PLASMAGRID
PLASMAGRID is a custom iOS implant associated with the Coruna exploit kit. It has been observed deployed through watering-hole sites, served via hidden iframes, as part of exploit chains targeting iOS 13.0 through 17.2.1. Reporting cited on this page links active use of Coruna/PLASMAGRID to multiple actors, including UNC6691 (described as Chinese and financially motivated) and UNC6353 (described as suspected Russian and targeting Ukraine); Coruna was also initially seen in use by a customer of a surveillance company.

On a compromised device, PLASMAGRID masquerades as com.apple.assistd, injects into four system processes simultaneously (powerd, locationd, imagent, and SpringBoard), and harvests cryptocurrency wallet seed phrases from 19 different apps.

For command and control it uses a domain generation algorithm seeded with the string "lazarus" to produce 15-character alphanumeric .xyz C2 domains. Known PLASMAGRID-related domains mentioned here include aidm8it5hf1jmtj[.]xyz, uawwydy3qas6ykv[.]xyz, 8fn4957c5g986jp[.]xyz, vvri8ocl4t3k8n6[.]xyz, and rlau616jc7a7f7i[.]xyz; aidm8it5hf1jmtj[.]xyz was identified as the primary C2 domain. Additional suspected C2 traits included Cloudflare-fronted infrastructure, distinctive 404 banners, and the Cloudflare banner hashes e3bc53583ac3a7fcd2ee923dce3fe280 and 017c7b48a9b05e13f67e1395b3b0d774. Payloads were delivered in a custom F00DBEEF container format, encrypted with ChaCha20 and compressed with LZMA, using a custom 0x0BEDF00D header.

Delivery infrastructure included watering-hole domains such as b27[.]icu and iphonex[.]mjdqw[.]cn, which used zero-pixel iframes to load group.html or analytics.html and start a multi-layer JavaScript obfuscation chain for fingerprinting and exploit delivery.

Behavioral and forensic indicators explicitly mentioned include the bundle ID com.apple.assistd, the artifact /private/var/mobile/Library/Preferences/com.apple.photolibraryd.plist, a launchd error referencing com.plasma.springboard.ipc, and the HTTP headers sdkv and x-ts.
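The network indicators above can be turned into a simple hunt. The script below is an added example, not code from the page or from any vendor report: it matches DNS query logs against the five listed C2 domains, flags queries that merely have the described DGA shape (15 alphanumerics under .xyz, a heuristic only, since the algorithm itself is not reproduced here), and checks HTTP requests for the sdkv and x-ts headers. The DNS log format and the sample lines are constructed for the example.

```python
import re

# Known PLASMAGRID C2 domains listed on the page (defanging removed on input).
KNOWN_C2 = {
    "aidm8it5hf1jmtj.xyz", "uawwydy3qas6ykv.xyz", "8fn4957c5g986jp.xyz",
    "vvri8ocl4t3k8n6.xyz", "rlau616jc7a7f7i.xyz",
}
# Shape of the DGA output as described: 15 lowercase alphanumerics under .xyz.
# Shape heuristic only; the "lazarus"-seeded generator is not implemented here.
DGA_SHAPE = re.compile(r"^[a-z0-9]{15}\.xyz$")
# HTTP request header names the page lists as PLASMAGRID indicators.
SUSPECT_HEADERS = {"sdkv", "x-ts"}

def classify_domain(domain):
    """Return 'known-c2', 'dga-shape', or None for a (possibly defanged) name."""
    d = domain.strip().lower().rstrip(".").replace("[.]", ".")
    if d in KNOWN_C2:
        return "known-c2"
    if DGA_SHAPE.match(d):
        return "dga-shape"
    return None

def hunt_dns(lines):
    """Constructed (hypothetical) log format: '<ts> <client> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            verdict = classify_domain(parts[3])
            if verdict:
                hits.append((parts[1], parts[3].lower().rstrip("."), verdict))
    return hits

def hunt_headers(headers):
    """Return the suspect request header names present, case-insensitively."""
    return {h.lower() for h in headers} & SUSPECT_HEADERS

SAMPLE_DNS = [  # constructed sample lines, not real telemetry
    "2026-03-06T10:00:01Z 10.0.0.12 query aidm8it5hf1jmtj.xyz.",
    "2026-03-06T10:00:02Z 10.0.0.12 query api.example.com.",
    "2026-03-06T10:00:03Z 10.0.0.17 query q7k2m9x4p1w8z3v.xyz.",
    "2026-03-06T10:00:04Z 10.0.0.17 query shortname.xyz.",
]

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS):
        print(hit)
    print(hunt_headers({"User-Agent": "x", "sdkv": "1", "X-TS": "1700000000"}))
```

A dga-shape hit on its own is weak evidence (many legitimate .xyz names fit the pattern); treat it as a pivot to check the client for the host-side artifacts listed above.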
Vulnerabilities exploited
12 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Stage 3 : Kernel privilege escalation through CVE-2023-32434, CVE-2023-38606, or CVE-2023-41974 achieves root and deploys the PLASMAGRID implant. | A custom implant called PLASMAGRID that injects into four system processes simultaneously, harvests cryptocurrency wallet seed phrases from nineteen different apps, and communicates through a domain generation algorithm seeded with the string "lazarus."
On March 5, 2026, two things happened simultaneously: CISA added CVE-2021-30952 and CVE-2023-43000 (both exploited by Coruna chains) to the Known Exploited Vulnerabilities catalog.
CVEs Exploited by Coruna: CVE-2020-27932, CVE-2020-27950, CVE-2021-30952, CVE-2022-48503, CVE-2023-32409, CVE-2023-32434, CVE-2023-38606, CVE-2023-41974, CVE-2023-43000, CVE-2024-23222, CVE-2024-23225, CVE-2024-23296
Stage 1 : A WebKit JIT type confusion exploit (CVE-2024-23222 for iOS 16.6-17.2.1, CVE-2023-43000 for 16.2-16.5.1, or CVE-2022-48503 for older versions) achieves initial code execution in the browser renderer process.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A custom implant called PLASMAGRID that injects into four system processes simultaneously, harvests cryptocurrency wallet seed phrases from nineteen different apps, and communicates through a domain generation algorithm seeded with the string "lazarus."
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
GTIG and iVerify published comprehensive analyses of the Coruna kit in early March 2026. Their reporting established the core facts: the exploit kit contains 23 exploits organized into five chains ... and deploys the PLASMAGRID implant through watering hole sites served via hidden iframes. | Both watering holes use the same delivery mechanism: a zero-pixel iframe loading either group.html or analytics.html, which begins the four-layer JavaScript obfuscation chain leading to device fingerprinting and exploit delivery.
Stage 1 : A WebKit JIT type confusion exploit (CVE-2024-23222 for iOS 16.6-17.2.1, CVE-2023-43000 for 16.2-16.5.1, or CVE-2022-48503 for older versions) achieves initial code execution in the browser renderer process.
Execution
1 technique
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606
Privilege Escalation
3 techniques
The implant registers itself as com.apple.assistd ... and injects into four processes simultaneously: powerd ... locationd ... imagent ... SpringBoard
Stage 3 : Kernel privilege escalation through CVE-2023-32434, CVE-2023-38606, or CVE-2023-41974 achieves root and deploys the PLASMAGRID implant.
The exploit chain goes through six stages ... Escape the Safari browser sandbox ...
Stealth
4 techniques
The implant registers itself as com.apple.assistd -- masquerading as an Apple system service -- and injects into four processes simultaneously.
The evasion logic checks for Lockdown Mode using two independent methods (IndexDB and MathML), detects Corellium VMs by checking for /usr/libexec/corelliumd, and cleans crash logs after exploitation.
Credential Access
1 technique
"exfiltrates cryptocurrency wallet data from MetaMask, Exodus, Bitget Wallet, and Base"
Discovery
1 technique
Collection
1 technique
...allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask...
Command and Control
4 techniques
PLASMAGRID's C2 resilience depends on a domain generation algorithm seeded with the string "lazarus" that produces 15-character alphanumeric domains under the .xyz TLD.
UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server.
"The C2 domains (the 27 DGA-generated .xyz domains)... short-lived, algorithmically generated fallback domains"
Exfiltration
1 technique
[PLASMAGRID] decodes QR codes from images, fetches additional modules from C2, and exfiltrates cryptocurrency wallet data from MetaMask, Exodus, Bitget Wallet, and Base.
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom iOS implant deployed by Coruna that gains persistent privileged access, injects into multiple system processes, steals cryptocurrency wallet seed phrases, communicates via DGA-based C2, and supports data collection and monitoring.
Label used for the command-and-control (C2) infrastructure cluster associated with Coruna activity, identified via historic DNS pivots and distinctive HTTP response/banner-hash fingerprints (often behind Cloudflare).