ET EXPLOIT_KIT Coruna Loader Page
Source: et/open
Created: March 9, 2026
Updated: March 9, 2026
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Coruna Loader Page"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,45000,0,string,dec; http.response_body; content:"|3c|script|20|type|3d 22|text|2f|javascript|22 3e|"; content:".toString(16).toLowerCase()"; distance:0; content:".reduce"; distance:0; content:"|22 25|u|22|"; distance:0; content:"|22 25|u|22|"; distance:0; content:"unescape"; distance:0; content:"window.globalThis"; distance:0; fast_pattern; content:"window|3b|"; within:12; content:"new Function("; distance:0; reference:url,iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking; classtype:trojan-activity; sid:2068085; rev:1; metadata:affected_product iOS, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_03_09, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit, tag iOS, tag Coruna, updated_at 2026_03_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)