alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Coruna Stage 3 Implant Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/details/sms.js"; fast_pattern; endswith; http.host; bsize:19; content:".xyz"; endswith; reference:url,iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking; reference:url,cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit; classtype:exploit-kit; sid:2068162; rev:1; metadata:affected_product Cisco_IOS, attack_target Client_Endpoint, created_at 2026_03_11, deployment Perimeter, confidence Medium, signature_severity Major, tag iOS, tag Exploit, tag Coruna, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)