Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
ID: 2e4af036-96b8-5609-8d58-2deded5b3413
STIX ID: report--2e4af036-96b8-5609-8d58-2deded5b3413
Feed Name: Volexity Blog
Volexity documents a targeted campaign by the Evil Eye APT leveraging IRONSQUIRREL-based web exploits on compromised Uyghur websites to deliver an iOS root implant called INSOMNIA against devices running iOS 12.3 through 12.3.2. The implant, written to /tmp/updateserver, collects and exfiltrates app and messaging data (including Signal and ProtonMail artefacts), validates its C2 via embedded certificates, and communicates over HTTPS to multiple hard-coded C2 IPs and hostnames; several IOCs and SHA256 hashes are provided.
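The summary above lists the indicators a defender would hunt on: hard-coded C2 IPs and hostnames, implant SHA256 hashes, the /tmp/updateserver drop path, and the narrow vulnerable iOS range. The following is an added example, not code from Volexity or from the report, showing how those indicator types can be run over proxy logs and a file inventory. The IOC values, log lines and hashes are constructed placeholders (documentation IPs and .invalid hostnames), not the real indicators from the report, and the log format is an assumed simple "timestamp src dst host "user-agent"" layout.

```python
import re

# Constructed placeholder IOCs. Replace with the real values from the report;
# these documentation-range IPs and .invalid hostnames are NOT the campaign's.
C2_HOSTS = {"c2.example.invalid"}
C2_IPS = {"192.0.2.10", "198.51.100.7"}
IMPLANT_SHA256 = {"aa" * 32}          # placeholder hash, not a real INSOMNIA hash
IMPLANT_PATH = "/tmp/updateserver"    # drop path named in the summary

# Affected range from the summary: iOS 12.3 through 12.3.2 inclusive.
VULN_MIN, VULN_MAX = (12, 3, 0), (12, 3, 2)

# Safari/WebKit on iOS advertises "CPU iPhone OS 12_3_1 like Mac OS X".
UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
# Assumed log layout: ts src dst host "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def ios_version(user_agent):
    """Return (major, minor, patch) parsed from an iOS user agent, or None."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(ver):
    """True when the parsed version falls inside the exploited 12.3 - 12.3.2 window."""
    return ver is not None and VULN_MIN <= ver <= VULN_MAX


def scan_proxy_log(lines):
    """Flag lines that touch a C2 indicator or come from a device in the vulnerable range.

    Returns a list of (timestamp, source, reasons) tuples, one per flagged line.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = []
        if m["host"] in C2_HOSTS or m["dst"] in C2_IPS:
            reasons.append("c2")
        if is_vulnerable(ios_version(m["ua"])):
            reasons.append("vulnerable-ios")
        if reasons:
            hits.append((m["ts"], m["src"], reasons))
    return hits


def scan_file_inventory(entries):
    """Match (path, sha256) pairs against the implant hash set and drop path."""
    return [(p, h) for p, h in entries
            if h.lower() in IMPLANT_SHA256 or p == IMPLANT_PATH]


# Constructed sample input: the first and last lines hit C2 indicators, the
# first two come from devices in the vulnerable range, the third is clean.
SAMPLE_LOG = [
    '2020-04-01T10:00:00Z 10.0.0.5 192.0.2.10 c2.example.invalid "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)"',
    '2020-04-01T10:00:05Z 10.0.0.6 203.0.113.9 news.example.net "Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X)"',
    '2020-04-01T10:00:09Z 10.0.0.7 203.0.113.9 news.example.net "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X)"',
    '2020-04-01T10:00:12Z 10.0.0.8 198.51.100.7 cdn.example.org "curl/7.64.1"',
]

SAMPLE_FILES = [
    ("/tmp/updateserver", "bb" * 32),   # path match, unknown hash
    ("/usr/bin/foo", "aa" * 32),        # hash match at a different path
    ("/usr/bin/bar", "cc" * 32),        # clean
]

if __name__ == "__main__":
    for ts, src, reasons in scan_proxy_log(SAMPLE_LOG):
        print(ts, src, ",".join(reasons))
    for path, digest in scan_file_inventory(SAMPLE_FILES):
        print("file hit:", path, digest)
```

Version-range matching is kept separate from C2 matching on purpose: a device in the vulnerable window that visited one of the compromised sites is worth triage even when its traffic never reached a listed C2, since the summary notes the implant's C2 list is hard-coded and may not be exhaustive.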
