Social engineering acquisition fraud targeting the maintainer of art-template (~33,600 weekly npm downloads). A Malaysian company front (KILLER WHAL AI SDN BHD) tricked the original author into transferring npm and GitHub ownership. Three phases over 16 months: Phase 1 (Mar 2025) testing with an obfuscated injection; Phase 2 (May 2026) delivery of the Coruna iOS exploit kit via the hijacked JiaThis domain; Phase 3 (Jun 2026) pivot to Chinese gambling/adult content traffic hijacking gated on the Beijing timezone. Google TAG attributes Coruna usage to UNC6691 (Chinese, financially motivated).
Objective
Traffic monetization via iOS exploitation (PLASMAGRID cryptocurrency wallet implant) and gambling/adult content redirect injection
Packages
Indicators
- domain utaq.cfww.shop (communicates-with)
- domain git.youzzjizz.com (communicates-with)
- ipv4 180.178.50.158 (communicates-with)
- ipv4 172.67.141.14 (communicates-with)
- ipv4 104.21.40.254 (communicates-with)
- sha256 273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d (indicates)
- sha256 5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d (indicates)
- sha256 101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77 (indicates)
- sha256 d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f (indicates)
- sha256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c (indicates)
- sha1 57620206d62079baad0e57e6d9ec93120c0f5247 (indicates)
- sha1 14669ca3b1519ba2a8f40be287f646d4d7593eb0 (indicates)
- domain v3.jiathis.com (communicates-with)
- domain test.airsplu.cn (communicates-with)
- domain s5gw.mki.mom (communicates-with)
- domain s5dh.club (communicates-with)
- domain l1ewsu3yjkqeroy.xyz (communicates-with)
- sha256 e27a0e28da18a7978dd0139bccf48ec5c39454fda6384c95fc0fb004b3b502a2 (indicates)
- sha256 7c59001d7bdd0dfb04b89d2de3d71b18975b20f22b2af880911413fb29cfdff0 (indicates)
- url https://v3.jiathis.com/code/art.js (communicates-with)
- url https://v3.jiathis.com/code/jia.js (communicates-with)
- email [email protected] (indicates)
- email [email protected] (indicates)
- email [email protected] (indicates)
- email [email protected] (indicates)
- email [email protected] (indicates)
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1203 Exploitation for Client Execution (uses)
- ttp T1583.001 Acquire Infrastructure: Domains (uses)
- ttp T1608.004 Stage Capabilities: Drive-By Target (uses)
- ttp T1199 Trusted Relationship (uses)
- ttp Social Engineering Acquisition Fraud (uses)