## https://sploitus.com/exploit?id=51C5E4AA-2B30-5477-815A-06A1A22B9EA9
# Coruna iOS Exploit Kit: Reverse Engineering Analysis
> **Defensive research only.** This repository documents an in-the-wild iOS exploit kit for the purpose of detection, mitigation, and research. Do not execute any file in this repository against a real device. All vulnerabilities documented here are patched in iOS 17.3 and later.
Coruna is a government-grade iOS exploit kit identified by the Google Threat Intelligence Group in February 2025. The full kit contains 23 exploits across 5 attack chains capable of silently compromising any iPhone running iOS 11.0 through 17.2.1. This repository contains the reverse-engineered analysis of the kit's UNC6691 deployment, which targets iPhone users via fake gambling and cryptocurrency websites to steal wallet seed phrases; the shipped subset covers 3 of the 5 chains across 6 JavaScript modules (plus a 7th post-exploit submodule inlined into the implant loader).
It documents the JavaScript loader, the WebKit exploit chains for iOS 11 through 17.2, the Mach-O parser used for native symbol resolution, and the PLASMAGRID native implant that performs the final wallet exfiltration.
## What's in here
| Path | Contents |
|------|----------|
| [`docs/`](docs/) | Function-by-function walkthrough of the entire kit + CVE map, variant comparison, IoCs, defenses, MITRE ATT&CK mapping, references |
| [`analysis/loader/`](analysis/loader/) | The inline script and its embedded modules, original + cleaned |
| [`analysis/exploits/`](analysis/exploits/) | The remote-fetched WebKit exploit modules, original + cleaned |
| [`tools/`](tools/) | The deobfuscation pipeline + YARA/Sigma rulesets + supporting analysis utilities |
## Quick navigation
- **Start here:** [`docs/01-overview.md`](docs/01-overview.md) - threat overview and timeline
- **Attack flow diagram:** [`docs/02-attack-flow.md`](docs/02-attack-flow.md)
- **Per-exploit deep dives:** [`docs/05-exploits/`](docs/05-exploits/)
- **CVE mapping and patch dates:** [`docs/06-cve-mapping.md`](docs/06-cve-mapping.md)
- **IoCs for detection** (markdown): [`docs/08-iocs.md`](docs/08-iocs.md)
- **IoCs for automation** (CSV): [`docs/iocs.csv`](docs/iocs.csv)
- **Defenses:** [`docs/09-defenses.md`](docs/09-defenses.md)
- **MITRE ATT&CK mapping:** [`docs/11-mitre.md`](docs/11-mitre.md)
- **YARA rules:** [`tools/yara/coruna.yar`](tools/yara/coruna.yar)
- **Sigma rules:** [`tools/sigma/`](tools/sigma/)
## Verifying the loader hashes
The loader MD5s are byte-stable indicators across every captured sample. You can verify the committed originals match the published IoC values yourself:
```bash
md5sum analysis/loader/lysnguv/original.js analysis/loader/fqmagknl/original.js
# 8717d5ead350dd634cc086dd750b055a analysis/loader/lysnguv/original.js
# ccff3f70539f09a83decfb2cbd61acf0 analysis/loader/fqmagknl/original.js
```
The cleaned versions in `analysis/**/clean/` are reproducible via `tools/deobfuscate.pl | tools/js_beautify.pl`; the CI workflow `reproducibility.yml` regenerates and diffs them on every push.
## Repository layout
```
coruna-exploit-kit-analysis/
├── docs/          Markdown documentation with function-by-function walkthroughs
├── analysis/      Original obfuscated payloads + fully deobfuscated cleaned versions
│   ├── loader/    inline_script_1.js per variant + its embedded modules
│   └── exploits/  Remote-fetched WebKit exploit modules per variant
└── tools/         deobfuscate.pl + js_beautify.pl: the entire cleaning pipeline
```
## How the cleaning was done
Each obfuscated payload in `analysis/exploits/<variant>/original/` was processed by the two scripts in `tools/`: `deobfuscate.pl` resolves XOR string arrays, numeric XOR literals, and inlined `atob()` calls; `js_beautify.pl` then converts the single-line minified output into indented multi-line code. The result lives in `analysis/exploits/<variant>/clean/`. The cleaning is reproducible; see the `reproducibility.yml` GitHub Action.
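A minimal Python sketch of the three passes that the cleaning step describes (XOR string table, numeric XOR literals, inlined `atob()`), added here for illustration. It is not the repository's `deobfuscate.pl`, and the sample's obfuscation layout (hex key, hex-encoded table, `t[i]` lookups) is an assumption rather than Coruna's real loader format.

```python
import base64
import re

# Constructed sample in the style of an XOR string-array obfuscator. The layout
# (hex key, hex-encoded XOR table, numeric XOR literal, inlined atob) is an
# assumption for illustration, not the actual Coruna loader format.
SAMPLE_JS = (
    "var k=0x5a;var t=['3c3f2e3932','2d3b36363f2e'];"
    "var n=(0x1234^0x5a);var m=atob('c2VlZA==');call(t[0],t[1],n,m);"
)

def js_str(s: str) -> str:
    """Emit a single-quoted JavaScript string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def xor_decode_hex(hex_text: str, key: int) -> str:
    """XOR each byte of a hex-encoded string with a one-byte key."""
    return bytes(b ^ key for b in bytes.fromhex(hex_text)).decode("latin-1")

def resolve_string_array(js: str) -> str:
    """Decode the XOR string table and inline every table[i] lookup as a literal."""
    decl = re.search(r"var (\w+)=0x([0-9a-fA-F]+);var (\w+)=\[([^\]]*)\];", js)
    if decl is None:
        return js
    key, arr = int(decl.group(2), 16), decl.group(3)
    table = [xor_decode_hex(h, key) for h in re.findall(r"'([0-9a-fA-F]*)'", decl.group(4))]
    js = js[: decl.start()] + js[decl.end():]  # drop the key/table declarations
    return re.sub(rf"\b{arr}\[(\d+)\]", lambda m: js_str(table[int(m.group(1))]), js)

def fold_numeric_xor(js: str) -> str:
    """Replace (A^B) over two numeric literals with the computed constant."""
    num = r"(0x[0-9a-fA-F]+|\d+)"
    return re.sub(rf"\({num}\^{num}\)",
                  lambda m: str(int(m.group(1), 0) ^ int(m.group(2), 0)), js)

def inline_atob(js: str) -> str:
    """Replace atob('<base64>') with the decoded string literal."""
    return re.sub(r"atob\('([A-Za-z0-9+/=]*)'\)",
                  lambda m: js_str(base64.b64decode(m.group(1)).decode("latin-1")), js)

def deobfuscate(js: str) -> str:
    """Run the three passes in the order the cleaning pipeline describes."""
    return inline_atob(fold_numeric_xor(resolve_string_array(js)))

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```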
## Variants tracked in this repository
| Variant | Sites | Delivery server | Loader object | Hash key |
|---------|------:|-----------------|---------------|----------|
| **lysNguv** | 19 | `b27[.]icu` | `globalThis.vKTo89` | `cf40de81867d2397` |
| **fqMaGkNL** | 4 | `sadjd[.]mijieqi[.]cn` | `globalThis.obChTK` | `cecd08aa6ff548c2` |
See [`docs/07-variants.md`](docs/07-variants.md) for the full comparison.
## License
MIT; see [LICENSE](LICENSE).
## Citing this work
If you reference this repository in research, detection rules, threat reports, or public writeups, please use the metadata in [`CITATION.cff`](CITATION.cff). GitHub will produce a formatted citation automatically from that file.
## Issues
Factual corrections, new IoCs, detection-rule improvements, and broken-link repairs are welcome via GitHub issues. See [`.github/ISSUE_TEMPLATE/`](.github/ISSUE_TEMPLATE/) for the templates.
## Changelog
See [`CHANGELOG.md`](CHANGELOG.md) for the release history.
## Acknowledgments
- **Google Threat Intelligence Group (GTIG)** for the original disclosure and the Coruna name
- **CISA** for the KEV catalog entries and public tracking
- **Apple Product Security** for the patches
- **iVerify** for the parallel disclosure and host-based telemetry work
- **Project Zero** for the public research on WebKit / JavaScriptCore exploitation that this analysis cross-references
- **Samuel Groß** for the JITSploitation series that remains the canonical treatment of JSC NaN-box exploitation
## Contact
For responsible disclosure, factual corrections, or questions, see [SECURITY.md](SECURITY.md).