ios.coruna

Coruna


According to Google, this is a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named "Coruna" by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.

References
2026-03-06 · nadsec · nadsec
Coruna: A Complete Technical Teardown
Coruna
2026-03-03 · Google · Google Threat Intelligence Group
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Coruna UNC6353 UNC6691
2026-03-03 · Google · Google Threat Intelligence Group
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
Coruna
Yara Rules
[TLP:WHITE] ios_coruna_w0 (20260319 | Detects Coruna's characteristic XOR string decoding pattern)
// Flags script content under 500KB that repeats an inline
// "numeric array -> XOR with a constant -> string" decoder more than five times.
rule ios_coruna_w0 {
    meta:
        description = "Detects Coruna's characteristic XOR string decoding pattern"
        author = "@Nadsec"
        severity = "critical"
        reference = "Coruna iOS/macOS exploit framework"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Shape matched, in order:
        //   [n, n, n, n, n, n, ...]   a bracketed list of at least six 1-3 digit numbers
        //   .map(x => { return String.fromCharCode(x ^ K); })   K is a 1-3 digit constant
        //   .join("")
        // The regex is tied to this exact source form (parameter named x, trailing
        // semicolon, double-quoted join argument), so a miss on reformatted or
        // re-minified script is not evidence of absence.
        // NOTE(review): {5,} has no upper bound; very long numeric arrays may make
        // this regex expensive on large corpora. Measure before deploying at scale.
        $xor_pattern = /\[\d{1,3}(,\s*\d{1,3}){5,}\]\.map\(x\s*=>\s*\{\s*return\s+String\.fromCharCode\(x\s*\^\s*\d{1,3}\);\s*\}\)\.join\(""\)/ ascii

    condition:
        // "#xor_pattern > 5" means six or more occurrences; a single decoder call
        // is not enough to fire the rule.
        filesize < 500KB and #xor_pattern > 5
}
[TLP:WHITE] ios_coruna_w1 (20260319 | Detects Coruna's vKTo89/OLdwIx module namespace registration)
// Flags content under 500KB that contains the registration identifier together
// with at least one namespace identifier and at least one 40-hex-character string.
rule ios_coruna_w1 {
    meta:
        description = "Detects Coruna's vKTo89/OLdwIx module namespace registration"
        author = "@Nadsec"
        severity = "critical"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Six-character identifiers; each one alone is short enough to collide with
        // unrelated data, which is why the condition requires them in combination.
        $ns1 = "vKTo89" ascii
        $ns2 = "OLdwIx" ascii
        $register = "tI4mjA" ascii
        // These are matched as literal ASCII text inside the scanned content; they
        // are not digests of the scanned file and must not be used as file-hash IoCs.
        // NOTE(review): presumably module identifiers referenced by the loader;
        // confirm against the source write-up.
        $hash1 = "1ff010bb3e857e2b0383f1d9a1cf9f54e321fbb0" ascii
        $hash2 = "6b57ca3347345883898400ea4318af3b9aa1dc5c" ascii

    condition:
        // Three-way conjunction: $register AND one of $ns1/$ns2 AND one of $hash1/$hash2.
        filesize < 500KB and $register and (any of ($ns*)) and (any of ($hash*))
}
[TLP:WHITE] ios_coruna_w2 (20260319 | Detects decoded strings associated with Coruna's PAC bypass)
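// Flags content under 500KB that carries at least three distinct strings from the
// set this rule's description associates with Coruna's PAC bypass.
rule ios_coruna_w2 {
    meta:
        description = "Detects decoded strings associated with Coruna's PAC bypass"
        author = "@Nadsec"
        severity = "critical"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // "jitCagePtr" is a substring of "_jitCagePtr": whenever $jitcage2 matches,
        // $jitcage1 matches on the same bytes. The condition therefore treats the
        // pair as a single indicator.
        $jitcage1 = "jitCagePtr" ascii
        $jitcage2 = "_jitCagePtr" ascii
        $hashpins = "SecureARM64EHashPins" ascii
        // Two spaces between "dyld_v1" and "arm64e" are part of the literal.
        $dyld_magic = "dyld_v1  arm64e" ascii
        $auth_const = "__AUTH_CONST" ascii
        $linkbuf = "LinkBuffer" ascii

    condition:
        // Originally "3 of them", which a lone "_jitCagePtr" plus one other string
        // satisfied because of the substring overlap above. Requiring three
        // distinct indicators keeps the threshold the count implies.
        // NOTE(review): the description calls these "decoded" strings, so the rule
        // is presumably meant for deobfuscated script or memory content; confirm
        // before relying on it for raw delivery artifacts.
        filesize < 500KB and (
            3 of ($hashpins, $dyld_magic, $auth_const, $linkbuf) or
            (any of ($jitcage*) and 2 of ($hashpins, $dyld_magic, $auth_const, $linkbuf))
        )
}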
[TLP:WHITE] ios_coruna_w3 (20260319 | Detects Coruna's gadget function name strings)
// Flags content under 500KB that names at least three of seven functions the
// rule's description identifies as gadget function names used by Coruna.
rule ios_coruna_w3 {
    meta:
        description = "Detects Coruna's gadget function name strings"
        author = "@Nadsec"
        severity = "high"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain symbol-name strings. Several are ordinary library functions
        // (e.g. xmlHashScanFull from libxml2, CFRunLoopObserverCreateWithHandler
        // from CoreFoundation), so symbol tables, crash logs or documentation from
        // benign software can contain them individually.
        $g1 = "enet_allocate_packet_payload_default" ascii
        $g2 = "_autohinter_iterator_begin" ascii
        $g3 = "_autohinter_iterator_end" ascii
        $g4 = "_EdgeInfoCFArrayReleaseCallBack" ascii
        $g5 = "_dlfcn_globallookup" ascii
        $g6 = "xmlHashScanFull" ascii
        $g7 = "CFRunLoopObserverCreateWithHandler" ascii

    condition:
        // Any three of the seven names suffice; no string is mandatory.
        // NOTE(review): severity is "high" rather than "critical" here, presumably
        // reflecting the weaker specificity of library symbol names; triage hits
        // alongside the other ios_coruna_* rules.
        filesize < 500KB and 3 of them
}
[TLP:WHITE] ios_coruna_w4 (20260319 | Detects Coruna's final payload encryption markers)
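// Flags content under 250KB that contains all four payload-container field names
// together with the inline XOR string-decoder idiom.
rule ios_coruna_w4 {
    meta:
        description = "Detects Coruna's final payload encryption markers"
        author = "@Nadsec"
        severity = "critical"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $hdr_seed = "HeaderSeed" ascii
        $hdr_key = "HeaderKey" ascii
        $enc_blocks = "EncryptedBlocks" ascii
        // Despite the identifier, this matches any occurrence of "ArrayBuffer"
        // (including inside "SharedArrayBuffer"); it adds little specificity alone.
        $shared_buf = "ArrayBuffer" ascii
        // The leading dot is escaped so it matches a literal ".map(" call rather
        // than any character followed by "map(".
        // NOTE(review): unlike ios_coruna_w0, this form allows no whitespace between
        // "{" and "return" and exactly one space before "String"; confirm against
        // samples that this stricter spacing is intended.
        $xor_map = /\.map\(x\s*=>\s*\{return String\.fromCharCode/ ascii

    condition:
        // Every string is required; the 250KB cap is tighter than the 500KB used
        // by the sibling ios_coruna_* rules.
        filesize < 250KB and all of ($hdr_*) and $enc_blocks and $shared_buf and $xor_map
}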
[TLP:WHITE] ios_coruna_w5 (20260319 | Detects Coruna C2 domain and URL construction patterns)
// Flags content that either contains the listed C2 domain (any file size) or,
// for files under 500KB, combines a doubled ".js" extension, an "?e=" query
// parameter and an XMLHttpRequest reference.
rule ios_coruna_w5 {
    meta:
        description = "Detects Coruna C2 domain and URL construction patterns"
        author = "@Nadsec"
        severity = "critical"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Case-insensitive, ASCII only (no "wide"), and not "fullword": the seven
        // bytes also match when embedded in a longer label or token.
        // NOTE(review): consider "fullword" and a "wide" variant if false positives
        // or UTF-16 content matter in your environment.
        $domain = "b27.icu" ascii nocase
        $double_ext = ".min.js.js" ascii
        // Three-byte string; common in ordinary URLs, so it only narrows the match
        // in combination with $double_ext.
        $query_param = "?e=" ascii
        $xhr = "XMLHttpRequest" ascii

    condition:
        // The $domain branch is not bounded by filesize, so the rule can fire on
        // arbitrarily large files (logs, pcaps, browser caches, threat-intel
        // reports that quote the domain). Network indicators also age: validate
        // hits against current infrastructure intelligence.
        $domain or (filesize < 500KB and $double_ext and $query_param and $xhr)
}
[TLP:WHITE] ios_coruna_w6 (20260319 | Detects Coruna's minimal Wasm R/W adapter modules by byte pattern)
// Flags content under 500KB that contains the WebAssembly header bytes together
// with the strings "btl", "alt" and "BigUint64Array".
rule ios_coruna_w6 {
    meta:
        description = "Detects Coruna's minimal Wasm R/W adapter modules by byte pattern"
        author = "@Nadsec"
        severity = "critical"
        source = "https://www.nadsec.online/blog/coruna-technical-analysis"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ios.coruna"
        malpedia_version = "20260319"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Wasm magic ("\0asm") followed by the 4-byte version field (1).
        // These eight bytes open every WebAssembly binary module; no type-section
        // bytes of the specific adapter are included in the pattern.
        $wasm_magic = { 00 61 73 6D 01 00 00 00 }
        // Three-byte strings that occur widely (e.g. "alt" in HTML attributes);
        // they contribute little specificity on their own.
        $export_btl = "btl" ascii
        $export_alt = "alt" ascii
        $bigint_check = "BigUint64Array" ascii

    condition:
        // $wasm_magic is not anchored to offset 0, so the header may appear anywhere
        // in the file, which requires raw Wasm bytes and the JavaScript-side
        // "BigUint64Array" text to sit in the same scanned object.
        // NOTE(review): the rule therefore matches generic Wasm-plus-JS bundles
        // that happen to contain "btl" and "alt"; the 500KB cap does not
        // restrict it to small adapter modules. Treat hits as leads to be
        // corroborated with the other ios_coruna_* rules.
        filesize < 500KB and $wasm_magic and $export_btl and $export_alt and $bigint_check
}