Severity: critical · Read time: 9 min

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

Google Threat Intelligence Group discovered 'Coruna', a highly sophisticated iOS exploit kit containing 23 exploits that target iOS versions 13.0 through 17.2.1. Initially observed in use by a commercial surveillance vendor, the kit has since proliferated to state-sponsored and financially motivated threat actors to deploy PLASMAGRID, a payload designed to steal cryptocurrency wallets and financial data.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-03

Authors: Google Threat Intelligence Group (GTIG)

Actors: UNC6353, UNC6691, Commercial surveillance vendor customer

Source: Mandiant

IOCs · 5

Key Takeaways

  • The Coruna iOS exploit kit targets Apple devices running iOS 13.0 through 17.2.1, utilizing 23 exploits across 5 full exploit chains.
  • The kit has proliferated across multiple distinct threat actors, including a commercial surveillance vendor, a suspected Russian espionage group (UNC6353), and a Chinese financially motivated actor (UNC6691).
  • The final payload, PLASMAGRID (PlasmaLoader), injects into the iOS 'powerd' daemon and is specifically designed to steal cryptocurrency wallets and sensitive financial data.
  • PLASMAGRID utilizes a custom Domain Generation Algorithm (DGA) seeded with the string 'lazarus' to generate 15-character .xyz domains for C2 fallback.
  • The exploit framework is highly sophisticated, featuring WebKit RCEs, PAC bypasses, sandbox escapes, and kernel exploitation, but bails out if the device is in Lockdown Mode.

Affected Systems

  • Apple iPhone models running iOS 13.0 up to 17.2.1

Vulnerabilities (CVEs)

  • CVE-2024-23222
  • CVE-2021-30952
  • CVE-2022-48503
  • CVE-2023-43000
  • CVE-2023-32409
  • CVE-2020-27932
  • CVE-2020-27950
  • CVE-2023-32434
  • CVE-2023-41974
  • CVE-2023-38606
  • CVE-2024-23225
  • CVE-2024-23296

Attack Chain

Victims are lured to compromised or fake websites where a hidden iFrame executes a JavaScript fingerprinting framework. If the device is vulnerable (iOS 13.0 - 17.2.1) and not in Lockdown Mode, the Coruna exploit kit delivers a WebKit RCE followed by PAC bypasses and sandbox escapes. The exploit chain culminates in kernel execution and the deployment of PLASMAGRID (PlasmaLoader), which injects into the root 'powerd' daemon. PLASMAGRID then downloads additional modules from its C2 to hook cryptocurrency applications and exfiltrate wallet data and seed phrases.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Google Threat Intelligence Group (GTIG)

The article provides YARA rules for hunting the Coruna JavaScript MapJoinEncoder and identifying PLASMAGRID backdoor strings in memory or on disk.

Detection Engineering Assessment

  • EDR Visibility: Low. iOS environments typically lack traditional EDR visibility, making on-device detection of WebKit exploitation and kernel-level injection extremely difficult without specialized mobile threat defense (MTD) solutions.
  • Network Visibility: Medium. Network telemetry can identify connections to known malicious domains, DGA patterns (.xyz TLDs), and specific URI structures (e.g., /details/show.html), though traffic is HTTPS encrypted.
  • Detection Difficulty: Hard. The exploit kit operates entirely in memory initially, bypasses multiple iOS mitigations, and uses encrypted payloads and DGA for C2, making it highly evasive.

Required Log Sources

  • DNS Logs
  • Web Proxy Logs
  • Mobile Device Management (MDM) Logs

Hunting Hypotheses

  • Look for DNS requests to randomly generated 15-character .xyz domains, which may indicate the PLASMAGRID DGA fallback mechanism.
    • Telemetry: DNS Logs · ATT&CK Stage: Command and Control · FP Risk: Low
  • Monitor web proxy logs for HTTP GET requests to URLs ending in '.min.js' accompanied by unusual user-agent strings or originating from unexpected iFrames.
    • Telemetry: Web Proxy Logs · ATT&CK Stage: Execution · FP Risk: Medium
  • Search for HTTP POST requests containing custom headers like 'sdkv' or 'x-ts' followed by a timestamp, indicating PLASMAGRID C2 communication.
    • Telemetry: Web Proxy Logs · ATT&CK Stage: Command and Control · FP Risk: Low

Control Gaps

  • Lack of deep endpoint visibility on iOS devices
  • Inability to inspect encrypted C2 traffic without SSL decryption

Key Behavioral Indicators

  • 15-character .xyz domains
  • HTTP headers 'sdkv' or 'x-ts'
  • Custom file header 0xf00dbeef in network streams
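The three behavioral indicators above, together with the DNS and proxy hunting hypotheses, can be turned into a small triage script. The following is an added example written for this page, not code from GTIG or Mandiant. The DNS and proxy log line formats, the sample telemetry, and the function names (`is_dga_candidate`, `flag_dns_lines`, `flag_proxy_lines`, `has_payload_magic`) are constructed for the demo; the report does not state the byte order of the 0xf00dbeef header, so both encodings are checked, which is an assumption.

```python
"""Triage helpers for the PLASMAGRID indicators: 15-character .xyz DGA
domains in DNS logs, 'sdkv' / 'x-ts' headers on HTTP POSTs in proxy logs,
and the 0xf00dbeef header at the start of a delivered binary.

Added example, not from the GTIG report. The log line formats below are
constructed for the demo and must be adapted to real DNS/proxy exports.
"""
import re
from typing import Iterable

# A 15-character alphanumeric label directly under .xyz, the DGA output
# shape the report describes. A trailing dot (FQDN form) is tolerated.
DGA_DOMAIN_RE = re.compile(r"^[a-z0-9]{15}\.xyz\.?$")

# Header names the report associates with PLASMAGRID C2 POST requests.
C2_HEADER_NAMES = {"sdkv", "x-ts"}

# 0xf00dbeef as it may appear at the start of a stream. Byte order is not
# given in the report, so big- and little-endian are both checked (assumption).
PAYLOAD_MAGIC = (bytes.fromhex("f00dbeef"), bytes.fromhex("efbe0df0"))


def refang(indicator: str) -> str:
    """Turn defanged 'a[.]b' / 'a[[.]]b' notation back into 'a.b'."""
    return indicator.replace("[[.]]", ".").replace("[.]", ".")


def is_dga_candidate(domain: str) -> bool:
    """True when the name is a 15-character label directly under .xyz."""
    return DGA_DOMAIN_RE.match(refang(domain).strip().lower()) is not None


# Constructed DNS log format: '<ts> client=<ip> query=<name> type=<rr>'.
DNS_QUERY_RE = re.compile(r"query=(\S+)")


def flag_dns_lines(lines: Iterable[str]) -> list[str]:
    """Return queried names that match the PLASMAGRID DGA shape."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m and is_dga_candidate(m.group(1)):
            hits.append(refang(m.group(1)).lower().rstrip("."))
    return hits


# Constructed proxy log format:
# '<ts> <client> <method> <url> hdr=<name>:<value> [hdr=<name>:<value> ...]'
HDR_RE = re.compile(r"hdr=([A-Za-z0-9-]+):(\S+)")


def flag_proxy_lines(lines: Iterable[str]) -> list[dict]:
    """Return POSTs carrying 'sdkv', or 'x-ts' whose value is a numeric timestamp."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[2].upper() != "POST":
            continue
        headers = {k.lower(): v for k, v in HDR_RE.findall(line)}
        matched = [h for h in headers if h in C2_HEADER_NAMES]
        # The report says 'x-ts' is followed by a timestamp, so a
        # non-numeric 'x-ts' value on its own is not treated as a hit.
        if "x-ts" in matched and not headers["x-ts"].isdigit():
            matched.remove("x-ts")
        if matched:
            hits.append({"client": fields[1], "url": fields[3],
                         "headers": sorted(matched)})
    return hits


def has_payload_magic(stream: bytes) -> bool:
    """True if the stream begins with the 0xf00dbeef custom file header."""
    return any(stream.startswith(m) for m in PAYLOAD_MAGIC)


# Constructed sample telemetry so the script runs stand-alone. The .xyz
# domain is one of the PLASMAGRID C2 domains listed in the report.
SAMPLE_DNS = [
    "2026-03-03T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2026-03-03T10:00:02Z client=10.0.0.5 query=rlau616jc7a7f7i.xyz. type=A",
    "2026-03-03T10:00:03Z client=10.0.0.9 query=short.xyz type=A",
]
SAMPLE_PROXY = [
    "2026-03-03T10:00:05Z 10.0.0.5 POST https://c2.invalid/api hdr=sdkv:1.0 hdr=x-ts:1772532005",
    "2026-03-03T10:00:06Z 10.0.0.7 GET https://cdn.invalid/app.min.js hdr=accept:*/*",
    "2026-03-03T10:00:07Z 10.0.0.8 POST https://web.invalid/form hdr=x-ts:not-a-number",
]

if __name__ == "__main__":
    print("DGA candidates:", flag_dns_lines(SAMPLE_DNS))
    print("C2-like POSTs:", flag_proxy_lines(SAMPLE_PROXY))
    print("magic header:", has_payload_magic(bytes.fromhex("f00dbeef") + b"\x00" * 4))
```

The DGA check is deliberately a shape match only (15 alphanumeric characters under .xyz), so it will also flag legitimate names of that form; treat hits as leads to pivot on with the listed C2 domains and the 'sdkv' / 'x-ts' POST pattern rather than as confirmed infections.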

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update all iOS devices to the latest available version (iOS 17.3 or later).
  • Block known Coruna and PLASMAGRID IOCs (domains, URLs, IPs) at the network perimeter.

Infrastructure Hardening

  • Implement DNS filtering to block newly registered or suspicious .xyz domains.
  • Deploy Mobile Threat Defense (MTD) solutions to corporate iOS devices.

User Protection

  • Enable Lockdown Mode on iOS devices for high-risk users where immediate updating is not possible.
  • Restrict access to unverified cryptocurrency and financial websites on corporate devices.

Security Awareness

  • Educate users on the risks of visiting unverified financial or cryptocurrency websites.
  • Train users to recognize fake pop-ups urging them to access sites specifically from mobile devices.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1068 - Exploitation for Privilege Escalation
  • T1055 - Process Injection
  • T1005 - Data from Local System
  • T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • T1119 - Automated Collection

Additional IOCs

  • Domains:
    • rlau616jc7a7f7i[.]xyz - PLASMAGRID C2 domain
    • ol67el6pxg03ad7[.]xyz - PLASMAGRID C2 domain
    • 6zvjeulzaw5c0mv[.]xyz - PLASMAGRID C2 domain
    • ztvnhmhm4zj95w3[.]xyz - PLASMAGRID C2 domain
    • v2gmupm7o4zihc3[.]xyz - PLASMAGRID C2 domain
    • pen0axt0u476duw[.]xyz - PLASMAGRID C2 domain
    • hfteigt3kt0sf3z[.]xyz - PLASMAGRID C2 domain
    • xfal48cf0ies7ew[.]xyz - PLASMAGRID C2 domain
    • yvgy29glwf72qnl[.]xyz - PLASMAGRID C2 domain
    • lk4x6x2ejxaw2br[.]xyz - PLASMAGRID C2 domain
    • 2s3b3rknfqtwwpo[.]xyz - PLASMAGRID C2 domain
    • xjslbdt9jdijn15[.]xyz - PLASMAGRID C2 domain
    • hui4tbh9uv9x4yi[.]xyz - PLASMAGRID C2 domain
    • xittgveqaufogve[.]xyz - PLASMAGRID C2 domain
    • xmmfrkq9oat1daq[.]xyz - PLASMAGRID C2 domain
    • lsnngjyu9x6vcg0[.]xyz - PLASMAGRID C2 domain
    • gdvynopz3pa0tik[.]xyz - PLASMAGRID C2 domain
    • o08h5rhu2lu1x0q[.]xyz - PLASMAGRID C2 domain
    • zcjdlb5ubkhy41u[.]xyz - PLASMAGRID C2 domain
    • 8fn4957c5g986jp[.]xyz - PLASMAGRID C2 domain
    • uawwydy3qas6ykv[.]xyz - PLASMAGRID C2 domain
    • sf2bisx5nhdkygn3l[.]xyz - PLASMAGRID C2 domain
    • roy2tlop2u[.]xyz - PLASMAGRID C2 domain
    • gqjs3ra34lyuvzb[.]xyz - PLASMAGRID C2 domain
    • eg2bjo5x5r8yjb5[.]xyz - PLASMAGRID C2 domain
    • b38w09ecdejfqsf[.]xyz - PLASMAGRID C2 domain
  • URLs:
    • hxxps://ai-scorepredict[[.]]com/static/analytics[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://m[[.]]pc6[[.]]com/test/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://ddus17[[.]]com/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://goodcryptocurrency[[.]]top/details/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://pepeairdrop01[[.]]com/static/analytics[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://osec2[[.]]668ddf[[.]]cc/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://pepeairdrop01[[.]]com/static/analytics[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://ios[[.]]teegrom[[.]]top/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://i[[.]]binaner[[.]]com/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://ajskbnrs[[.]]xn--jor0b302fdhgwnccw8g[[.]]com/gogo/list[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://sj9ioz3a7y89cy7[[.]]xyz/list[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://65sse[[.]]668ddf[[.]]cc/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://sadjd[[.]]mijieqi[[.]]cn/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://mkkku[[.]]com/static/analytics[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://dbgopaxl[[.]]com/static/goindex/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://w2a315[[.]]tubeluck[[.]]com/static/goindex/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://ose[[.]]668ddf[[.]]cc/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://cryptocurrencyworld[[.]]top/details/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://iphonex[[.]]mjdqw[[.]]cn/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://goodcryptocurrency[[.]]top/details/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://share[[.]]4u[[.]]game/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://26a[[.]]online/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://binancealliancesintro[[.]]com/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://4u[[.]]game/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://bestcryptocurrency[[.]]top/details/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://b27[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://h4k[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://so5083[[.]]tubeluck[[.]]com/static/goindex/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://seven7[[.]]vip/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://y4w[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://7ff[[.]]online/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://cy8[[.]]top/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://7uspin[[.]]us/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://seven7[[.]]to/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://4kgame[[.]]us/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://share[[.]]7p[[.]]game/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://www[[.]]appstoreconn[[.]]com/xmweb/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://k96[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://7fun[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://n49[[.]]top/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://98a[[.]]online/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://spin7[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://t7c[[.]]icu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://7p[[.]]game/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://lddx3z2d72aa8i6[[.]]xyz/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://anygg[[.]]liquorfight[[.]]com/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://goanalytics[[.]]xyz/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://land[[.]]77bingos[[.]]com/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://land[[.]]bingo777[[.]]now/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://land[[.]]bingo777[[.]]now/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxp://land[[.]]777bingos[[.]]xyz/88k4ez/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://btrank[[.]]top/tuiliu/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://dd9l7e6ghme8pbk[[.]]xyz/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://res54allb[[.]]xn--xkrsa0078bd6d[[.]]com/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://fxrhcnfwxes90q[[.]]xyz/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
    • hxxps://kanav[[.]]blog/group[[.]]html - UNC6691 URL delivering Coruna exploit kit
  • File Hashes:
    • 18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3 (SHA256) - PLASMAGRID module (com.apple.springboard)
    • 42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b (SHA256) - PLASMAGRID module (com.bitpie.wallet)
    • 0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495 (SHA256) - PLASMAGRID module (coin98.crypto.finance.insights)
    • 05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901 (SHA256) - PLASMAGRID module (org.toshi.distribution)
    • 10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c (SHA256) - PLASMAGRID module (exodus-movement.exodus)
    • 91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30 (SHA256) - PLASMAGRID module (im.token.app)
    • 721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780 (SHA256) - PLASMAGRID module (com.kyrd.krystal.ios)
    • 25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de (SHA256) - PLASMAGRID module (io.metamask.MetaMask)
    • be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9 (SHA256) - PLASMAGRID module (org.mytonwallet.app)
    • 3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541 (SHA256) - PLASMAGRID module (app.phantom)
    • 499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1 (SHA256) - PLASMAGRID module (com.skymavis.Genesis)
    • d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802 (SHA256) - PLASMAGRID module (com.solflare.mobile)
    • 4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd (SHA256) - PLASMAGRID module (com.global.wallet.ios)
    • d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a (SHA256) - PLASMAGRID module (com.tonhub.app)
    • 023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de (SHA256) - PLASMAGRID module (com.jbig.tonkeeper)
    • f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac (SHA256) - PLASMAGRID module (com.tronlink.hdwallet)
    • 1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0 (SHA256) - PLASMAGRID module (com.sixdays.trust)
    • 4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8 (SHA256) - PLASMAGRID module (com.uniswap.mobile)
  • File Paths:
    • /var/mobile/Library/Preferences/com.plasma.photomonitor.plist - PLASMAGRID photo monitor preference file referenced in YARA rule
  • Other:
    • lazarus - Seed string used for the custom Domain Generation Algorithm (DGA) to generate C2 domains
    • 0xf00dbeef - Custom file format header for binary payloads delivered by the exploit kit