Published April 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown

UNC6691 delivers iOS implants through Chinese gambling watering holes — 4 of 5 DGA domains seized the same day CISA added the CVEs to KEV

#ios-exploit #plasmagrid #coruna #unc6691 #dga #watering-hole #law-enforcement #cisa-kev #nation-state

iOS exploit kits do not show up in your threat feed. They are not commodity malware. They do not get sold on Telegram for $200. They get developed by defense contractors, deployed by intelligence agencies, and -- when they leak -- fought over by the handful of threat actors capable of operationalizing them.

Coruna is one of those kits. Twenty-three exploits. Five full exploit chains. Coverage from iOS 13.0 through 17.2.1. A custom implant called PLASMAGRID that injects into four system processes simultaneously, harvests cryptocurrency wallet seed phrases from nineteen different apps, and communicates through a domain generation algorithm seeded with the string "lazarus." Google's Threat Intelligence Group estimates 42,000 iOS devices compromised. The kit's suspected origin is a U.S. defense contractor.

This is the story of how a single passive DNS detection led us through DGA domains batch-registered in Singapore, six compartmentalized Cloudflare accounts, live Chinese gambling watering holes with TikTok advertising pixels, and a coordinated law enforcement takedown that seized four of five C2 domains on the same day CISA added three CVEs to the Known Exploited Vulnerabilities catalog -- and deliberately left one standing.

It Started With a Tweet

On March 28, QAX XLab researcher @TuringAlex shared passive DNS findings on X: a cluster of domains matching known Coruna DGA patterns, resolving through infrastructure that included the IP 36[.]59[.]25[.]213. The PDNS data connected to research XLab had been conducting on the DGA algorithm embedded in the PLASMAGRID implant.

We pulled the thread.

The IP itself turned out to be a dead end for C2 attribution -- 36[.]59[.]25[.]213 resolves to China Telecom's Anhui province residential block. No services detected on scan. This is a victim device or a compromised relay in the exfiltration chain, not command infrastructure. But the DGA domains @TuringAlex flagged were real, and they had stories to tell.

What Was Already Known

Before detailing our findings, it is important to establish what the security community had already documented.

Google's Threat Intelligence Group and iVerify published comprehensive analyses of the Coruna kit in early March 2026. Their reporting established the core facts: the exploit kit contains 23 exploits organized into five chains (jacurutu, terrorbird, cassowary, seedbell variants, and VariantB), targets iOS 13 through 17.2.1, and deploys the PLASMAGRID implant through watering hole sites served via hidden iframes. CyberScoop reported that code comments suggested a U.S.-based developer, with Rocky Cole of iVerify noting "insider jokes" consistent with American engineering culture. The NSA declined to comment. GTIG identified three threat actor groups using the proliferated kit: a commercial surveillance vendor customer, UNC6353 (suspected Russian, targeting Ukraine), and UNC6691 (Chinese, financially motivated).

What the public reporting did not include was granular infrastructure analysis. The DGA domains were mentioned as examples, not mapped. The watering holes were described generically as "fake finance sites." Registration patterns, Cloudflare account compartmentalization, and the takedown timeline were not detailed.

That is where we started.

The DGA Domains Nobody Could Crack

PLASMAGRID's C2 resilience depends on a domain generation algorithm seeded with the string "lazarus" that produces 15-character alphanumeric domains under the .xyz TLD. Five such domains appeared in certificate transparency logs and prior reporting:

  • aidm8it5hf1jmtj[.]xyz
  • uawwydy3qas6ykv[.]xyz
  • 8fn4957c5g986jp[.]xyz
  • vvri8ocl4t3k8n6[.]xyz
  • rlau616jc7a7f7i[.]xyz

We attempted to reconstruct the algorithm. Standard approaches -- SHA256, MD5, and HMAC with counter-based and date-based seeds, using "lazarus" as the key -- did not reproduce the known domains. The DGA is not a textbook implementation. It is a custom PRNG embedded in the Mach-O arm64 implant binary, and without reversing that binary, the full domain space remains unknown.

What we could do was pull WHOIS data on every known DGA domain. And that data told us more than the algorithm itself would have.

Batch Registration: December 11-13, 2025

All five DGA domains trace back to a two-week window of infrastructure preparation:

Batch 1 -- December 11-13, 2025 (Gname.com Pte. Ltd., Singapore):

  • aidm8it5hf1jmtj[.]xyz -- registered Dec 11
  • uawwydy3qas6ykv[.]xyz -- registered Dec 11
  • 8fn4957c5g986jp[.]xyz -- registered Dec 13
  • rlau616jc7a7f7i[.]xyz -- registered Dec 13

Batch 2 -- January 6, 2026 (Name.com):

  • vvri8ocl4t3k8n6[.]xyz -- registered Jan 6

Four domains through one registrar in a two-day window, then a fifth through a completely different registrar three weeks later. This is pre-positioning: the DGA domains were registered weeks before certificates were issued (February 10-11) and months before operational use. The gap between Batch 1 and Batch 2, and the registrar change, suggests either a second operator, a deliberate compartmentalization strategy, or a test registration through a different purchasing flow.

The b27[.]icu watering hole domain was also registered through Gname.com Singapore, linking UNC6691's DGA C2 infrastructure and watering hole operations under the same purchasing pipeline.

Six Cloudflare Accounts

Each domain group routes through a different Cloudflare nameserver pair. In Cloudflare's architecture, distinct NS pairs indicate distinct accounts. Across UNC6691's infrastructure, we identified six:

Account   NS pair           Domains
A         imani/matias      tjbjdod[.]cn (exploit delivery)
B         marissa/alberto   mjdqw[.]cn (lure hosting)
C         cecelia/kai       aidm8it5hf1jmtj[.]xyz, uawwydy3qas6ykv[.]xyz
D         javier/sarah      8fn4957c5g986jp[.]xyz
E         dara/tanner       rlau616jc7a7f7i[.]xyz
F         beth/craig        vvri8ocl4t3k8n6[.]xyz (Batch 2 outlier)

Six accounts for approximately ten domains. This is not someone who forgot their Cloudflare password. This is operational compartmentalization -- if one account gets burned by an abuse report or law enforcement request, the others continue operating. It is a pattern we associate with actors who have been through takedowns before and adapted.

Note that Account C serves the two DGA domains registered on the same day (Dec 11), while Accounts D and E each hold a single domain from Dec 13. Account F holds the January outlier from the different registrar. The compartmentalization mirrors the registration batches.

The Certificate Timeline

Certificate transparency logs revealed a simultaneous infrastructure standup on February 10-11, 2026:

Domain                  Issuer                                Date
aidm8it5hf1jmtj[.]xyz   Let's Encrypt R13 + Google Trust WE1  Feb 10
uawwydy3qas6ykv[.]xyz   Let's Encrypt R12 + Google Trust WE1  Feb 10
8fn4957c5g986jp[.]xyz   Let's Encrypt R12 + Google Trust WE1  Feb 11

Every DGA domain received certificates from two different certificate authorities on the same day. Dual-CA issuance is not standard practice for legitimate sites or even most malware operations. It is a redundancy measure: if one CA revokes, the other still provides valid TLS. Combined with the batch registration pattern and Cloudflare compartmentalization, this reflects an operator who plans for disruption.

The delivery infrastructure followed a staggered timeline: tjbjdod[.]cn received Let's Encrypt and Sectigo certificates in mid-February, mjdqw[.]cn got ZeroSSL and Google Trust certs in late February and early March, and the mijieqi[.]cn subdomains rotated DigiCert certificates in March. Active infrastructure management across multiple CA relationships.

March 5, 2026: The Coordinated Takedown

On March 5, 2026, two things happened simultaneously:

  1. CISA added CVE-2021-30952 and CVE-2023-43000 (both exploited by Coruna chains) to the Known Exploited Vulnerabilities catalog
  2. Four of five DGA domains were placed on serverHold by their registrars

The seized domains:

  • uawwydy3qas6ykv[.]xyz -- serverHold
  • 8fn4957c5g986jp[.]xyz -- serverHold
  • vvri8ocl4t3k8n6[.]xyz -- serverHold
  • rlau616jc7a7f7i[.]xyz -- serverHold

CISA does not add CVEs to KEV on the same day registrars seize associated domains by accident. KEV additions are a policy action -- they compel federal agencies to patch. Domain seizures require legal process or registrar abuse complaints. When both happen on the same calendar day targeting the same exploit kit, that is coordination between U.S. government agencies and domain registrars, likely facilitated through law enforcement channels.

CVE-2023-41974 was added to KEV two days later on March 7, suggesting a rolling disclosure or a parallel process that completed slightly later.

The Domain That Survived

One DGA domain was not seized: aidm8it5hf1jmtj[.]xyz.

This is the domain iVerify identified as the primary PLASMAGRID C2. It was registered on the same day (Dec 11), through the same registrar (Gname.com Singapore), and shares a Cloudflare account (cecelia/kai) with uawwydy3qas6ykv[.]xyz -- which was seized. Yet as of this writing, aidm8it5hf1jmtj[.]xyz has no A record but is not on serverHold. It remains in a liminal state: not active, not seized.

Three possibilities:

  1. Administrative oversight: The takedown request listed four domains and missed the fifth. Possible but unlikely given that this is the most prominent one in public reporting.
  2. Law enforcement monitoring position: The domain was deliberately excluded from seizure to maintain a collection point. Implants attempting to reach this domain would reveal active infections. This is a standard technique in botnet disruptions.
  3. Different operator compartment: The Batch 2 outlier (vvri8ocl4t3k8n6[.]xyz, registered via Name.com) was seized despite coming from a different registrar, so registrar differences alone do not explain the exception.

We assess option 2 as most likely. When you seize four of five C2 domains and leave the primary one standing, you are probably watching it.

The Watering Holes: Still Live

While the DGA C2 infrastructure has been substantially disrupted, UNC6691's watering hole delivery infrastructure remains operational.

b27[.]icu serves a fully functional Chinese gambling site branded as "7P.GAME," hosted on AWS CloudFront (distribution d35oc5m182mh0p). The site is iOS-optimized -- it is built to attract mobile users. Embedded in the page source is a TikTok advertising pixel with the ID D4N9LFRC77U7MI8IOO10. UNC6691 is running paid TikTok advertisements to drive traffic to a watering hole that delivers a nation-state exploit kit. The pixel links to a specific TikTok Ads Manager account, which constitutes an additional attribution vector.

The target demographic is telling. Chinese-language gambling sites attract a specific user profile: individuals with disposable income, comfort with mobile payments and cryptocurrency, and a willingness to use unregulated platforms. These are precisely the users most likely to have cryptocurrency wallets on their phones -- and PLASMAGRID's 19 wallet-targeting modules are built to empty them.

iphonex[.]mjdqw[.]cn presents as a "Global Beauty Ranking" -- a social engineering lure designed to attract clicks from Chinese social media. The domain resolves through Cloudflare (Account B) and serves iOS-targeted content. Both watering holes use the same delivery mechanism: a zero-pixel iframe loading either group.html or analytics.html, which begins the four-layer JavaScript obfuscation chain leading to device fingerprinting and exploit delivery.

Inside the Kill Chain

For devices that pass fingerprinting (not in Lockdown Mode, not private browsing, not running on a Corellium VM), the exploit chain unfolds in three stages:

Stage 1: A WebKit JIT type confusion exploit (CVE-2024-23222 for iOS 16.6-17.2.1, CVE-2023-43000 for 16.2-16.5.1, or CVE-2022-48503 for older versions) achieves initial code execution in the browser renderer process.

Stage 2: PAC bypass and ASLR defeat variants (the "seedbell" family) escape the Safari sandbox.

Stage 3: Kernel privilege escalation through CVE-2023-32434, CVE-2023-38606, or CVE-2023-41974 achieves root and deploys the PLASMAGRID implant.

The implant registers itself as com.apple.assistd -- masquerading as an Apple system service -- and injects into four processes simultaneously:

Process       Privilege          Purpose
powerd        root               Persistence, primary HTTP C2
locationd     location services  Data collection orchestration
imagent       iMessage access    Backup C2 channel via iMessage
SpringBoard   UI layer           User interaction monitoring

Thread names in the injected processes (plasma_supervisor, plasma_unified_dispatcher, plasma_heartbeat_monitor) provide forensic detection opportunities for incident responders with access to device internals.

The F00DBEEF Container

Payloads are delivered through a custom container format with the magic bytes 0xF00DBEEF. The encryption pipeline wraps four layers around each payload:

  1. Outer layer: ChaCha20 encryption using Daniel J. Bernstein's original specification (not the IETF RFC 8439 variant) -- 64-bit block counter, 64-bit zero nonce, 20 rounds
  2. Compression: LZMA via Apple's compression_decode_buffer with a custom header (magic 0x0BEDF00D)
  3. Container: F00DBEEF format with typed segments (0x08 for implant, 0x09 for kernel exploit, 0x0f for persistence, 0x0a for module)
  4. Payload: Mach-O arm64/arm64e dylibs -- 65+ individual libraries across 19 payload bundles

Each file in the manifest has a unique per-file ChaCha20 key. The master key (b38fd1...e676) decrypts the manifest, which contains individual keys for each component. This means intercepting a single payload does not provide the key to decrypt others. Defense-in-depth, applied to offense.
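The outer layer described above is ChaCha20 in Daniel J. Bernstein's original layout, which is the detail that trips up anyone reaching for a standard library. The following pure-Python implementation is an added example, not code from the implant or from this investigation: it builds the DJB state (64-bit counter, 64-bit nonce), checks itself against the published all-zero test vector, and shows how that nonce maps onto the 96-bit nonce an RFC 8439 library expects. The decrypt_outer_layer helper, the sample key and the sample data are constructed for the example; the real manifest format and key derivation are not public.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block_djb(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block in the original (DJB 2008) layout:
    words 0-3 constants, 4-11 key, 12-13 64-bit block counter, 14-15 64-bit nonce.
    RFC 8439 instead uses word 12 as a 32-bit counter and words 13-15 as a 96-bit nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("DJB ChaCha20 needs a 32-byte key and an 8-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK, (counter >> 32) & MASK]          # 64-bit counter, little-endian words
    state += list(struct.unpack("<2I", nonce))                 # 64-bit nonce
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        _quarter_round(w, 0, 4, 8, 12);  _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13);  _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def chacha20_xor_djb(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (the same XOR operation) with the DJB-layout keystream."""
    out = bytearray(data)
    for i in range(0, len(data), 64):
        block = chacha20_block_djb(key, counter + i // 64, nonce)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= block[j]
    return bytes(out)

ZERO_NONCE = bytes(8)  # the fixed 64-bit zero nonce the post describes

def decrypt_outer_layer(per_file_key: bytes, blob: bytes) -> bytes:
    """Hypothetical helper: strip the outer ChaCha20 layer of one payload with its per-file key.
    A fixed zero nonce is only safe because each key is used for exactly one file;
    two files under one key would XOR to the plaintext XOR."""
    return chacha20_xor_djb(per_file_key, ZERO_NONCE, blob, counter=0)

def rfc8439_nonce_for(djb_nonce: bytes) -> bytes:
    """For block counters below 2**32 the DJB state equals the RFC 8439 state whose 96-bit
    nonce is four zero bytes followed by the 64-bit nonce, so a standard library can
    decrypt this layer when handed this nonce and a 32-bit counter of 0."""
    return bytes(4) + djb_nonce

if __name__ == "__main__":
    key = bytes(range(32))                       # constructed sample key, not the master key
    ct = chacha20_xor_djb(key, ZERO_NONCE, b"F00DBEEF container sample " * 5)
    print(decrypt_outer_layer(key, ct)[:26])
```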

The Bigger Picture: Proliferation

Coruna did not start as a Chinese crypto theft operation. The exploit kit's journey -- from suspected U.S. defense contractor origin to a commercial surveillance vendor, to Russian espionage operations targeting Ukraine (UNC6353 via cdn[.]uacounter[.]com), to UNC6691's gambling-site-driven cryptocurrency theft -- represents the lifecycle of a high-end offensive capability once it escapes controlled distribution.

The code quality reflects its origins. Exploit chain names follow a bird/nature theme (terrorbird, cassowary, seedbell). The internal architecture separates concerns cleanly across 65+ libraries. The evasion logic checks for Lockdown Mode using two independent methods (IndexedDB and MathML), detects Corellium VMs by checking for /usr/libexec/corelliumd, and cleans crash logs after exploitation. This is professional-grade software.

Three Chinese registrants with attributable email addresses -- sakubi777@gmail[.]com (刘起铭), lsin62059@gmail[.]com (孟德发), and mijie0501@163[.]com (谢乐乐) -- are associated with the delivery and C2 domains. The TikTok ads pixel, Chinese-language HTML comments in watering hole source code, and .cn delivery domains all point to UNC6691 operating from mainland China. But UNC6691 did not build this kit. They acquired it -- through the leak, through a broker, or through the source code that remains publicly available on GitHub.

The uncomfortable truth is that a tool built for targeted surveillance is now being used for mass financial crime, and the watering holes are still serving exploits.

Indicators of Compromise

DGA C2 Domains

aidm8it5hf1jmtj[.]xyz
uawwydy3qas6ykv[.]xyz
8fn4957c5g986jp[.]xyz
vvri8ocl4t3k8n6[.]xyz
rlau616jc7a7f7i[.]xyz

Delivery and Watering Hole Domains

b27[.]icu
mxbc-v2[.]tjbjdod[.]cn
iphonex[.]mjdqw[.]cn
sadjd[.]mijieqi[.]cn
datart[.]mijieqi[.]cn
backend-new[.]mijieqi[.]cn
idr-mayaramp-proxy[.]mijieqi[.]cn
cdn[.]uacounter[.]com

IP Addresses

IP                           Role                      Provider
129[.]226[.]92[.]243         Primary C2 (DOWN)         Tencent Cloud
95[.]214[.]181[.]109         Bulletproof hosting node  IPXO/Netutils
36[.]59[.]25[.]213           Victim/relay (NOT C2)     China Telecom Anhui
99[.]86[.]240[.]31/58/70/84  Watering hole CDN         AWS CloudFront
104[.]21[.]48[.]214          Delivery proxy            Cloudflare
172[.]67[.]137[.]122         Delivery proxy            Cloudflare
188[.]114[.]96[.]0           Lure site proxy           Cloudflare
188[.]114[.]97[.]0           Lure site proxy           Cloudflare

Registrant Email Addresses

sakubi777@gmail[.]com
lsin62059@gmail[.]com
mijie0501@163[.]com

File Indicators

Indicator                    Value
Manifest hash (SHA1)         7a7d99099b035b2c6512b6ebeeea6df1ede70fbb
Master ChaCha20 key          b38fd1ccd6570d8b3ce8edabd740e60d97e93a44fb27b35f2c54c473a37ce676
Deployment salt              cf40de81867d2397
LPE module (SHA1)            bb33ae77f4c7e8858cdb9c91985c46d58b28c0e0
Stage 2 powerd (SHA1)        73b26374b1c8df29c163775c2cd1f735ff6acd56
LocationD payload (SHA256)   3ef82e94d38bbc44626f3821db9eda2ea636c1ae413d8890b752bd965acd2c6e
SpringBoard module (SHA256)  73390742eba6f7a85d894f961efa77272fbaceb91a278efcad4f497612c02699

Behavioral Detection

Indicator          Value
Bundle ID          com.apple.assistd
Forensic artifact  /private/var/mobile/Library/Preferences/com.apple.photolibraryd.plist
Temp files         /private/var/tmp/pl.sp.exec.guard.lock, /private/var/tmp/upgrade.dylib
Launchd error      "failed lookup: name = com.plasma.springboard.ipc"
Thread names       plasma_supervisor, plasma_unified_dispatcher, plasma_heartbeat_monitor
HTTP headers       sdkv, x-ts
C2 paths           /details/show.html, /details/[component].js
Container magic    0xF00DBEEF
LZMA header magic  0x0BEDF00D
TikTok pixel       D4N9LFRC77U7MI8IOO10

CVEs Exploited by Coruna

CVE-2020-27932    CVE-2020-27950    CVE-2021-30952
CVE-2022-48503    CVE-2023-32409    CVE-2023-32434
CVE-2023-38606    CVE-2023-41974    CVE-2023-43000
CVE-2024-23222    CVE-2024-23225    CVE-2024-23296

Takeaways

For defenders: Block the DGA pattern (15-character alphanumeric .xyz domains) at DNS. Monitor for sdkv and x-ts HTTP headers in outbound traffic. On managed iOS devices, check for the com.apple.photolibraryd.plist artifact and launchd failures referencing com.plasma.springboard.ipc. Enable Lockdown Mode on high-value devices -- the exploit chain explicitly skips them. Update to iOS 17.3 or later.
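As an added example (not code from this post or from any vendor tool), here is a detector that applies the DNS-side takeaway above to query-log lines: it flags the five published C2 domains by exact match, flags any other 15-character alphanumeric .xyz apex name by shape, and raises confidence when one client resolves several such names, which is what an implant walking its DGA list looks like in DNS. The log line layout ("timestamp client qname qtype") and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The five DGA C2 domains published in the post, refanged for matching.
KNOWN_DGA_C2 = {
    "aidm8it5hf1jmtj.xyz", "uawwydy3qas6ykv.xyz", "8fn4957c5g986jp.xyz",
    "vvri8ocl4t3k8n6.xyz", "rlau616jc7a7f7i.xyz",
}
# Shape shared by every known PLASMAGRID C2 domain: 15 lowercase alphanumerics directly under .xyz.
DGA_SHAPE = re.compile(r"^[a-z0-9]{15}\.xyz$")
# Assumed log layout, constructed for this example: "<timestamp> <client-ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def refang(domain: str) -> str:
    """Normalise defanged or trailing-dot names so feed entries and logs compare equal."""
    return domain.replace("[.]", ".").rstrip(".").lower()

def classify_qname(qname: str) -> str:
    name = refang(qname)
    if name in KNOWN_DGA_C2:
        return "known_c2"      # exact IoC hit: highest confidence
    if DGA_SHAPE.match(name):
        return "dga_shape"     # matches the pattern; unseen domains from the same DGA land here
    return "benign"

def scan_dns_log(lines: List[str], burst_threshold: int = 3) -> Tuple[List[Dict[str, str]], Dict[str, List[str]]]:
    """Return one alert per suspicious query, plus clients that resolved at least
    burst_threshold distinct DGA-shaped names (a single odd .xyz lookup is weak evidence;
    several from one host in a short window is the implant's C2 discovery behaviour)."""
    alerts: List[Dict[str, str]] = []
    per_client: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname, qtype = m.groups()
        verdict = classify_qname(qname)
        if verdict != "benign":
            alerts.append({"ts": ts, "client": client, "qname": refang(qname), "verdict": verdict})
            per_client[client].add(refang(qname))
    bursts = {c: sorted(names) for c, names in per_client.items() if len(names) >= burst_threshold}
    return alerts, bursts

SAMPLE_LOG = [  # constructed telemetry, not real data
    "2026-03-04T09:12:01Z 10.20.0.15 www.example.com A",
    "2026-03-04T09:12:04Z 10.20.0.15 aidm8it5hf1jmtj.xyz A",
    "2026-03-04T09:12:05Z 10.20.0.15 uawwydy3qas6ykv.xyz A",
    "2026-03-04T09:12:06Z 10.20.0.15 q7x2m9k4p1z8r3w.xyz A",    # same shape, not on the known list
    "2026-03-04T09:13:10Z 10.20.0.42 cdn.shop.example.xyz A",    # .xyz, but not a bare 15-char apex
    "2026-03-04T09:14:00Z 10.20.0.42 8fn4957c5g986jp.xyz AAAA",
]

if __name__ == "__main__":
    found, bursting = scan_dns_log(SAMPLE_LOG)
    for a in found:
        print(a["verdict"], a["client"], a["qname"])
    print("burst clients:", bursting)
```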

For threat intelligence: The DGA domains' WHOIS and certificate transparency data provide more operational insight than the algorithm itself. Batch registration dates, registrar selection, Cloudflare account compartmentalization, and dual-CA certificate issuance are behavioral signatures that can be tracked for future infrastructure standup, even if the DGA output changes. Monitor Gname.com Singapore registrations for 15-character .xyz domains.

For the broader community: The watering holes at b27[.]icu and iphonex[.]mjdqw[.]cn remain live and serving content as of publication. The TikTok ads driving traffic to b27[.]icu are presumably still running. The source code for the exploit kit remains on GitHub. Four of five DGA domains have been seized, but the implant code is public and the delivery infrastructure is partially operational. This is not over.


This investigation was triggered by PDNS research shared by @TuringAlex (QAX XLab). Infrastructure analysis, WHOIS correlation, certificate transparency mapping, and watering hole verification were produced by Breakglass Intelligence's autonomous GHOST investigation system. Prior reporting from Google Threat Intelligence Group, iVerify, and CyberScoop provided the foundational analysis of the Coruna exploit kit and PLASMAGRID implant. All evidence was captured via passive and semi-passive methods.

Breakglass Intelligence | April 2026
