The kit that changed hands three times in one year
In early 2025, a customer of an unnamed commercial surveillance vendor was observed using a previously unknown JavaScript exploit framework against iOS devices. By July 2025, the same framework had been picked up by a suspected Russian espionage group and was being silently injected into Ukrainian industrial and retail websites as a hidden iframe. By December 2025, it was in the hands of a financially motivated Chinese threat actor, deployed across a network of fake cryptocurrency and gambling sites with no geographic restrictions, targeting any iPhone user who clicked the wrong link.
Google's Threat Intelligence Group (GTIG) publicly named this framework Coruna (also tracked as CryptoWaters) on March 4, 2026. It contains five complete iOS exploit chains and 23 individual exploits spanning iOS 13 through 17.2.1. iVerify called it "the first observed mass exploitation against iOS devices" and noted structural similarities to tools developed by U.S. government-affiliated threat actors.
We obtained live samples from active delivery domains and analysed every layer of the JavaScript. What follows is a detailed account of what this kit actually does, from the first line of obfuscated code to the encrypted Mach-O binary dropped on the victim's device, together with a full infrastructure analysis of the domains and IPs involved.
The delivery problem: why your website is the attack surface
Before getting into the exploit mechanics, it is worth being precise about what "delivery" means here, because it is the part most organisations have not thought through.
Coruna is delivered as a self-contained HTML file, typically named group.html or analytics.html, embedded as a hidden <iframe> within a web page. The iframe has zero dimensions. It is invisible. It requires no user interaction beyond the page loading. The exploit runs entirely in the browser, in JavaScript, and completes in seconds.
In the campaigns we analysed, the delivery pages were hosted on attacker-controlled domains: fake crypto platforms, gambling sites, bingo lures. But the kit does not care where it is hosted. It is a self-contained payload that can be injected anywhere a JavaScript tag can be placed. That means the realistic delivery vectors extend far beyond attacker-owned infrastructure.
Ad networks. A single malicious creative served through a programmatic ad network reaches every publisher running that network's tag. The publisher's server never touches the payload. The publisher's WAF never sees it. The publisher's security team has no visibility into what the ad tag loaded in the user's browser. If Coruna had been distributed through a mid-tier ad network, it would have reached millions of Safari users across thousands of legitimate, reputable websites simultaneously. None of those publishers would have known.
Compromised third-party scripts. The average e-commerce or media site loads 30 to 50 third-party JavaScript tags: analytics, chat widgets, A/B testing tools, affiliate trackers, consent managers. Each of those scripts is a potential injection point. A supply chain compromise of any one of them, of the kind seen repeatedly in Magecart campaigns and the polyfill[.]io incident, could have turned every site using that script into a Coruna delivery node. Again, the origin server would show nothing unusual. The payload executes in the user's browser and reports back to a C2 domain the publisher has never heard of.
Cached CDN assets. Several of the delivery URLs we identified were served from shared CDN infrastructure (tubeluck[.]com, 668ddf[.]cc). An attacker with write access to a CDN origin bucket, or the ability to poison a CDN cache, achieves the same result.
The point is not that these specific vectors were used. The point is that nothing about the Coruna payload requires the attacker to own the delivery site. The payload is a JavaScript file. It goes wherever JavaScript goes. And JavaScript goes everywhere.
How it reaches the browser: delivery infrastructure
The campaigns we analysed used more than 50 delivery domains, organised into recognisable lure themes.
| Cluster | Representative domains | Lure theme |
|---|---|---|
| 668ddf[.]cc CDN | osec2[.]668ddf[.]cc, 65sse[.]668ddf[.]cc, ose[.]668ddf[.]cc | Chinese shared hosting |
| Gaming / gambling | 7p[.]game, 4u[.]game, b27[.]icu, h4k[.]icu, spin7[.]icu, seven7[.]vip | Online gambling |
| Bingo lures | land[.]77bingos[.]com, land[.]bingo777[.]now, land[.]777bingos[.]xyz | Bingo gambling |
| Crypto lures | goodcryptocurrency[.]top, binancealliancesintro[.]com, pepeairdrop01[.]com | Cryptocurrency |
| Tubeluck CDN | w2a315[.]tubeluck[.]com, so5083[.]tubeluck[.]com | Shared CDN infrastructure |
| Analytics lures | ai-scorepredict[.]com, goanalytics[.]xyz | Fake analytics pages |
Many of these sites explicitly instruct users to visit from a mobile device for a "better experience," a social engineering nudge to ensure the target opens the page in Safari on iOS rather than a desktop browser.
Infrastructure analysis: DNS, rDNS, WHOIS, and hosting
We conducted full DNS resolution, reverse DNS lookups, WHOIS/RDAP registration queries, and IP pivots across all delivery and C2 domains. The results reveal a deliberate infrastructure strategy: abuse of major cloud CDNs to hide the real origin, a small number of dedicated IPs for the most sensitive lure sites, and registration patterns that cluster tightly around late 2025 and early 2026.
Hosting breakdown
The delivery infrastructure breaks into four distinct hosting tiers.
Tier 1: Cloudflare proxy. The bulk of the gambling and gaming delivery domains, including 7p[.]game, b27[.]icu, h4k[.]icu, spin7[.]icu, 7ff[.]online, 26a[.]online, tubeluck[.]com, ai-scorepredict[.]com, and dbgopaxl[.]com, all resolve to Cloudflare anycast IPs. Cloudflare provides DDoS protection, TLS termination, and effective origin IP concealment. The real backend servers are not visible from DNS.
Tier 2: AWS CloudFront. A second large cluster uses AWS CloudFront as a CDN layer. Domains including 4u[.]game, seven7[.]vip, seven7[.]to, 4kgame[.]us, 7uspin[.]us, n49[.]top, 98a[.]online, cy8[.]top, 7fun[.]icu, k96[.]icu, t7c[.]icu, y4w[.]icu, and the bingo cluster (land[.]77bingos[.]com, land[.]bingo777[.]now, land[.]777bingos[.]xyz) all resolve to CloudFront edge nodes. The bingo cluster shares a single set of four CloudFront IPs, indicating they are served from the same distribution and likely the same S3 or EC2 origin.
Tier 3: Dedicated IPs on abuse-tolerant hosting. The most operationally significant finding is the use of dedicated IPs on hosting providers with a history of abuse tolerance for the most sensitive lure sites. cryptocurrencyworld[.]top and bestcryptocurrency[.]top share a single dedicated IP: 95.214.181.109, registered to Datacamp Limited in Hong Kong (AS212238), a well-documented bulletproof hosting provider. These two domains are the only ones on that IP. mkkku[.]com resolves to 185.53.179.128 (Team Internet AG, Germany). Reverse DNS on that IP surfaced seven additional gambling domains on the same server: bet247[.]ac, gem88[.]ac, gemwin[.]ac, gunbet[.]ac, i9-bet[.]ac, sbet[.]ac, and taisunwin[.]ac, all consistent with the broader Coruna delivery theme. btrank[.]top resolves to a dedicated AWS EC2 instance in Tokyo (54.248.167.86). ddus17[.]com resolves to 103.110.221.8 (JT Telecom International, Japan) with no co-hosted domains, consistent with a dedicated server.
Tier 4: China Unicom. pc6[.]com, a large Chinese software download portal listed among the delivery URLs, resolves to nine IPs across China Unicom's backbone (AS4837). The reverse DNS pivots on these IPs returned hundreds of co-hosted domains each, all with Chinese-language names and .cn, .cc, and .cloud TLDs. This is consistent with a large shared hosting environment. The pc6[.]com delivery URL likely represents a compromised page on an existing legitimate site rather than attacker-owned infrastructure.
WHOIS registration timeline
RDAP registration data was successfully retrieved for a subset of delivery domains. The dates cluster tightly, confirming a coordinated registration campaign.
| Domain | Registered | Registrar | Name servers |
|---|---|---|---|
| ai-scorepredict[.]com | 2026-01-29 | Ultahost, Inc. | Cloudflare |
| pepeairdrop01[.]com | 2026-01-25 | Realtime Register B.V. | Suspended (verification hold) |
| binancealliancesintro[.]com | 2026-01-01 | GoDaddy.com, LLC | GoDaddy (ns37/ns38.domaincontrol.com) |
| mkkku[.]com | 2026-01-18 | Dynadot Inc | Dynadot (dyna-ns.net) |
| ddus17[.]com | 2026-01-23 | Hello Internet Corp | JT DNS (jtdnsv1.com) |
| appstoreconn[.]com | 2025-12-23 | Cloudflare, Inc. | Cloudflare |
| tubeluck[.]com | 2025-12-18 | Cloudflare, Inc. | Cloudflare |
| 77bingos[.]com | 2025-11-29 | NameCheap, Inc. | AWS Route 53 |
| dbgopaxl[.]com | 2024-04-07 | Cloudflare, Inc. | Cloudflare |
All confirmed registration dates fall between November 2025 and January 2026, a 10-week window that aligns with the campaign's observed escalation from targeted espionage to mass financial exploitation. pepeairdrop01[.]com is currently suspended by its registrar for failing domain verification, indicating active takedown pressure. dbgopaxl[.]com is an outlier registered in April 2024, suggesting it is either a pre-positioned asset or a compromised legitimate domain repurposed for the campaign.
The C2 domains (the 27 DGA-generated .xyz domains) returned 404 errors from the RDAP server, meaning they have either been deleted from the registry or were never registered under a standard RDAP-queryable path. This is consistent with their role as short-lived, algorithmically generated fallback domains that are registered and discarded on a rolling basis.
Certificate transparency
Certificate transparency logs provide an independent registration timeline for domains that use HTTPS. Key findings: b27[.]icu issued its first TLS certificate on 2025-06-01 (Amazon CA), confirming the domain was active at least six months before the campaign's peak. 7p[.]game first appeared in CT logs on 2024-03-21 (GoDaddy CA), the oldest in the delivery set, suggesting it is a long-running gambling operation that adopted Coruna delivery rather than a purpose-built lure site. ai-scorepredict[.]com issued its first certificate on 2026-01-29, the same day as its RDAP registration date, confirming it was purpose-built for this campaign. tubeluck[.]com first appeared in CT logs in 2019, the oldest in the entire dataset, indicating it is a long-established CDN or hosting service the operator is using as infrastructure.
C2 domain infrastructure
All 27 DGA-generated C2 domains currently return no DNS A records. Two domains (vvri8ocl4t3k8n6[.]xyz and rlau616jc7a7f7i[.]xyz) had URLScan entries from March 4, 2026, the day of the GTIG disclosure, with both resolving to Cloudflare IPs at that time. This confirms the C2 infrastructure was live and Cloudflare-fronted at the time of disclosure and has since been taken down or rotated.
Four layers of obfuscation before you see a single exploit
Opening the delivery page in a text editor reveals nothing useful. The Coruna framework uses a four-layer obfuscation architecture designed to defeat static analysis and automated sandboxes.
Layer 0: the outer bootstrap
The delivery HTML contains a minimal JavaScript bootstrap. Every meaningful string is hidden as an array of integers XOR-decoded at runtime:
[107, 49, 105, 97].map(x => String.fromCharCode(x ^ 84)).join("")The XOR key varies per string, so there is no single pattern to match across the file. The core logic is hidden inside new Function(atob("..."))()`: a Base64-encoded string evaluated as a new function, keeping the real code out of the initial parse tree and out of most static scanners.
Layer 1: the module dispatcher
The Base64-decoded Layer 1 is a JavaScript object registered as globalThis.vKTo89. It contains a full SHA-256 implementation and a lookup table of exploit modules keyed by their SHA1 hashes. The dispatcher exposes five API functions:
| Function | Purpose |
|---|---|
WLEBfI(url) |
Sets the base URL for remote module fetching |
ksQccv(salt) |
Sets the HMAC salt for module filename derivation |
OLdwIx(hash) |
Loads a module by SHA1 hash from the local cache |
LBrh4t(hash) |
Fetches and executes a remote module asynchronously |
tI4mjA(hash, b64) |
Registers an inline module by hash and Base64 code |
The LBrh4t function implements a keyed module delivery protocol. Given a module hash ID, it computes SHA256(salt + hash_id).substring(0, 40) and fetches the resulting filename from the server. The salt observed in the analysed samples is cf40de81867d2397. Without knowing the salt, an analyst cannot predict which filenames to request, even knowing the module hash IDs. The base URL is derived from location.href.slice(0, lastIndexOf("/") + 1), meaning all exploit modules are served from the same domain as the delivery page.
Layer 2: module code
Each module is stored as a Base64-encoded string. When decoded, the module JavaScript continues to use XOR-encoded string arrays for all sensitive literals: framework paths, API names, memory addresses, version constants.
Layer 3: inline binary payloads
The largest modules embed their binary payloads as Base64-encoded strings within the JavaScript. The ARM64 shellcode is stored as raw binary. The Mach-O binary is stored with each byte zero-padded to two bytes (UTF-16LE encoding), providing an additional layer of obfuscation against binary signature detection.
Anti-analysis measures
The framework implements several active anti-analysis checks before running any exploit code. It aborts if Apple's Lockdown Mode is detected. It skips execution in private browsing mode. It verifies a real WebKit rendering engine is present by creating a <math> element and checking that mathcolor="blue" renders as rgb(0, 0, 255). It checks for RTCPeerConnection availability to confirm a genuine browser environment rather than a headless sandbox. After execution, it reports the outcome to the C2 via a GET request to <base_url>?e=<code>, where 0 means success, 1000 means exploit failure, 1001 means the target version is not supported, and 1003 means a sandbox was detected.
The exploit chain: six phases from page load to Mach-O
Phase 1: target fingerprinting
The fingerprinting module runs first and determines whether the target is worth attacking and which exploit chain to use. The script checks the User-Agent string for Version/ (present in all Safari UAs) and AppleWebKit/. If neither is found, execution stops immediately. It then distinguishes iOS from macOS Safari using a combination of typeof TouchEvent !== "undefined" and an IndexedDB Blob insertion test: attempting to store a Blob object in IndexedDB throws the exception "BlobURLs are not yet supported" on iOS Safari, which serves as a reliable platform fingerprint.
The most technically sophisticated part of the fingerprinting is a WebAssembly memory oracle. The script instantiates a WebAssembly.Table and a WebAssembly.Instance, then reads the internal JSC (JavaScriptCore) cell type tags from memory. The tag value 0x10016 indicates macOS Safari; 0x10017 indicates iOS Safari. This technique reads JavaScriptCore's internal object representation directly from memory, requiring intimate knowledge of WebKit's source code. The iOS version is extracted from the User-Agent and compared against a lookup table of 19 known iOS versions (10.0.0 through 17.0.0) and 13 macOS Safari versions, with separate exploit paths selected for iOS 13 to 15.x and iOS 16.x and above.
Phase 2: remote code execution via JIT type confusion (CVE-2024-23222)
The primary exploit chain in the samples we analysed is cassowary, targeting CVE-2024-23222, a type confusion bug in JavaScriptCore patched by Apple in January 2024 with iOS 17.3.
The exploit begins by calling a function exactly 1,000,000 times with floating-point arguments. This forces the JSC JIT compiler to specialise the function for float array operations, generating optimised machine code that assumes every array element will always be a double-precision float. Once JIT compilation has occurred, the exploit replaces one element of the target array with a JavaScript object instead of a float. The JIT-compiled code reads this value as a float, interpreting the object's pointer as a 64-bit double. This is the type confusion: JSObject* is being treated as double. By reading back the confused float value, the exploit recovers the object's address in the JSC heap. This is the addrof primitive.
The reverse operation, writing a crafted float into the array, causes JSC to interpret the double as an object pointer, creating a fakeobj primitive pointing to attacker-controlled memory. Using addrof and fakeobj together, the exploit constructs a fake ArrayBuffer object whose backing store pointer is set to an arbitrary address. Reading or writing through this fake ArrayBuffer provides full arbitrary process memory read/write. The exploit stabilises this primitive using heap spraying with 16-element arrays of specific float values and a custom 64-bit integer abstraction class.
Phase 3: defeating ASLR via dyld shared cache scanning
With arbitrary read/write established, the exploit scans process memory for the dyld shared cache to defeat ASLR. On iOS, it locates WebCore, CoreUtils, and IOKit by scanning for their __TEXT segment headers. On macOS, it targets CoreFoundation, CoreGraphics, ActionKit, and RESync. The exploit reads the __TEXT segment headers of each framework to determine their load addresses, and locates _ZN3JSC16jitOperationListE to find JIT-allocated executable memory regions.
Phase 4: escaping the sandbox
The sandbox escape module combines two techniques. An SVG <feConvolveMatrix> filter exploit corrupts memory in the WebKit compositor process, allowing the exploit to escape the renderer sandbox. Simultaneously, the exploit uses pthread_main_thread_np, a private macOS and iOS API, to manipulate thread-local storage and gain access to the main thread's execution context, which carries broader system privileges than the renderer thread.
Phase 5: bypassing pointer authentication on Apple Silicon
On Apple Silicon devices, every iPhone since the XR and every M-series Mac, the exploit must defeat Pointer Authentication Codes (PAC), Apple's hardware-enforced control-flow integrity mechanism. The macOS stager module contains the following JSC internal C++ symbols:
_ZN3JSC20SecureARM64EHashPins27allocatePinForCurrentThreadEv
_ZN3JSC10LinkBuffer8linkCodeERNS_14MacroAssemblerENS_20JITCompilationEffortE
_ZN3WTF13MetaAllocator8allocateEmPv
jitCagePtrThe exploit abuses jitCagePtr and SecureARM64EHashPins to allocate executable memory within the JIT cage and sign the ARM64 shellcode with a valid PAC signature, allowing unsigned native code to execute on PAC-enforced hardware. The technique allocates 40 MB of memory with new Uint32Array(10000000) and fills JIT memory with predictable patterns using a JIT spray of repeated x += 1 statements.
Phase 6: shellcode execution and payload delivery
The final stager modules contain three embedded binary components:
| Component | Size | Format | Purpose |
|---|---|---|---|
| ARM64 shellcode | 31,308 bytes | Raw binary | Stage-1 native code execution |
| Encrypted Mach-O | 14,954 bytes | UTF-16LE padded binary | Stage-2 native binary |
| PlasmaLoader | ~1,324 bytes (encrypted) | Fetched .min.js |
Final implant |
The ARM64 shellcode begins with the standard function prologue STP X29, X30, [SP, #-16]! and is injected into JIT-allocated executable memory. It uses dlsym against /usr/lib/system/libdyld.dylib to resolve system functions at runtime, avoiding static imports. The Mach-O binary references private iOS frameworks including SpringBoard, PassKitCore, CoreML, MediaToolbox, and AppleMediaServices, indicating system-level capability: keychain access, installed app enumeration, and home screen manipulation. The final payload, PlasmaLoader (also called PLASMAGRID by Google GTIG), is fetched from the delivery domain as an encrypted .min.js file. It decodes QR codes from images, fetches additional modules from C2, and exfiltrates cryptocurrency wallet data from MetaMask, Exodus, Bitget Wallet, and Base.
Twenty-three exploits, five chains, four years of CVEs
The cassowary chain is one of twelve named exploit chains within Coruna. The full kit covers iOS 13 through 17.2.1 with no gaps.
| Chain | CVE | iOS versions targeted | Exploit type |
|---|---|---|---|
| Neutron | CVE-2020-27932 | 13.x | Kernel type confusion |
| Dynamo | CVE-2020-27950 | 13.x | Kernel memory disclosure |
| buffout | CVE-2021-30952 | 13.0 to 15.1.1 | WebKit integer overflow |
| jacurutu | CVE-2022-48503 | 15.2 to 15.5 | WebKit type confusion |
| IronLoader | CVE-2023-32409 | 16.0 to 16.4 | WebKit sandbox escape |
| Photon | CVE-2023-32434 | 14.5 to 15.7.6 | XNU integer overflow (Operation Triangulation) |
| Gallium | CVE-2023-38606 | 14.x | IOKit OOB write (Operation Triangulation) |
| Parallax | CVE-2023-41974 | 16.4 to 16.7 | WebKit use-after-free |
| terrorbird | CVE-2023-43000 | 16.2 to 16.5.1 | WebKit use-after-free |
| cassowary | CVE-2024-23222 | 16.6 to 17.2.1 | WebKit type confusion (primary chain) |
| Sparrow | CVE-2024-23225 | 17.0 to 17.3 | Kernel memory corruption |
| Rocket | CVE-2024-23296 | 17.1 to 17.4 | RTKit memory corruption |
Two of these chains, Photon and Gallium, exploit vulnerabilities previously used as zero-days in Operation Triangulation, the sophisticated iOS espionage campaign documented by Kaspersky in 2023. Their reuse in a financially motivated criminal campaign is a direct illustration of how nation-state offensive tools move into the broader threat ecosystem once the underlying CVEs become public knowledge. On March 5, 2026, CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to its Known Exploited Vulnerabilities catalog with a remediation deadline of March 26, 2026 for federal agencies.
The module architecture in full
[Delivery Page: group.html / analytics.html]
|
+-- Layer 0: Bootstrap (XOR-obfuscated JS)
| +-- Initialises globalThis.vKTo89 dispatcher
|
+-- Layer 1: MM Object (Base64 -> JS)
| +-- Module 1ff010bb: Math/utility library
| | +-- SHA256, BigInt arithmetic, URL parsing
| +-- Module 6b57ca33: Fingerprinting engine
| +-- UA parsing, platform detection
| +-- WebAssembly memory oracle (JSC cell tags 0x10016/0x10017)
| +-- IndexedDB Blob test (iOS detection)
| +-- MathML rendering test
| +-- WebRTC environment check
|
+-- Remote Modules (fetched via SHA256-keyed URLs)
+-- 8dbfa3fd: JIT type confusion exploit (addrof/fakeobj)
+-- 55afb1a6: Arbitrary R/W primitive (fake ArrayBuffer)
+-- 5264a069: WebAssembly-based exploit variant
+-- 166411bd: WebAssembly JIT spray / BigUint64Array primitive
+-- d6cb72f5: JIT compiler exploit (1M-iteration warm-up)
+-- dbfd6e84: Sandbox escape (feConvolveMatrix + pthread)
|
+-- [iOS path] bcb56dc5: iOS dyld shared cache scanner
| +-- WebCore, IOKit, CoreUtils framework locator
|
+-- [macOS path] 2d2c721e: macOS dyld shared cache scanner
| +-- CoreFoundation, CoreGraphics, ActionKit locator
|
+-- [iOS stager] 164349160: iOS payload stager
| +-- ARM64 shellcode (31,308 bytes)
| +-- Encrypted Mach-O binary (14,954 bytes)
|
+-- [macOS stager] 6241388a: macOS payload stager
+-- ARM64 shellcode (31,308 bytes)
+-- Encrypted Mach-O binary (14,954 bytes)
+-- PAC bypass (jitCagePtr, SecureARM64EHashPins)
+-- JIT ROP chainAttribution and threat actor context
The campaign delivering Coruna through cryptocurrency and gambling lures is attributed to UNC6691, a financially motivated threat actor assessed to operate from China. The infrastructure shows heavy use of .icu, .top, .online, and .game TLDs commonly associated with Chinese-operated fraud infrastructure, alongside Chinese-language domains (mijieqi[.]cn, mjdqw[.]cn, 668ddf[.]cc). There is no geolocation restriction: the exploit is delivered to any Safari user worldwide.
The migration of the Coruna framework from a commercial surveillance vendor through a nation-state espionage actor (UNC6353) to a financially motivated criminal group (UNC6691) within approximately one year illustrates the active secondary market for advanced mobile exploits. The two Operation Triangulation CVEs present in the kit, CVE-2023-32434 and CVE-2023-38606, were first publicly documented as zero-days used in a sophisticated espionage campaign. They are now part of a mass-exploitation tool targeting crypto wallets.
What you should do
The most effective protection is straightforward: update all Apple devices. The kit is explicitly stated to be not effective against the latest version of iOS as of the time of disclosure. Users on iOS 17.3 or later are protected against the primary cassowary chain. The full kit is neutralised on iOS 17.4 and above.
| Action | Priority | Protects against |
|---|---|---|
| Update to iOS 17.3+ | Critical | cassowary (CVE-2024-23222) |
| Update to iOS 17.4+ | Critical | Sparrow (CVE-2024-23225), Rocket (CVE-2024-23296) |
| Enable Lockdown Mode | High | All Coruna chains (kit explicitly aborts on Lockdown Mode) |
| Block 15-char .xyz DGA domains | Medium | C2 communication |
Alert on ?e= GET to new domains |
Medium | Exploit result reporting |
Alert on [40-char hex].min.js requests |
Medium | PlasmaLoader delivery |
For web teams specifically: the question is not only whether your users are patched. It is whether your site could be used to deliver this payload to users who are not. A compromised ad tag, a poisoned analytics script, or a hijacked CDN asset loaded by your pages would make your site a distribution node. Your server logs would show nothing. The exploit runs in the browser, reports to a C2 domain you have never heard of, and leaves.
Indicators of compromise
C2 domains (DGA-generated, .xyz TLD)
vvri8ocl4t3k8n6[.]xyz rlau616jc7a7f7i[.]xyz ol67el6pxg03ad7[.]xyz
6zvjeulzaw5c0mv[.]xyz ztvnhmhm4zj95w3[.]xyz v2gmupm7o4zihc3[.]xyz
pen0axt0u476duw[.]xyz hfteigt3kt0sf3z[.]xyz xfal48cf0ies7ew[.]xyz
yvgy29glwf72qnl[.]xyz lk4x6x2ejxaw2br[.]xyz 2s3b3rknfqtwwpo[.]xyz
xjslbdt9jdijn15[.]xyz hui4tbh9uv9x4yi[.]xyz xittgveqaufogve[.]xyz
xmmfrkq9oat1daq[.]xyz lsnngjyu9x6vcg0[.]xyz gdvynopz3pa0tik[.]xyz
o08h5rhu2lu1x0q[.]xyz zcjdlb5ubkhy41u[.]xyz 8fn4957c5g986jp[.]xyz
uawwydy3qas6ykv[.]xyz sf2bisx5nhdkygn3l[.]xyz roy2tlop2u[.]xyz
gqjs3ra34lyuvzb[.]xyz eg2bjo5x5r8yjb5[.]xyz b38w09ecdejfqsf[.]xyzDelivery domains (selected)
ai-scorepredict[.]com pepeairdrop01[.]com
goodcryptocurrency[.]top cryptocurrencyworld[.]top
bestcryptocurrency[.]top binancealliancesintro[.]com
b27[.]icu 7p[.]game
4u[.]game h4k[.]icu
spin7[.]icu seven7[.]vip
seven7[.]to 4kgame[.]us
7uspin[.]us n49[.]top
98a[.]online 7ff[.]online
26a[.]online cy8[.]top
btrank[.]top mkkku[.]com
goanalytics[.]xyz kanav[.]blog
land[.]77bingos[.]com land[.]bingo777[.]now
land[.]777bingos[.]xyz dbgopaxl[.]com
lddx3z2d72aa8i6[.]xyz dd9l7e6ghme8pbk[.]xyz
fxrhcnfwxes90q[.]xyz 3v5w1km5gv[.]xyz
sj9ioz3a7y89cy7[.]xyz appstoreconn[.]com
ddus17[.]com tubeluck[.]comInfrastructure IPs (non-CDN)
| IP | ASN | Hosting provider | Domains |
|---|---|---|---|
95.214.181.109 |
AS212238 | Datacamp Limited, HK (bulletproof) | cryptocurrencyworld[.]top, bestcryptocurrency[.]top |
185.53.179.128 |
AS61969 | Team Internet AG, DE | mkkku[.]com |
103.110.221.8 |
AS137535 | JT Telecom International, JP | ddus17[.]com |
54.248.167.86 |
AS16509 | AWS EC2 ap-northeast-1 (Tokyo) | btrank[.]top |
Additional domains found via rDNS pivot (Team Internet AG, 185.53.179.128)
bet247[.]ac gem88[.]ac gemwin[.]ac
gunbet[.]ac i9-bet[.]ac sbet[.]ac
taisunwin[.]acJavaScript signatures
Module dispatcher: globalThis.vKTo89
API functions: WLEBfI, ksQccv, OLdwIx, LBrh4t, tI4mjA
URL obfuscation: lysNguL, lysNguk, lysNgu6, lysNguv
Deployment salt: cf40de81867d2397
XOR pattern: [n1,n2,...].map(x => String.fromCharCode(x ^ K)).join("")
JIT warm-up: new Uint32Array(10000000) + repeated x += 1
Version boundaries: 13E4, 16E4Module SHA1 hash IDs
1ff010bb3e857e2b0383f1d9a1cf9f54e321fbb0 (utility library)
6b57ca3347345883898400ea4318af3b9aa1dc5c (fingerprinting)
8dbfa3fdd44e287d57c55e74a97f526120ffd8f0 (JIT type confusion)
55afb1a69f9e35265f29b113adaa6f34e8215813 (arbitrary R/W)
5264a0694295c0a1978d1b4b03b2ab909e5c6d09 (WASM exploit)
166411bd90ee39aed912bd49af8d86831b686337 (BigUint64 primitive)
d6cb72f5888b2ec1282b584155490e3b6e90a977 (JIT compiler exploit)
dbfd6e840218865cb2269e6b7ed7d10ea9f22f93 (sandbox escape)
bcb56dc5317128d4e53b8474535f4c099bf322b3 (iOS dyld scanner)
2d2c721e64fbbb49c39654930563758332e4eff3 (macOS dyld scanner)
164349160d3d35d83bfdcc001ccd23cd1b3b75d5 (iOS stager)
6241388ab7da11aa490d4ecfed44d952568f008a (macOS stager)Binary signatures
ARM64 shellcode: 31,308 bytes | begins fd 7b bf a9 fd 03 00 91 (STP X29, X30 prologue)
Mach-O payload: 14,954 bytes | ARM64 (0xFEEDFACF) | UTF-16LE padded in JS
PlasmaLoader: ~1,324 bytes encrypted | filename: [40-char hex].min.jsQuick recap
Coruna is a spyware-grade iOS exploit kit containing 23 individual exploits across five chains, covering every version of iOS from 13.0 through 17.2.1. It was originally developed for a commercial surveillance vendor, passed through a Russian espionage group, and is now in active use by a Chinese financially motivated threat actor targeting cryptocurrency wallets.
The kit runs entirely in the browser as a self-contained JavaScript payload. It uses four layers of obfuscation, a keyed module delivery protocol that makes static analysis nearly impossible without the deployment salt, and a six-phase execution chain that ends with a signed ARM64 shellcode, a Mach-O binary, and a final implant that exfiltrates MetaMask, Exodus, Bitget Wallet, and Base wallet data.
The primary chain (cassowary, CVE-2024-23222) targets iOS 16.6 through 17.2.1 using a JIT type confusion in JavaScriptCore. Two chains reuse zero-days from Operation Triangulation. Three CVEs were added to the CISA KEV catalog the day after public disclosure.
The infrastructure spans more than 50 delivery domains registered in a 10-week window between November 2025 and January 2026, hosted across Cloudflare, AWS CloudFront, a Hong Kong bulletproof provider (Datacamp Limited), and a dedicated AWS EC2 instance in Tokyo. The 27 C2 domains are DGA-generated using the seed "lazarus" and were Cloudflare-fronted at the time of disclosure.
The critical point for web teams: this payload is a JavaScript file. It does not need to live on your server to reach your users. A compromised ad tag, a poisoned third-party script, or a hijacked CDN asset would be enough. Your logs would show nothing. cside monitors every script that executes in your users' browsers in real time, which is the only layer where this attack is visible.
Know what is happening on your website. You would not have known if this script was injected into your visitors' browsers as a result of one of your open source packages, marketing tools, ads, or dependencies of your dependencies. This unfortunately happens all the time.
Use cside to protect your business. Use cside to protect your customers.
References
- Google Threat Intelligence Group, "Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13-17.2.1," The Hacker News, March 4, 2026.
- Apple Security Advisory, "CVE-2024-23222: WebKit type confusion issue," January 2024. nvd.nist.gov
- CISA Known Exploited Vulnerabilities Catalog, March 5, 2026. cisa.gov
- Help Net Security, "Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)," January 23, 2024.
- Infosecurity Magazine, "Coruna Exploit Kit Targets Older iPhones in Multi-Stage Attack," March 2026.
- Security Affairs, "Google uncovers Coruna iOS Exploit Kit targeting iOS 13-17.2.1," March 2026.
This analysis is based on direct inspection of live Coruna samples retrieved from active delivery domains (b27[.]icu, 7p[.]game) combined with public threat intelligence from Google GTIG, CISA, and iVerify. Infrastructure analysis was performed using DNS resolution, reverse DNS pivots via HackerTarget, RDAP registration queries, certificate transparency logs via crt.sh, and URLScan passive DNS. All binary analysis was performed in an isolated environment.
