🇨🇳 CN3 malware familiesExploits CVEs in the wild

UNC6691

Also known asUNC6691

UNC6691 is a financially motivated threat actor assessed to operate from China. Google Threat Intelligence Group (GTIG) identified it as one of the actors using the Coruna iOS exploit kit (also referred to as CryptoWaters) and attributed to it broad-scale campaigns observed in late 2025. UNC6691 deployed Coruna through fake gambling, cryptocurrency, and other Chinese-language finance-themed websites, including clusters of fake Chinese sites that instructed users to visit from an iPhone or iPad and then delivered the exploit kit via hidden iframes. Unlike earlier more targeted Coruna activity, UNC6691 reportedly removed geographic restrictions and spread the kit broadly across more than 50 cryptocurrency scam and Chinese-language websites. The group’s activity is described as financially motivated rather than espionage-focused. GTIG reported that UNC6691 used a Coruna variant with a final payload customized for cryptocurrency theft. Delivered malware, including PlasmaLoader/PLASMAGRID, stole cryptocurrency wallet data from infected devices; reporting also states the payload harvested wallet information and seed phrases from cryptocurrency applications. Supporting reporting links UNC6691 infrastructure and campaigns to fake gambling and crypto lures, Chinese-language finance-themed watering holes, and broad exploitation of vulnerable iOS devices. Known alias in the provided content: unc6691.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

35 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics43 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1592×2

Gather Victim Host Information

TA0042

Resource Development

2 techniques

T1583

Acquire Infrastructure

T1583.006

Web Services

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

4 techniques

T1189×14

Drive-by Compromise

T1190×8

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1195.001

Compromise Software Dependencies and Development Tools

T1195.002

Compromise Software Supply Chain

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

4 techniques

T1059

Command and Scripting Interpreter

T1059.007×2

JavaScript

T1106

Native API

T1203×11

Exploitation for Client Execution

T1204

User Execution

TA0004

Privilege Escalation

3 techniques

T1055×3

Process Injection

T1068×10

Exploitation for Privilege Escalation

T1611×2

Escape to Host

TA0005

Stealth

6 techniques

T1014

Rootkit

T1027×5

Obfuscated Files or Information

T1036

Masquerading

T1055×3

Process Injection

T1070

Indicator Removal

T1497×3

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0006

Credential Access

2 techniques

T1555×2

Credentials from Password Stores

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

2 techniques

T1082×3

System Information Discovery

T1497×3

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0009

Collection

2 techniques

T1005

Data from Local System

T1213×2

Data from Information Repositories

TA0011

Command and Control

3 techniques

T1071×2

Application Layer Protocol

T1071.001×3

Web Protocols

T1105×4

Ingress Tool Transfer

T1568×3

Dynamic Resolution

T1568.002×4

Domain Generation Algorithms

TA0010

Exfiltration

3 techniques

T1020

Automated Exfiltration

T1041

Exfiltration Over C2 Channel

T1567

Exfiltration Over Web Service

T1567.002

Exfiltration to Cloud Storage

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

CorunaThat domain redirects to the watering hole at utaq[.]cfww[.]shop/gooll/gooll.html, which embeds the Coruna exploit kit delivery framework analyzed in this report.20May 21, 2026

PlasmaLoaderIts final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."5Mar 13, 2026

PLASMAGRIDA custom implant called PLASMAGRID that injects into four system processes simultaneously, harvests cryptocurrency wallet seed phrases from nineteen different apps, and communicates through a domain generation algorithm seeded with the string "lazarus."1Apr 25, 2026

WEAPONIZED

Associated vulnerabilities

13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.

CVE-2024-23222WebKit Type Confusion Remote Code ExecutionIn the wildEvidence14

iOS 16.6–17.2 ( JtEUci ) — Coruna cassowary (CVE-2024-23222, fixed 17.3)

CVE-2023-43000WebKit Use-After-Free in Apple Safari, iOS, iPadOS, and macOSIn the wildEvidence12

iOS 16.2–16.5 ( KeCRDQ ) — Coruna terrorbird (CVE-2023-43000, fixed 16.6)

CVE-2021-30952Apple Multiple Products Integer Overflow or Wraparound VulnerabilityIn the wildEvidence10

iOS 11.0–15.1 ( mmrZ0r ) — Coruna buffout (CVE-2021-30952, fixed 15.2) and jacurutu (CVE-2022-48503, fixed 15.6)

CVE-2023-32434Kernel privilege escalation via integer overflow in Apple iOS/watchOS/macOSIn the wildEvidence9

Stage 3 : Kernel privilege escalation through CVE-2023-32434, CVE-2023-38606, or CVE-2023-41974 achieves root and deploys the PLASMAGRID implant.

CVE-2023-41974Parallax kernel use-after-free in Apple iOS and iPadOSIn the wildEvidence9

Stage 3 : Kernel privilege escalation through CVE-2023-32434, CVE-2023-38606, or CVE-2023-41974 achieves root and deploys the PLASMAGRID implant.

8 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

183 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

183 IOCsView more in app

Domains

89 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+81

hash.sha1

46 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+38

uri

19 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+11

hash.sha256

18 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+10

ip.v4

10 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+2

hash.md5

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

socket blogNews

May 20, 2026

Coruna Respawned: Compromised art-template npm Package Leads...

Assessed as the likely operator linked to this campaign using a Coruna-like iOS exploit delivery framework via a compromised npm package and watering-hole infrastructure, with deployment patterns aligned to bulk scam and Chinese-language website operations.

breakglass intelNews

Apr 2, 2026

PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

Using the proliferated Coruna iOS exploit kit and PLASMAGRID implant for financially motivated operations, including Chinese-language gambling watering holes and cryptocurrency wallet theft.

security affairsNews

Mar 26, 2026

Coruna exploit reveals evolution of Triangulation iOS exploitation framework

A Chinese financial threat actor observed using the Coruna iOS exploit kit in broad-scale attacks, illustrating reuse of advanced second-hand zero-day exploit capabilities.

dark readingNews

Mar 26, 2026

Coruna, DarkSword & Democratizing Nation-State Exploit Kits

Chinese threat cluster that modified Coruna by removing geographic restrictions and deploying it broadly via cryptocurrency scam sites for financial theft.

+22 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping35

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs13

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables183

Domains, IPs, and hashes tied to this actor, refreshed continuously.