Skip to content
Ransomware group

INSOMNIA

INSOMNIA is an iOS spyware implant associated with China-linked espionage activity targeting Uyghur activists, journalists, and dissidents.

Profile source: Mallory opens in a new tab

INSOMNIA

Family profile

INSOMNIA is an iOS spyware implant associated with China-linked espionage activity targeting Uyghur activists, journalists, and dissidents. Reporting links its deployment to the threat actor tracked as Earth Empusa / Evil Eye, and Volexity assessed it was likely the same group behind earlier iOS implant exploitation described by Google Project Zero. The malware was delivered via malicious JavaScript and a WebKit-based exploit chain served from compromised or look-alike Uyghur- and Turkish-themed websites in watering-hole attacks. Volexity reported the exploit worked against iOS 12.3, 12.3.1, and 12.3.2, and that the exploited vulnerability appeared patched in iOS 12.4. If exploitation succeeded, a Mach-O payload wrote the implant to /tmp/updateserver and executed it with elevated entitlements as root; Volexity noted the implant lacked a persistence mechanism.

Observed capabilities include collection of the device phone number, ICCID, IMEI, active network interface, device name, serial number, iOS version, total and free disk space, contact list, SMS messages, iMessages, call history, device photos, and application database files and third-party app container directories, including Gmail and Hangouts data. Volexity also reported the updated implant targeted data from Signal, ProtonMail, and WeChat. INSOMNIA communicates with command-and-control infrastructure over HTTPS requests, and the updated version validated its C2 using an embedded certificate and refused to operate if validation failed. Reported infrastructure and delivery indicators include exploit delivery via cdn.doublesclick[.]me and malicious JavaScript observed on strunhvgpk[.]com, with related infrastructure including sslportservices[.]com.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • FA21E360945F602504728A05A39758C38B6A5B5DA1969717AF05838D14FDCD3DE17455833F11

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

2 named in public reporting
Evil Eye

If the exploit is successful, a new version of the implant described by Google will be installed onto the device. Volexity refers to this implant by the name INSOMNIA.

earth_empusa

"...contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised."

MITRE ATT&CK

INSOMNIA in ATT&CK

8 distinct techniques

Reporting

Research mentioning INSOMNIA

Apr 7
Comparitech

Heart South Cardiovascular Group warns 46,000+ people of data breach - Comparitech

Other recent data breaches resulting from ransomware attacks on healthcare providers include: Southern Illinois Dermatology reported a November 2025 data breach claimed by Insomnia

Apr 1
Mitre Attack Website

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.

Apr 1
Mitre Attack Website

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.

Apr 1
Mitre Attack Website

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.

Mar 24
Facebook Security

Taking Action Against Hackers in China

"...contained malicious javascript code that resembled previously reported exploits, which installed iOS malware known as INSOMNIA on people’s devices once they were compromised."

Apr 21
Volexity

Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant

If the exploit is successful, a new version of the implant described by Google will be installed onto the device. Volexity refers to this implant by the name INSOMNIA.

Jan 18
Mitre Attack Website

Protected User Data: SMS Messages, Sub-technique T1636.004 - Mobile | MITRE ATT&CK®

INSOMNIA can retrieve SMS messages and iMessages.

Jan 18
Mitre Attack Website

System Information Discovery, Technique T1426 - Mobile | MITRE ATT&CK®

INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.