PLASMAGRID

PLASMAGRID is the name used in the provided content for infrastructure associated with the Coruna iOS exploit kit. The reporting cited from Google Threat Intelligence Group (GTIC) and iVerify links PLASMAGRID/Coruna activity to exploitation of iPhone users across iOS 13 through 17.2.1, with Coruna described as containing five exploit chains across 23 exploits and first appearing in February 2025. According to the content, Coruna was initially observed being used by a customer of a surveillance company, later in a July 2025 watering-hole campaign via compromised Ukrainian websites, and subsequently on Chinese scam and crypto-draining sites. The same infrastructure was also linked to new Iran war-themed lure sites, suggesting opportunistic reuse beyond the original surveillance context. The content explicitly notes that the variation in themes and layouts suggests more than one threat actor may be involved. The PLASMAGRID-related infrastructure described in the content includes suspected C2 and delivery domains identified through historical DNS, host response history, and YARA-based retrohunts. Reported traits of suspected PLASMAGRID C2 servers include a 32-byte response on port 443, sometimes also on port 80, and an HTTP banner line of "404 Not Found." The analysis also states that certain Cloudflare banner hashes were relatively unique to PLASMAGRID C2 domains. A known delivery URL, ai-scorepredict[.]com/static/analytics[.]html, reportedly served a dropper page that loaded /51la-ll.js, initialized "LaSDK" with an API endpoint at a suspected C2 domain, and loaded an off-screen iframe to deliver exploit content. YARA-based searching reportedly identified over 200 domains and additional subdomains appearing to deliver the Coruna exploit path, and scanning of iframe indicators found 27 hosts still returning seemingly malicious content, including newly registered Iran-support themed domains. No aliases other than "plasmagrid" are provided in the content.