Detecting Coruna: New YARA Rules for the Nation-State iOS Exploit Kit Targeting Safari

ScanMalware Research Team

Coruna iOS Exploit Kit Detection - 16 YARA rules covering 5 exploit chains across the full attack lifecycle

Executive Summary

Coruna (also known as CryptoWaters) is a sophisticated iOS/macOS exploit kit first publicly disclosed by Google's Threat Intelligence Group (GTIG) in March 2026. The kit contains five full exploit chains with 23 individual exploits targeting Safari/WebKit on iOS 13 through 17.2.1, and represents one of the most advanced browser exploitation frameworks ever documented.

ScanMalware has added 16 new YARA detection rules covering both Coruna-specific indicators and generic browser exploitation techniques. These rules are now active in our JavaScript analysis pipeline and can detect Coruna payloads as well as similar exploit kits that use the same techniques.

Background: What is Coruna?

Coruna is a multi-stage browser exploit framework that operates entirely within Safari/WebKit, achieving arbitrary memory read/write, bypassing Pointer Authentication Codes (PAC), escaping the JIT sandbox, and establishing command-and-control -- all without writing to disk.

GTIG tracked Coruna through three distinct operational phases:

  1. Surveillance vendor customer (early 2025) -- Highly targeted operations against specific individuals
  2. UNC6353 (mid 2025) -- Watering-hole attacks targeting Ukrainian users, attributed to suspected Russian espionage
  3. UNC6691 (late 2025-2026) -- Broad-scale financial crime campaigns by a Chinese threat actor, deploying the kit via gambling, crypto, and gaming lure pages

The exploit kit uses a custom JavaScript module system coordinated through a globalThis namespace, with 28 JavaScript files loaded from a hardcoded C2 domain. Key technical components include:

  • XOR-encoded strings (1,250+ instances) to obscure all sensitive string literals
  • In-browser Mach-O parser capable of parsing Apple binary formats, load commands, and dyld shared cache
  • ARM64 disassembler for scanning code pages to locate ROP/JOP gadgets
  • NaN-boxing type confusion to achieve arbitrary memory read/write primitives
  • WebAssembly JIT warmup (22 iterations) to trigger JIT compilation before exploitation
  • Lockdown Mode detection to skip execution on hardened devices

Our Detection Rules

We developed rules in two categories: IOC-based rules for known Coruna indicators, and behavioral rules that detect the underlying exploitation techniques regardless of which exploit kit uses them.

IOC-Based Rules (7 rules)

Coruna_Namespace_Registration (CRITICAL) -- Detects the globalThis.vKTo89 namespace used to coordinate all 28 Coruna modules.

Coruna_Module_Identifiers (CRITICAL) -- Matches when 2 or more of 9 known module names appear (YGPUu7, KRfmo6, Fq2t1Q, qeqLdN, uOj89n, yAerzw, agTkHY, eOWEVG, OLdwIx).

Coruna_C2_Domain (CRITICAL) -- Matches the hardcoded C2 domain b27.icu.

Coruna_Payload_SHA1_Filenames (CRITICAL) -- Matches any of the 12 known SHA1-named payload files served from b27.icu.

Coruna_Delivery_Infrastructure (HIGH) -- Detects known delivery domains (ai-scorepredict[.]com, fgr1w2gnsdvsb[.]xyz, remotexxxyyy[.]com) and the LaSDK.init() + /51la-ll.js pattern used across watering-hole pages.

Coruna_C2_Response_Fingerprints (CRITICAL) -- Matches PLASMAGRID C2 server response banner hashes.

Coruna_Config_Module_Hashes (CRITICAL) -- Requires 3+ of 13 known internal module hashes.

Behavioral Rules (9 rules)

These detect exploitation techniques used by Coruna and similar browser exploit kits, providing detection even against future variants with different IOCs.

Coruna_XOR_String_Decoding (HIGH) -- Fires when 3+ XOR-encoded string arrays appear in a single file:

// Actual Coruna code (from KRfmo6_166411bd.js)
[28, 26, 12, 73, 26, 29, 27, 0, 10, 29].map(x => {
    return String.fromCharCode(x ^ 105);
}).join("")
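As an added example (not ScanMalware's YARA rule and not Coruna's code), the JavaScript below locates XOR-encoded arrays in the shape shown above, counts them against the rule's threshold of three per file, and decodes each one so an analyst can read the literal the array hides. The regex and the two extra arrays in the sample input are constructed for this example; only the first array is the one quoted from KRfmo6_166411bd.js.

```javascript
// Added example: count and decode XOR-encoded string arrays of the form
//   [n, n, ...].map(id => { return String.fromCharCode(id ^ KEY); }).join("")
// The regex (an assumption, not the published rule) tolerates the common
// variations: optional braces, optional `return`, single or double quotes.
const XOR_ARRAY_RE =
  /\[\s*((?:\d+\s*,\s*)*\d+)\s*\]\s*\.map\(\s*(\w+)\s*=>\s*\{?\s*(?:return\s+)?String\.fromCharCode\(\s*\2\s*\^\s*(\d+)\s*\)\s*;?\s*\}?\s*\)\s*\.join\(\s*(['"])\4\s*\)/g;

// Reverse the obfuscation: XOR each byte with the key and concatenate.
function decodeXorArray(bytes, key) {
  return bytes.map(b => String.fromCharCode(b ^ key)).join("");
}

// Scan a JavaScript source string. Returns the number of XOR arrays found,
// their decoded plaintexts, and whether the count reaches the rule threshold.
function scanXorStrings(source, threshold = 3) {
  const decoded = [];
  for (const m of source.matchAll(XOR_ARRAY_RE)) {
    const bytes = m[1].split(",").map(s => parseInt(s.trim(), 10));
    const key = parseInt(m[3], 10);
    decoded.push({ key, plaintext: decodeXorArray(bytes, key) });
  }
  return { count: decoded.length, decoded, suspicious: decoded.length >= threshold };
}

// Constructed sample: the Coruna array quoted above plus two made-up arrays.
const SAMPLE_OBFUSCATED = `
var a = [28, 26, 12, 73, 26, 29, 27, 0, 10, 29].map(x => {
    return String.fromCharCode(x ^ 105);
}).join("");
var b = [71,68,85,66,73].map(c => String.fromCharCode(c ^ 33)).join('');
var c = [98, 113, 102, 107].map(q => { return String.fromCharCode(q ^ 7) }).join("");
`;

// Constructed sample: a single XOR array, below the threshold.
const SAMPLE_BENIGN = `
const checksum = data.map(x => x ^ 0xff);
const s = [72, 105].map(x => String.fromCharCode(x ^ 0)).join("");
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of scanXorStrings(SAMPLE_OBFUSCATED).decoded) {
    console.log(`key=${hit.key} -> ${JSON.stringify(hit.plaintext)}`);
  }
}
```

Decoding the quoted Coruna array with key 105 yields "use strict", which is why counting these arrays, rather than the decoded values, is what the rule keys on: the plaintexts are often harmless on their own, and it is the volume of XOR-wrapped literals that is anomalous.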

Coruna_MachO_Parser_In_JavaScript (CRITICAL) -- Our strongest behavioral signal. Legitimate JavaScript has no reason to contain Mach-O magic numbers (0xFEEDFACF) combined with DataView/ArrayBuffer memory access.

Coruna_ARM64_Disassembly_In_JS (CRITICAL) -- ARM64 instruction opcode masks (ADRP: 0x90000000, LDR: 0xF9400000, BLR: 0xD63F0000, RET: 0xD65F03C0) in JavaScript indicate gadget scanning. No legitimate web application contains these constants.

Coruna_WebAssembly_JIT_Exploit (HIGH) -- Detects WebAssembly.Module/Instance combined with typed array memory manipulation, while excluding crypto mining patterns to avoid FPs.

Coruna_NaN_Boxing_Type_Confusion (CRITICAL) -- Detects the memory corruption primitive at the heart of Coruna. NaN-boxing is the scheme JavaScriptCore uses to pack pointers and IEEE 754 doubles into one 64-bit JSValue; the exploit abuses it by creating aliased Float64Array/Uint32Array views over the same buffer, so a value written as a double can be read back as raw integers and vice versa:

var f = new Float64Array(1);
var u = new Uint32Array(f.buffer);
// Write a forged pointer via float representation
// Read it back as integers to leak addresses

Also detects references to WebKit internals (JSCell, structureID, butterfly).

Coruna_Exploit_Coordination_Pattern (HIGH) -- Detects globalThis namespace registration, empty error messages (throw new Error("")) and XOR-encoded strings occurring together.

Coruna_Watering_Hole_Iframe_Injection (HIGH) -- Zero-opacity/offscreen elements combined with iframe creation and analytics-themed paths (/static/analytics.html).

Coruna_Lockdown_Mode_Check (HIGH) -- Lockdown Mode references alongside exploit-context patterns.

Coruna_Generic_Browser_Exploit_Kit (HIGH) -- Composite rule requiring XOR arrays + WebAssembly + typed arrays + BigInt pointer arithmetic + anti-analysis patterns together.
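The following is an added example, not ScanMalware's rule set: a minimal YARA-style evaluator in JavaScript that expresses four of the behavioral rules above as string sets with "N of them" conditions and an exclusion clause, using only the constants named on this page (the Mach-O magic, the four ARM64 opcode masks, the aliased typed-array view and the WebKit internals names, and the WebAssembly/mining exclusion). The regexes, thresholds and the three input snippets are assumptions constructed for the example; the page does not publish the rules' actual strings.

```javascript
// Added example: a tiny YARA-like evaluator. Each rule has named "strings"
// (regexes) and a condition over the set of string ids that matched, which
// is how YARA's `2 of them` / `all of them` / `not $x` conditions compose.
// Rule contents are assumptions built from the constants quoted on the page.
const RULES = [
  {
    name: "MachO_Parser_In_JavaScript",
    severity: "CRITICAL",
    strings: { magic: /0xFEEDFACF/i, dataview: /\bDataView\b/, buffer: /\bArrayBuffer\b/ },
    // Mach-O 64-bit magic together with raw-memory access helpers
    condition: hits => hits.has("magic") && (hits.has("dataview") || hits.has("buffer")),
  },
  {
    name: "ARM64_Disassembly_In_JS",
    severity: "CRITICAL",
    strings: { adrp: /0x90000000/i, ldr: /0xF9400000/i, blr: /0xD63F0000/i, ret: /0xD65F03C0/i },
    // YARA-style "2 of them": two opcode masks is enough to flag gadget scanning
    condition: hits => hits.size >= 2,
  },
  {
    name: "NaN_Boxing_Type_Confusion",
    severity: "CRITICAL",
    strings: {
      f64: /new\s+Float64Array\(/,
      alias: /new\s+Uint32Array\(\s*\w+\.buffer\s*\)/,      // view over another array's buffer
      internals: /\b(JSCell|structureID|butterfly)\b/,       // WebKit object layout names
    },
    condition: hits => (hits.has("f64") && hits.has("alias")) || hits.has("internals"),
  },
  {
    name: "WebAssembly_JIT_Exploit",
    severity: "HIGH",
    strings: {
      wasm: /WebAssembly\.(Module|Instance)\b/,
      typed: /\b(Uint8Array|Uint32Array|Float64Array|BigUint64Array)\b/,
      mining: /\b(stratum|hashrate|cryptonight|monero)\b/i,  // assumed miner vocabulary
    },
    // The exclusion clause mirrors the rule's crypto-mining false-positive filter.
    condition: hits => hits.has("wasm") && hits.has("typed") && !hits.has("mining"),
  },
];

// Evaluate every rule against a source string; return the rules that fired
// with the ids of the strings that matched (what a scanner would report).
function evaluateRules(source, rules = RULES) {
  const matches = [];
  for (const rule of rules) {
    const hits = new Set();
    for (const [id, re] of Object.entries(rule.strings)) {
      if (re.test(source)) hits.add(id);
    }
    if (rule.condition(hits)) {
      matches.push({ rule: rule.name, severity: rule.severity, strings: [...hits].sort() });
    }
  }
  return matches;
}

// Constructed sample: fragments of what an exploit stage's helpers look like.
const SAMPLE_EXPLOIT_STAGE = `
  var MH_MAGIC_64 = 0xfeedfacf;
  var dv = new DataView(buf);
  var f = new Float64Array(1), u = new Uint32Array(f.buffer);
  function isRet(ins) { return ins === 0xd65f03c0; }
  function isBlr(ins) { return (ins & 0xfffffc1f) === 0xd63f0000; }
`;

// Constructed sample: a browser crypto miner, which the exclusion should drop.
const SAMPLE_MINER = `
  const mod = new WebAssembly.Module(bytes);
  const mem = new Uint8Array(instance.exports.memory.buffer);
  socket.send(JSON.stringify({ method: "login", pool: "stratum+tcp://pool.example" }));
`;

// Constructed sample: an ordinary WebAssembly application touching typed arrays.
const SAMPLE_WASM_APP = `
  const inst = new WebAssembly.Instance(mod, imports);
  const heap = new Uint32Array(inst.exports.memory.buffer);
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, src] of [["exploit", SAMPLE_EXPLOIT_STAGE], ["miner", SAMPLE_MINER], ["wasm app", SAMPLE_WASM_APP]]) {
    console.log(label, JSON.stringify(evaluateRules(src)));
  }
}
```

Run on its own, the WebAssembly rule still fires on the plain WebAssembly application, which is the reason it carries HIGH rather than CRITICAL and why the page's composite Coruna_Generic_Browser_Exploit_Kit rule demands several independent signals (XOR arrays, typed arrays, BigInt pointer arithmetic, anti-analysis) at once before it matches.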

Detection Coverage

Attack phase        | Rule(s)                                                                    | Type
--------------------|----------------------------------------------------------------------------|------------------
Delivery            | Watering_Hole_Iframe_Injection, Delivery_Infrastructure                    | Behavioral + IOC
Payload loading     | C2_Domain, Payload_SHA1_Filenames, Config_Module_Hashes                    | IOC
Module coordination | Namespace_Registration, Module_Identifiers, Exploit_Coordination_Pattern   | IOC + Behavioral
Obfuscation         | XOR_String_Decoding                                                        | Behavioral
Memory corruption   | NaN_Boxing_Type_Confusion, WebAssembly_JIT_Exploit                         | Behavioral
Binary parsing      | MachO_Parser_In_JavaScript                                                 | Behavioral
Gadget scanning     | ARM64_Disassembly_In_JS                                                    | Behavioral
Evasion             | Lockdown_Mode_Check                                                        | Behavioral
C2 communication    | C2_Domain, C2_Response_Fingerprints                                        | IOC

How ScanMalware Uses These Rules

ScanMalware JavaScript analysis pipeline showing the 5-stage analysis with Coruna rules at Stage 2

Every URL scanned on ScanMalware is checked against over 10 million detection signatures:

  • 8,724,583 virus signatures
  • 1,501,121 threat intelligence indicators
  • 32,040 malware detection rules (including the 16 new Coruna rules)

Beyond the broad signature coverage, JavaScript files go through multiple layers of analysis:

  • Runtime behavioral analysis -- Pages are executed in a sandboxed browser while monitoring API calls, code execution patterns, and dynamic payload deployment
  • YARA scanning -- 3,600+ rules including the 16 new Coruna rules
  • Fuzzy hashing -- Locality-sensitive hashing for detecting code similarity to known malware variants
  • Pattern matching -- Behavioral pattern detection with proportional scoring
  • Bundle extraction -- De-bundles packed JavaScript for independent module analysis
  • ML semantic analysis -- Machine learning models detect malware variants that evade signature-based rules

The new Coruna rules integrate at the YARA scanning layer. Any match triggers an alert in the scan results with the rule name, severity level, and matched strings.
