alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Coruna User-Agent (Outbound)"; flow:established,to_server; http.user_agent; bsize:135; content:"Mozilla|2f|5|2e|0|20 28|iPhone|3b 20|CPU|20|iPhone|20|OS|20|16|5f|0|20|like|20|Mac|20|OS|20|X|29 20|AppleWebKit|2f|605|2e|1|2e|15|20 28|KHTML|2c 20|like|20|Gecko|29 20|Version|2f|16|2e|0|20|Mobile|2f|15E148|20|Safari|2f|604|2e|1"; reference:url,cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/; reference:url,iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking; classtype:command-and-control; sid:2068009; rev:1; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2026_03_04, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Exploit_Kit, tag c2, updated_at 2026_03_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)