Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    Date: 03/09/2026

    Severity: Critical

    Summary

    The Coruna exploit kit is a sophisticated toolkit targeting Apple iPhones running iOS 13.0 through 17.2.1, containing five full exploit chains and 23 exploits, including zero-day exploits, that leverage advanced, non-public techniques to bypass iOS security protections. Initially used in targeted surveillance operations, the kit later appeared in watering hole attacks against Ukrainian users and was subsequently deployed in large-scale campaigns by financially motivated actors, highlighting the proliferation of advanced exploit capabilities through underground markets. The exploits are ineffective against the latest iOS versions, and users are advised to update their devices or enable Lockdown Mode to reduce risk.

    Indicators of Compromise (IOC) List

    URLs/Domain


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://4u.game/group.html" or siteurl like "https://4u.game/group.html" or url like "https://4u.game/group.html" or domainname like "lk4x6x2ejxaw2br.xyz" or siteurl like "lk4x6x2ejxaw2br.xyz" or url like "lk4x6x2ejxaw2br.xyz" or domainname like "https://w2a315.tubeluck.com/static/goindex/tuiliu/group.html" or siteurl like "https://w2a315.tubeluck.com/static/goindex/tuiliu/group.html" or url like "https://w2a315.tubeluck.com/static/goindex/tuiliu/group.html" or domainname like "ztvnhmhm4zj95w3.xyz" or siteurl like "ztvnhmhm4zj95w3.xyz" or url like "ztvnhmhm4zj95w3.xyz" or domainname like "zcjdlb5ubkhy41u.xyz" or siteurl like "zcjdlb5ubkhy41u.xyz" or url like "zcjdlb5ubkhy41u.xyz" or domainname like "yvgy29glwf72qnl.xyz" or siteurl like "yvgy29glwf72qnl.xyz" or url like "yvgy29glwf72qnl.xyz" or domainname like "vvri8ocl4t3k8n6.xyz" or siteurl like "vvri8ocl4t3k8n6.xyz" or url like "vvri8ocl4t3k8n6.xyz" or domainname like "hui4tbh9uv9x4yi.xyz" or siteurl like "hui4tbh9uv9x4yi.xyz" or url like "hui4tbh9uv9x4yi.xyz" or domainname like "https://4kgame.us/group.html" or siteurl like "https://4kgame.us/group.html" or url like "https://4kgame.us/group.html" or domainname like "https://h4k.icu/group.html" or siteurl like "https://h4k.icu/group.html" or url like "https://h4k.icu/group.html" or domainname like "https://res54allb.xn--xkrsa0078bd6d.com/group.html" or siteurl like "https://res54allb.xn--xkrsa0078bd6d.com/group.html" or url like "https://res54allb.xn--xkrsa0078bd6d.com/group.html" or domainname like "6zvjeulzaw5c0mv.xyz" or siteurl like "6zvjeulzaw5c0mv.xyz" or url like "6zvjeulzaw5c0mv.xyz" or domainname like "rlau616jc7a7f7i.xyz" or siteurl like "rlau616jc7a7f7i.xyz" or url like "rlau616jc7a7f7i.xyz" or domainname like "https://goanalytics.xyz/88k4ez/group.html" or siteurl like "https://goanalytics.xyz/88k4ez/group.html" or url like "https://goanalytics.xyz/88k4ez/group.html" or domainname like "https://3v5w1km5gv.xyz/group.html" or siteurl 
like "https://3v5w1km5gv.xyz/group.html" or url like "https://3v5w1km5gv.xyz/group.html" or domainname like "2s3b3rknfqtwwpo.xyz" or siteurl like "2s3b3rknfqtwwpo.xyz" or url like "2s3b3rknfqtwwpo.xyz" or domainname like "https://7uspin.us/group.html" or siteurl like "https://7uspin.us/group.html" or url like "https://7uspin.us/group.html" or domainname like "https://seven7.vip/group.html" or siteurl like "https://seven7.vip/group.html" or url like "https://seven7.vip/group.html" or domainname like "http://ddus17.com/tuiliu/group.html" or siteurl like "http://ddus17.com/tuiliu/group.html" or url like "http://ddus17.com/tuiliu/group.html" or domainname like "gdvynopz3pa0tik.xyz" or siteurl like "gdvynopz3pa0tik.xyz" or url like "gdvynopz3pa0tik.xyz" or domainname like "http://land.777bingos.xyz/88k4ez/group.html" or siteurl like "http://land.777bingos.xyz/88k4ez/group.html" or url like "http://land.777bingos.xyz/88k4ez/group.html" or domainname like "o08h5rhu2lu1x0q.xyz" or siteurl like "o08h5rhu2lu1x0q.xyz" or url like "o08h5rhu2lu1x0q.xyz" or domainname like "https://osec2.668ddf.cc/tuiliu/group.html" or siteurl like "https://osec2.668ddf.cc/tuiliu/group.html" or url like "https://osec2.668ddf.cc/tuiliu/group.html" or domainname like "https://sadjd.mijieqi.cn/group.html" or siteurl like "https://sadjd.mijieqi.cn/group.html" or url like "https://sadjd.mijieqi.cn/group.html" or domainname like "gqjs3ra34lyuvzb.xyz" or siteurl like "gqjs3ra34lyuvzb.xyz" or url like "gqjs3ra34lyuvzb.xyz" or domainname like "https://7ff.online/group.html" or siteurl like "https://7ff.online/group.html" or url like "https://7ff.online/group.html" or domainname like "lsnngjyu9x6vcg0.xyz" or siteurl like "lsnngjyu9x6vcg0.xyz" or url like "lsnngjyu9x6vcg0.xyz" or domainname like "https://7fun.icu/group.html" or siteurl like "https://7fun.icu/group.html" or url like "https://7fun.icu/group.html" or domainname like "https://mkkku.com/static/analytics.html" or siteurl like 
"https://mkkku.com/static/analytics.html" or url like "https://mkkku.com/static/analytics.html"

    Detection Query 2 :

    domainname like "https://goodcryptocurrency.top/details/group.html" or siteurl like "https://goodcryptocurrency.top/details/group.html" or url like "https://goodcryptocurrency.top/details/group.html" or domainname like "https://ai-scorepredict.com/static/analytics.html" or siteurl like "https://ai-scorepredict.com/static/analytics.html" or url like "https://ai-scorepredict.com/static/analytics.html" or domainname like "https://www.appstoreconn.com/xmweb/group.html" or siteurl like "https://www.appstoreconn.com/xmweb/group.html" or url like "https://www.appstoreconn.com/xmweb/group.html" or domainname like "https://y4w.icu/group.html" or siteurl like "https://y4w.icu/group.html" or url like "https://y4w.icu/group.html" or domainname like "https://land.bingo777.now/88k4ez/group.html" or siteurl like "https://land.bingo777.now/88k4ez/group.html" or url like "https://land.bingo777.now/88k4ez/group.html" or domainname like "http://goodcryptocurrency.top/details/group.html" or siteurl like "http://goodcryptocurrency.top/details/group.html" or url like "http://goodcryptocurrency.top/details/group.html" or domainname like "https://spin7.icu/group.html" or siteurl like "https://spin7.icu/group.html" or url like "https://spin7.icu/group.html" or domainname like "https://i.binaner.com/group.html" or siteurl like "https://i.binaner.com/group.html" or url like "https://i.binaner.com/group.html" or domainname like "https://so5083.tubeluck.com/static/goindex/group.html" or siteurl like "https://so5083.tubeluck.com/static/goindex/group.html" or url like "https://so5083.tubeluck.com/static/goindex/group.html" or domainname like "https://dd9l7e6ghme8pbk.xyz/group.html" or siteurl like "https://dd9l7e6ghme8pbk.xyz/group.html" or url like "https://dd9l7e6ghme8pbk.xyz/group.html" or domainname like "eg2bjo5x5r8yjb5.xyz" or siteurl like "eg2bjo5x5r8yjb5.xyz" or url like "eg2bjo5x5r8yjb5.xyz" or domainname like "xjslbdt9jdijn15.xyz" or siteurl like "xjslbdt9jdijn15.xyz" or url like 
"xjslbdt9jdijn15.xyz" or domainname like "https://lddx3z2d72aa8i6.xyz/group.html" or siteurl like "https://lddx3z2d72aa8i6.xyz/group.html" or url like "https://lddx3z2d72aa8i6.xyz/group.html" or domainname like "https://share.4u.game/group.html" or siteurl like "https://share.4u.game/group.html" or url like "https://share.4u.game/group.html" or domainname like "https://m.pc6.com/test/tuiliu/group.html" or siteurl like "https://m.pc6.com/test/tuiliu/group.html" or url like "https://m.pc6.com/test/tuiliu/group.html" or domainname like "https://btrank.top/tuiliu/group.html" or siteurl like "https://btrank.top/tuiliu/group.html" or url like "https://btrank.top/tuiliu/group.html" or domainname like "8fn4957c5g986jp.xyz" or siteurl like "8fn4957c5g986jp.xyz" or url like "8fn4957c5g986jp.xyz" or domainname like "http://bestcryptocurrency.top/details/group.html" or siteurl like "http://bestcryptocurrency.top/details/group.html" or url like "http://bestcryptocurrency.top/details/group.html" or domainname like "xmmfrkq9oat1daq.xyz" or siteurl like "xmmfrkq9oat1daq.xyz" or url like "xmmfrkq9oat1daq.xyz" or domainname like "https://n49.top/group.html" or siteurl like "https://n49.top/group.html" or url like "https://n49.top/group.html" or domainname like "xittgveqaufogve.xyz" or siteurl like "xittgveqaufogve.xyz" or url like "xittgveqaufogve.xyz" or domainname like "https://cy8.top/group.html" or siteurl like "https://cy8.top/group.html" or url like "https://cy8.top/group.html" or domainname like "pen0axt0u476duw.xyz" or siteurl like "pen0axt0u476duw.xyz" or url like "pen0axt0u476duw.xyz"

    Detection Query 3 :

    domainname like "https://65sse.668ddf.cc/tuiliu/group.html" or siteurl like "https://65sse.668ddf.cc/tuiliu/group.html" or url like "https://65sse.668ddf.cc/tuiliu/group.html" or domainname like "uawwydy3qas6ykv.xyz" or siteurl like "uawwydy3qas6ykv.xyz" or url like "uawwydy3qas6ykv.xyz" or domainname like "https://ajskbnrs.xn--jor0b302fdhgwnccw8g.com/gogo/list.html" or siteurl like "https://ajskbnrs.xn--jor0b302fdhgwnccw8g.com/gogo/list.html" or url like "https://ajskbnrs.xn--jor0b302fdhgwnccw8g.com/gogo/list.html" or domainname like "https://7p.game/group.html" or siteurl like "https://7p.game/group.html" or url like "https://7p.game/group.html" or domainname like "https://fxrhcnfwxes90q.xyz/group.html" or siteurl like "https://fxrhcnfwxes90q.xyz/group.html" or url like "https://fxrhcnfwxes90q.xyz/group.html" or domainname like "https://pepeairdrop01.com/static/analytics.html" or siteurl like "https://pepeairdrop01.com/static/analytics.html" or url like "https://pepeairdrop01.com/static/analytics.html" or domainname like "http://pepeairdrop01.com/static/analytics.html" or siteurl like "http://pepeairdrop01.com/static/analytics.html" or url like "http://pepeairdrop01.com/static/analytics.html" or domainname like "b38w09ecdejfqsf.xyz" or siteurl like "b38w09ecdejfqsf.xyz" or url like "b38w09ecdejfqsf.xyz" or domainname like "http://cdn.uacounter.com/stat.html" or siteurl like "http://cdn.uacounter.com/stat.html" or url like "http://cdn.uacounter.com/stat.html" or domainname like "https://binancealliancesintro.com/group.html" or siteurl like "https://binancealliancesintro.com/group.html" or url like "https://binancealliancesintro.com/group.html" or domainname like "https://anygg.liquorfight.com/88k4ez/group.html" or siteurl like "https://anygg.liquorfight.com/88k4ez/group.html" or url like "https://anygg.liquorfight.com/88k4ez/group.html" or domainname like "https://98a.online/group.html" or siteurl like "https://98a.online/group.html" or url like 
"https://98a.online/group.html" or domainname like "v2gmupm7o4zihc3.xyz" or siteurl like "v2gmupm7o4zihc3.xyz" or url like "v2gmupm7o4zihc3.xyz" or domainname like "ol67el6pxg03ad7.xyz" or siteurl like "ol67el6pxg03ad7.xyz" or url like "ol67el6pxg03ad7.xyz" or domainname like "http://land.77bingos.com/88k4ez/group.html" or siteurl like "http://land.77bingos.com/88k4ez/group.html" or url like "http://land.77bingos.com/88k4ez/group.html" or domainname like "sf2bisx5nhdkygn3l.xyz" or siteurl like "sf2bisx5nhdkygn3l.xyz" or url like "sf2bisx5nhdkygn3l.xyz" or domainname like "https://b27.icu/group.html" or siteurl like "https://b27.icu/group.html" or url like "https://b27.icu/group.html" or domainname like "https://sj9ioz3a7y89cy7.xyz/list.html" or siteurl like "https://sj9ioz3a7y89cy7.xyz/list.html" or url like "https://sj9ioz3a7y89cy7.xyz/list.html" or domainname like "https://ose.668ddf.cc/tuiliu/group.html" or siteurl like "https://ose.668ddf.cc/tuiliu/group.html" or url like "https://ose.668ddf.cc/tuiliu/group.html" or domainname like "https://seven7.to/group.html" or siteurl like "https://seven7.to/group.html" or url like "https://seven7.to/group.html" or domainname like "https://share.7p.game/group.html" or siteurl like "https://share.7p.game/group.html" or url like "https://share.7p.game/group.html" or domainname like "xfal48cf0ies7ew.xyz" or siteurl like "xfal48cf0ies7ew.xyz" or url like "xfal48cf0ies7ew.xyz"

    Detection Query 4 :

    domainname like "https://t7c.icu/group.html" or siteurl like "https://t7c.icu/group.html" or url like "https://t7c.icu/group.html" or domainname like "http://cryptocurrencyworld.top/details/group.html" or siteurl like "http://cryptocurrencyworld.top/details/group.html" or url like "http://cryptocurrencyworld.top/details/group.html" or domainname like "hfteigt3kt0sf3z.xyz" or siteurl like "hfteigt3kt0sf3z.xyz" or url like "hfteigt3kt0sf3z.xyz" or domainname like "https://ios.teegrom.top/tuiliu/group.html" or siteurl like "https://ios.teegrom.top/tuiliu/group.html" or url like "https://ios.teegrom.top/tuiliu/group.html" or domainname like "https://k96.icu/group.html" or siteurl like "https://k96.icu/group.html" or url like "https://k96.icu/group.html" or domainname like "https://iphonex.mjdqw.cn/tuiliu/group.html" or siteurl like "https://iphonex.mjdqw.cn/tuiliu/group.html" or url like "https://iphonex.mjdqw.cn/tuiliu/group.html" or domainname like "https://26a.online/group.html" or siteurl like "https://26a.online/group.html" or url like "https://26a.online/group.html" or domainname like "https://kanav.blog/group.html" or siteurl like "https://kanav.blog/group.html" or url like "https://kanav.blog/group.html" or domainname like "roy2tlop2u.xyz" or siteurl like "roy2tlop2u.xyz" or url like "roy2tlop2u.xyz" or domainname like "https://dbgopaxl.com/static/goindex/tuiliu/group.html" or siteurl like "https://dbgopaxl.com/static/goindex/tuiliu/group.html" or url like "https://dbgopaxl.com/static/goindex/tuiliu/group.html" or domainname like "http://land.bingo777.now/88k4ez/group.html" or siteurl like "http://land.bingo777.now/88k4ez/group.html" or url like "http://land.bingo777.now/88k4ez/group.html"

    Detection Query 5 :

    sha256hash IN ("2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a","18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3","6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c","42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b","0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495","05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901","10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c","91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30","721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780","25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de","be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9","3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541","499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1","d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802","4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd","d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a","023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de","f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac","1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0","4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8")

    Reference: 

    https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/


    Tags

    Threat Actor, Vulnerability, Exploit, Ukraine, Zero-day
