Tox
1 totalFA21E360945F602504728A05A39758C38B6A5B5DA1969717AF05838D14FDCD3DE17455833F11
INSOMNIA is an iOS spyware implant associated with China-linked espionage activity targeting Uyghur activists, journalists, and dissidents.
Profile source: Mallory opens in a new tabINSOMNIA
INSOMNIA is an iOS spyware implant associated with China-linked espionage activity targeting Uyghur activists, journalists, and dissidents. Reporting links its deployment to the threat actor tracked as Earth Empusa / Evil Eye, and Volexity assessed it was likely the same group behind earlier iOS implant exploitation described by Google Project Zero. The malware was delivered via malicious JavaScript and a WebKit-based exploit chain served from compromised or look-alike Uyghur- and Turkish-themed websites in watering-hole attacks. Volexity reported the exploit worked against iOS 12.3, 12.3.1, and 12.3.2, and that the exploited vulnerability appeared patched in iOS 12.4. If exploitation succeeded, a Mach-O payload wrote the implant to /tmp/updateserver and executed it with elevated entitlements as root; Volexity noted the implant lacked a persistence mechanism.
Observed capabilities include collection of the device phone number, ICCID, IMEI, active network interface, device name, serial number, iOS version, total and free disk space, contact list, SMS messages, iMessages, call history, device photos, and application database files and third-party app container directories, including Gmail and Hangouts data. Volexity also reported the updated implant targeted data from Signal, ProtonMail, and WeChat. INSOMNIA communicates with command-and-control infrastructure over HTTPS requests, and the updated version validated its C2 using an embedded certificate and refused to operate if validation failed. Reported infrastructure and delivery indicators include exploit delivery via cdn.doublesclick[.]me and malicious JavaScript observed on strunhvgpk[.]com, with related infrastructure including sslportservices[.]com.
Ransomware.live
Ransomware.live
FA21E360945F602504728A05A39758C38B6A5B5DA1969717AF05838D14FDCD3DE17455833F11Ransomware.live
Reported operators
If the exploit is successful, a new version of the implant described by Google will be installed onto the device. Volexity refers to this implant by the name INSOMNIA.
"...contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised."
MITRE ATT&CK
Reporting
Other recent data breaches resulting from ransomware attacks on healthcare providers include: Southern Illinois Dermatology reported a November 2025 data breach claimed by Insomnia
INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.
INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.
INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.
"...contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised."
If the exploit is successful, a new version of the implant described by Google will be installed onto the device. Volexity refers to this implant by the name INSOMNIA.
INSOMNIA can retrieve SMS messages and iMessages.
INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.