PlasmaLoader
PlasmaLoader, also tracked as PLASMAGRID, is a financially motivated iOS malware/stager delivered at the end of the Coruna (aka CryptoWaters) exploit chain. It has been observed in mass exploitation campaigns using fake Chinese gambling, finance, and cryptocurrency websites, as well as in activity attributed to the China-linked financial threat actor UNC6691. After browser-based exploitation of iPhones running vulnerable iOS versions, PlasmaLoader is deployed as an encrypted payload, including as an encrypted .min.js file, and injects into a root-level iOS daemon, specifically powerd, while masquerading with the com.apple.assistd identifier. The malware then deploys a financially focused payload and can retrieve additional modules from external command-and-control infrastructure.
Reported capabilities include decoding QR codes from images, downloading and executing additional modules from C2, and exfiltrating sensitive financial data. The malware targets cryptocurrency wallet data, banking data, backup phrases, and other sensitive information. It has been reported to search text, including Apple Notes/Memos, for BIP39 seed phrases and keywords such as "backup phrase" and "bank account." Targeted applications explicitly mentioned in the reporting include MetaMask, Exodus, Bitget Wallet, Base, and additional cryptocurrency wallet apps; one report states the payload targets 18 wallet applications. Communications are encrypted, and the malware includes hard-coded C2 servers plus a fallback custom domain generation algorithm seeded with the string "lazarus," generating 15-character .xyz domains.
PlasmaLoader is associated with the Coruna exploit kit, which was observed in 2025-2026 across multiple actor ecosystems, including earlier targeted use and later broader criminal monetization. High-confidence indicators and traits mentioned in the content include the aliases PLASMAGRID, injection into the iOS powerd daemon, use of the com.apple.assistd identifier, encrypted .min.js payload delivery, exfiltration from wallet apps such as MetaMask/Exodus/Bitget Wallet/Base, and the DGA seed string "lazarus."
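The reporting above gives only the traits of PlasmaLoader's fallback DGA (15-character labels under .xyz, seed "lazarus"), not the algorithm itself, so a defender can key on the trait rather than reproduce the generator. The following is an added example, not code from Mallory or from any vendor report: it scans constructed DNS query log lines (the log format, hosts and domains are all made up for the example) for two-label .xyz names whose second-level label is exactly 15 characters and has enough entropy to look generated rather than chosen by a human.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real telemetry); two of the
# lines mimic the reported 15-character .xyz DGA pattern.
SAMPLE_DNS_LOG = """\
2026-03-05T10:01:02Z 10.0.0.12 query A www.apple.com
2026-03-05T10:01:03Z 10.0.0.12 query A qwpxzlmkrtvbnha.xyz
2026-03-05T10:01:04Z 10.0.0.17 query A shop.example.xyz
2026-03-05T10:01:05Z 10.0.0.12 query A aaaaaaaaaaaaaaa.xyz
2026-03-05T10:01:06Z 10.0.0.12 query A tkvzmqpwhxnbrlg.xyz
2026-03-05T10:01:07Z 10.0.0.20 query A cryptowallets.xyz
"""

# Assumed log layout: "<timestamp> <client> query <rrtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+\w+\s+(?P<qname>\S+)$")
LABEL_RE = re.compile(r"[a-z0-9-]+")


def shannon_entropy(s):
    """Bits of entropy per character; 15 distinct letters score ~3.9, a repeated letter 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_plasmaloader_dga(qname, label_len=15, tld="xyz", min_entropy=3.0):
    """True when qname is <15-char-label>.xyz and the label is not obviously human-chosen."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 2 or labels[1] != tld:
        return False  # subdomains of legitimate .xyz sites and other TLDs are ignored
    sld = labels[0]
    if len(sld) != label_len or not LABEL_RE.fullmatch(sld):
        return False
    # Entropy threshold is an assumed tuning value, not from the reporting.
    return shannon_entropy(sld) >= min_entropy


def find_dga_candidates(log_text):
    """Return (client, qname) pairs that match the DGA trait, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and looks_like_plasmaloader_dga(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for src, name in find_dga_candidates(SAMPLE_DNS_LOG):
        print(f"DGA-like .xyz query from {src}: {name}")
```

A single hit is weak evidence on its own; a client that resolves several distinct 15-character .xyz names in a short window is the pattern worth alerting on, since the hard-coded C2 servers are tried first and the DGA is only a fallback.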
Vulnerabilities exploited
13 CVEs Mallory has correlated with this family across public research and vendor advisories.
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation.
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in question relates to CVE-2024-23222, a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3 and iOS 16.7.5 and iPadOS 16.7.5.
Sparrow - CVE-2024-23225 (versions 17.0 → 17.3).
buffout - CVE-2021-30952 (versions 13 → 15.1.1) ... CISA, on March 5, 2026, added CVE-2021-30952 ... to its Known Exploited Vulnerabilities catalog following the abuse of the flaws in the Coruna exploit kit.
IronLoader - CVE-2023-32409 (versions 16.0 → 16.3.116.4.0).
Parallax - CVE-2023-41974 (versions 16.4 → 16.7) ... CISA, on March 5, 2026, added ... CVE-2023-41974 ... to its Known Exploited Vulnerabilities catalog following the abuse of the flaws in the Coruna exploit kit.
Rocket - CVE-2024-23296 (versions 17.1 → 17.4).
Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below - Neutron - CVE-2020-27932 (versions 13.x).
The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit. It's worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023.
Dynamo - CVE-2020-27950 (versions 13.x).
Version 15.8.7 fixes CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010... Meanwhile, version 16.7.15 patches the WebKit vulnerability CVE-2023-43010.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version.
It has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine.
The Coruna exploit kit, also called CryptoWaters, targets iOS 13.0 through 17.2.1 and includes 23 separate exploits and five exploit chains, affecting Web content, WebKit, and system protections like PAC and PPL.
Execution
2 techniques
It uses a custom JavaScript framework and loaders to deliver tailored exploits.
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606
Privilege Escalation
3 techniques
“At the end of the chain, a stager called PlasmaLoader injects into a root daemon…”
After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher.
The exploit chain goes through six stages ... Escape the Safari browser sandbox ...
Stealth
3 techniques
At the end of the chain, a stager called PlasmaLoader injects into a root daemon and deploys a financially focused payload.
Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."
Credential Access
1 technique
"exfiltrates cryptocurrency wallet data from MetaMask, Exodus, Bitget Wallet, and Base"
Collection
2 techniques
The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information ... DarkSword aims to extract an extensive set of personal information including credentials from the device and specifically targets a plethora of crypto wallet apps
...allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask...
Command and Control
4 techniques
It targets numerous cryptocurrency apps, uses encrypted communications, and falls back on a custom domain generation algorithm seeded with “lazarus” to maintain persistence.
UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server.
Exfiltration
2 techniques
“The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information…”
The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information and loading additional modules from command-and-control servers.
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Data-stealing malware delivered via fake gambling and cryptocurrency websites as part of a mass exploitation campaign targeting iPhones through the Coruna exploit kit.
A stager/loader used at the end of the Coruna exploitation chain to inject into a root daemon and deploy a payload focused on stealing financial and cryptocurrency-related data.
Final payload associated with the Coruna exploit kit that targets banking data, cryptocurrency wallets, and other sensitive information, and uses encrypted communications plus a custom domain generation algorithm.
Post-exploitation stager/loader that injects into a root daemon and deploys a financially focused payload; supports loading additional modules from C2 infrastructure.