Coruna is a multi-chain iOS exploit kit first seen in February 2025 that contains five exploit chains across 23 exploits targeting iOS 13–17.2.1 and has been observed in watering-hole and mass-deployed scam campaigns. Validin’s historical DNS and host-response analysis, plus YARA hunts, mapped extensive PLASMAGRID C2 and dropper infrastructure including Iran-themed lures and hundreds of suspected delivery domains. #Coruna #PLASMAGRID
Keypoints
- Coruna is a large iOS exploit kit (first seen Feb 2025) with five full exploit chains comprising 23 individual exploits targeting iOS 13–17.2.1.
- Initial discovery linked Coruna to a surveillance customer; it was later used in a July 2025 watering-hole campaign against Ukrainian websites and mass-deployed on Chinese scam/crypto sites.
- Validin mapped PLASMAGRID C2 infrastructure using historical DNS pivots, host response fingerprints (unique HTTP response SHA1s), and virtual host response timelines.
- YARA-based response hunts identified hundreds of suspected dropper domains, delivery URLs, and malicious iframes; lure themes included gambling, crypto, gaming, and newly-registered Iran-support pages.
- Distinct C2 response/banner hashes and recurring JS/init patterns (e.g., LaSDK.init and /51la-ll.js plus offscreen iframes) enabled expansion of related infrastructure.
- Indicators published include dozens of C2/dropper domains, delivery URLs, unique banner hashes, and example IP addresses that facilitate further threat hunting and takedown efforts.
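The keypoints above describe two hunting techniques: fingerprinting hosts by a hash of their stable HTTP response, and matching the recurring dropper page pattern (a `LaSDK.init({ api: ... })` call, a `/51la-ll.js` include, and an off-screen iframe loading `/static/analytics.html`). The script below is an added example of both run over stored responses; it is not Validin's tooling. The regexes, the header-hash scheme (SHA1 over the status line plus non-volatile headers), the sample responses and the hostnames `js.users.example`, `lure.example`, `sibling.example`, `benign.example` and `player.example` are constructed for illustration; only the two indicator domains and paths come from the page.

```python
"""Hunt for Coruna/PLASMAGRID-style dropper pages in stored HTTP responses.
Added example: regexes, hash scheme and sample data are assumptions."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Signals the report describes on dropper pages (regexes are my own).
LASDK_INIT = re.compile(
    r"LaSDK\.init\(\s*\{[^}]*api\s*:\s*['\"](https?://[^'\"]+)['\"]", re.I)
LA_SCRIPT = re.compile(r"<script[^>]+src=['\"]([^'\"]*?/51la-ll\.js)['\"]", re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"src=['\"]([^'\"]+)['\"]", re.I)
OFFSCREEN = re.compile(
    r"(?:left|top)\s*:\s*-\d{3,}px"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|[\"'])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Headers that change per request and would defeat a response fingerprint.
VOLATILE = {"date", "set-cookie", "cf-ray", "expires", "etag",
            "last-modified", "content-length", "age"}


@dataclass
class Hit:
    host: str
    banner_hash: str
    api_urls: list = field(default_factory=list)
    iframe_urls: list = field(default_factory=list)
    signals: set = field(default_factory=set)


def split_response(raw: str):
    """Return (header lines, body) from raw HTTP response text."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body


def banner_hash(raw: str) -> str:
    """Fingerprint status line plus stable headers (names lower-cased,
    volatile headers dropped). Assumed scheme, not Validin's."""
    lines, _ = split_response(raw)
    kept = [lines[0].strip()]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in VOLATILE:
            continue
        kept.append(f"{name.strip().lower()}: {value.strip()}")
    return hashlib.sha1("\n".join(kept).encode()).hexdigest()


def defang(url: str) -> str:
    """Report-safe form: hxxps://host[.]tld/path (only the host is bracketed)."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"


def scan(host: str, raw: str) -> Optional[Hit]:
    """Flag a response only when two distinct signals co-occur; a bare
    51la analytics include is far too common to alert on by itself."""
    _, body = split_response(raw)
    hit = Hit(host=host, banner_hash=banner_hash(raw))
    for m in LASDK_INIT.finditer(body):
        hit.api_urls.append(m.group(1))
        hit.signals.add("lasdk_init")
    if LA_SCRIPT.search(body):
        hit.signals.add("51la_script")
    for attrs in IFRAME.findall(body):
        src = SRC_ATTR.search(attrs)
        if src and OFFSCREEN.search(attrs):
            hit.iframe_urls.append(src.group(1))
            hit.signals.add("offscreen_iframe")
    return hit if len(hit.signals) >= 2 else None


# Constructed responses built around the page's published indicators.
SAMPLES = {
    "lure.example": (
        "HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
        "Date: Tue, 01 Apr 2025 10:00:00 GMT\r\n"
        "Content-Type: text/html; charset=utf-8\r\nCF-RAY: 00000000aaaa-SJC\r\n\r\n"
        "<html><body><h1>Match predictions</h1>"
        '<script src="//js.users.example/51la-ll.js"></script>'
        "<script>LaSDK.init({ api: 'https://fgr1w2gnsdvsb.xyz/x' })</script>"
        '<iframe src="https://ai-scorepredict.com/static/analytics.html"'
        ' style="position:absolute;left:-9999px;width:0;height:0"></iframe>'
        "</body></html>"),
    # Same server config, different Date/CF-RAY: should share the banner hash.
    "sibling.example": (
        "HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
        "Date: Wed, 02 Apr 2025 11:30:00 GMT\r\n"
        "Content-Type: text/html; charset=utf-8\r\nCF-RAY: 11111111bbbb-LAX\r\n\r\n"
        "<html><body>coming soon</body></html>"),
    "benign.example": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
        "Date: Tue, 01 Apr 2025 10:00:00 GMT\r\nContent-Type: text/html\r\n\r\n"
        '<html><body><script src="//js.users.example/51la-ll.js"></script>'
        '<iframe src="https://player.example/embed" width="640" height="360">'
        "</iframe></body></html>"),
}


def hunt(samples=SAMPLES) -> dict:
    """Scan every stored response; return {host: Hit} for those that fire."""
    return {h: hit for h, raw in samples.items() if (hit := scan(h, raw))}


if __name__ == "__main__":
    for host, hit in hunt().items():
        print(host, hit.banner_hash, sorted(hit.signals))
        for u in hit.api_urls + hit.iframe_urls:
            print("  ", defang(u))
```

Only `lure.example` fires, with all three signals and the two delivery URLs extracted; `sibling.example` yields no page-level signal but hashes identically to the lure, which is the pivot the keypoints describe (a shared banner hash lets you find sibling C2 hosts that serve no lure at all). Dropping the volatile headers is what makes that pivot work; hashing the raw response would give every request a unique value.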
MITRE Techniques
- [T1189] Drive-by Compromise – The exploit kit was delivered via compromised and lure websites in watering-hole and mass-scam pages (‘watering hole attack targeting a set of compromised Ukrainian websites’).
- [T1203] Exploitation for Client Execution – Multiple iOS exploit chains were used to gain code execution on iPhones (‘five full exploit chains across 23 individual exploits targeting iOS versions 13 through 17.2.1’).
- [T1071.001] Application Layer Protocol: Web Protocols – Implants communicate with C2 over web protocols (HTTPS), and specific C2 endpoints were identified (‘configuration and implant servers, and C2 communication’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript and SDK initialization calls orchestrated exploitation in the browser context (e.g., ‘LaSDK.init({ api: ‘https:///x’ })’).
Indicators of Compromise
- [Domain] delivery and C2/dropper domains – ai-scorepredict[.]com, fgr1w2gnsdvsb[.]xyz, and 200+ other suspected delivery/C2 domains.
- [IP Address] historic resolution and hosting – 119.8.238[.]183, 203.168.129[.]71 (used to pivot to overlapping domains), and other related IPs such as 156.254.5[.]4.
- [URL] exploit delivery and C2 endpoints – https[:]//ai-scorepredict[.]com/static/analytics.html, https[:]//fgr1w2gnsdvsb[.]xyz/x, https[:]//remotexxxyyy[.]com/static/analytics.html, and other malicious iframe/delivery URLs.
- [Banner/File Hash] unique host/Cloudflare response hashes used as fingerprints – a205ca801f41dcb4d2ad4fa82b50c651, e3bc53583ac3a7fcd2ee923dce3fe280, and several other banner hashes used to identify PLASMAGRID C2 servers.
- [File / Path Names] JavaScript and iframe indicators observed in responses – /51la-ll.js, /static/analytics.html (iframe path) and other scripted dropper artifacts.
Read more: https://www.validin.com/blog/aye_coruna_ios_exploit_kit_c2/