembly memory probes, to verify the device is a real, vulnerable iPhone. Once verified, it dynamically fetches and executes version-specific WebKit RCE exploit chains from the Coruna exploit kit to compromise the device.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Google Threat Intelligence Group (GTIG)

The article references a YARA rule published by Google Threat Intelligence Group (GTIG) designed to detect the Coruna delivery framework based on its specific XOR obfuscation patterns.

Detection Engineering Assessment

EDR Visibility: Low — The attack primarily occurs within the iOS Safari browser sandbox using JavaScript and WebAssembly, where traditional endpoint EDR visibility is highly restricted or non-existent.

Network Visibility: High — The implant relies heavily on network beacons, dynamic module fetching via specific URL patterns, and C2 communication, which can be observed in web proxy and DNS logs.

Detection Difficulty: Moderate — While endpoint visibility is low, the network indicators (specific URL path patterns, campaign codes in POST bodies, and predictable beaconing intervals) provide solid detection opportunities if SSL inspection or proxy logs are available.

Required Log Sources

  • Web Proxy Logs
  • DNS Query Logs
  • Network Flow Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Consider hunting for web proxy logs showing a GET request to ipv4.icanhazip.com followed within 2 seconds by a POST request to an unrecognized API endpoint, indicating the implant's beaconing behavior. | Web Proxy Logs | Command and Control | Low
Consider hunting for HTTP POST requests containing the string 'CHMK6IG08F42496C22' in the body, which is a definitive campaign tracking code. | Web Proxy Logs / DLP | Command and Control | Low
Consider hunting for URL paths containing the prefix 'cecd08aa6ff548c2' followed by a 40-character hex string, indicating dynamic module fetching. | Web Proxy Logs | Execution | Low
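Detection logic for the three hypotheses above, run over sample proxy log lines, as an added example (not part of the advisory or of GTIG's published YARA rule). The log format, the placeholder hostnames and the KNOWN_API_HOSTS allowlist are assumptions; the IP-oracle host, campaign code and session-key prefix are the advisory's own indicators.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the advisory's hunting hypotheses.
IP_ORACLE_HOST = "ipv4.icanhazip.com"
CAMPAIGN_CODE = "CHMK6IG08F42496C22"
MODULE_PATH_RE = re.compile(r"/cecd08aa6ff548c2[0-9a-f]{40}(?![0-9a-f])")
BEACON_WINDOW = timedelta(seconds=2)
# Assumed allowlist of API hosts the organisation already recognises (constructed).
KNOWN_API_HOSTS = {"intranet.example.com"}

# Constructed proxy log lines (not from the advisory); assumed format:
# <ISO timestamp> <client IP> <method> <URL> <POST body or '-'>. Hostnames are placeholders.
SAMPLE_LOGS = """\
2026-05-20T10:00:01Z 10.0.0.5 GET http://ipv4.icanhazip.com/ -
2026-05-20T10:00:02Z 10.0.0.5 POST https://c2-placeholder.xyz/api/report cid=CHMK6IG08F42496C22
2026-05-20T10:00:03Z 10.0.0.5 GET https://c2-placeholder.xyz/cecd08aa6ff548c20123456789abcdef0123456789abcdef01234567 -
2026-05-20T10:05:00Z 10.0.0.9 GET http://ipv4.icanhazip.com/ -
2026-05-20T10:05:10Z 10.0.0.9 POST https://intranet.example.com/api/login user=alice
"""

def parse(line):
    ts, client, method, url, body = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url, "body": body}

def hunt(log_text):
    """Return (rule, client, url) for every hypothesis that fires, in log order."""
    hits = []
    last_oracle = {}  # client IP -> time of its most recent IP-oracle GET
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        parts = urlsplit(e["url"])
        host = parts.hostname or ""
        if e["method"] == "GET" and host == IP_ORACLE_HOST:
            last_oracle[e["client"]] = e["ts"]
            continue
        # Hypothesis 1: IP-oracle GET, then a POST to an unrecognised host within 2 s.
        seen = last_oracle.get(e["client"])
        if (e["method"] == "POST" and host not in KNOWN_API_HOSTS
                and seen is not None and e["ts"] - seen <= BEACON_WINDOW):
            hits.append(("beacon_sequence", e["client"], e["url"]))
        # Hypothesis 2: the campaign tracking code inside a POST body.
        if e["method"] == "POST" and CAMPAIGN_CODE in e["body"]:
            hits.append(("campaign_code", e["client"], e["url"]))
        # Hypothesis 3: session key followed by a 40-hex module id in the path.
        if MODULE_PATH_RE.search(parts.path):
            hits.append(("module_fetch", e["client"], e["url"]))
    return hits
```

The second client's POST arrives 10 s after its IP-oracle lookup and goes to an allowlisted host, so only the first client produces hits.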

Control Gaps

  • Lack of EDR visibility into iOS Safari WebKit processes.
  • Inability to inspect encrypted HTTPS traffic without SSL decryption.

Key Behavioral Indicators

  • GET requests to .cfww.shop/*.js from an iOS User-Agent.
  • Sequential requests to an IP oracle followed by a POST to a .xyz domain.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking the domain l1ewsu3yjkqeroy[.]xyz and cfww[.]shop (including subdomains) at your DNS or web proxy.
  • Evaluate your codebase and dependencies for the presence of art-template versions 4.13.5 or 4.13.6 and roll back to a known safe version if found.
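One way to carry out the dependency check above against a package-lock.json, as an added example that is not part of the advisory or of any npm tooling. The lockfile content is constructed; only the art-template version numbers come from the advisory.

```python
import json

# Compromised versions named in the advisory.
AFFECTED = {"art-template": {"4.13.5", "4.13.6"}}

# Constructed package-lock.json content (not a real project), lockfileVersion 3 layout.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"art-template": "^4.13.0"}},
        "node_modules/art-template": {"version": "4.13.5"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # a nested copy pulled in by another dependency, at an unaffected version
        "node_modules/some-lib/node_modules/art-template": {"version": "4.13.2"},
    },
})

def name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return path.rsplit("node_modules/", 1)[-1]

def iter_lock_entries(lock):
    """Yield (name, version, location) for lockfile v1 (dependencies tree)
    and v2/v3 (packages map) layouts; v2 files carry both and yield both."""
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:          # "" is the root project itself
            yield name_from_path(path), meta["version"], path
    def walk(deps, trail):
        for name, meta in deps.items():
            loc = f"{trail}/{name}"
            if "version" in meta:
                yield name, meta["version"], loc
            yield from walk(meta.get("dependencies", {}), loc)
    yield from walk(lock.get("dependencies", {}), "dependencies")

def find_affected(lock_text, affected=AFFECTED):
    """Return sorted (name, version, location) triples matching the affected set."""
    lock = json.loads(lock_text)
    return sorted(hit for hit in iter_lock_entries(lock)
                  if hit[1] in affected.get(hit[0], ()))

if __name__ == "__main__":
    for name, version, where in find_affected(SAMPLE_LOCK):
        print(f"{name}@{version} found at {where}")
```

Run it against each project's lockfile (for example by reading the file into find_affected); nested copies under another dependency's node_modules are checked as well, since the hoisted version is not the only one that can load.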

Infrastructure Hardening

  • If applicable, deploy MDM policies restricting Safari from loading third-party scripts on unmanaged domains for iOS devices.
  • Consider enforcing Safe Browsing on all managed iOS devices.

User Protection

  • Ensure all corporate iOS devices are updated to iOS 17.3 or later to mitigate the targeted WebKit vulnerabilities.

Security Awareness

  • Remind developers of the risks associated with npm supply chain attacks and the importance of pinning dependency versions.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1082 - System Information Discovery
  • T1204.001 - User Execution: Malicious Link
  • T1068 - Exploitation for Privilege Escalation

Additional IOCs

  • Domains:
    • cfww[.]shop - Domain family used for bulk-registered watering holes.
  • URLs:
    • hxxps://v3[.]jiathis[.]com/code/jia.js?uid=artemplate - Malicious script injected by art-template@4.13.5.
    • hxxps://v3[.]jiathis[.]com/code/art.js - Malicious script injected by art-template@4.13.6.
    • hxxps://utaq[.]cfww[.]shop/gooll/gooll.html - Landing page embedding the Coruna implant.
  • File Hashes:
    • 8064d4e0322f069b3dba13e7957ff0ca7dab7984 (SHA1) - SHA-1 hash of the implant entry point.
    • 6e79ae622b7ef30f31fdbcc2dc65339e (MD5) - MD5 hash of the implant entry point.
    • 080da430f7e3a38d7cad59887df30d9ac40e70d203c7aa5f5afaf0cafcb73e5f (SHA256) - iOS 11.0-15.1 WASM loader module.
    • b0b29b6148c4b0dbd77d33f821ca01e2d7a711988b854285a2606dcc53894abe (SHA256) - iOS 15.2-15.5 WASM loader module.
    • 593548d714f6d48acb886d42bf576d8fd6b1ddae6f888dda0719671a53463663 (SHA256) - iOS 15.6-16.1 WASM loader module.
    • 2c4a5a49a84f55db0dd5554f7a9e055dbb0eae3782986726c6dcfab84ecd6dc5 (SHA256) - iOS 16.2-16.5 WASM loader module.
    • eaab0874332777ad8a03a292bcd608a3358547f9f16ab551d34eef35d5cd539e (SHA256) - iOS 16.6-17.2 WASM loader module (primary).
    • feb9442c39619d7bb3ff29de8e1d4bebceb1b24f8c0a63da2f2b30a1023dc94f (SHA256) - Shared crypto init module.
    • 473f182b8cbbdb5b4b29b7ad875014d66f1691ed2e770c633b559d97243895a7 (SHA256) - iOS crypto getter (wF8NpI).
    • 329ae1401819da4f87e3726b7e2707afcaf62d1219c4256c828df36af0a8784a (SHA256) - iOS crypto getter (LJ1EuL).
    • 7b8436669563e7d317c219b26432bdaab70e39061ea2c1c70fcc201f2c19c470 (SHA256) - Desktop WebKit crypto getter.
    • de1a07d8978725eaa6da5658e373e88264ac90515750201bfbe17947d5a9e788 (SHA256) - Non-Safari WebKit crypto getter.
    • 675a40df5f517f8f0cd99f74c5468f56d1d8f05003e997477a2af3bc7b0105a9 (SHA256) - Fallback crypto getter.
    • 2cfa14b2cd1f3fd51406cf1ac49c761a5c26ce3994e97de7f1ca469d85248a52 (SHA256) - Final action, WASM-verified path.
    • ebcc76dcd5ef596e732321a8d16eb2dee525c5d9a68c700b7885648c13c65a57 (SHA256) - Final action, primary path (all standard iPhones).
    • 5c0ebd86d2e8ae2087c0a4def4e0364a0cfb85c7e0a753fc96dca55b6c303432 (SHA256) - WASM ABI sub-module.
  • Other:
    • cecd08aa6ff548c2 - Session key present in all remote module GET request paths.
    • CHMK6IG08F42496C22 - Campaign tracking code found in beacon POST body.
    • 1DECX7UIQIB43 - Secondary campaign tracking code declared in the implant.
    • 7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.min.js - Self-registered name of the implant decoded from uint32 packer.