S0463: INSOMNIA
Analyst context for executives and security teams
INSOMNIA is an iOS spyware entry in ATT&CK, documented as used by Evil Eye. Its mapped behaviors matter because they point to mobile compromise that can move beyond ordinary app abuse: privilege escalation, device and network discovery, location tracking, collection of local data and iOS keychain material, and command-and-control over web protocols or non-standard ports. For leaders, the decision value is whether high-risk mobile users and managed iOS devices have enough patching, mobile telemetry, network visibility, and incident response process to prove or disprove compromise.
Executive priority
Treat this as a mobile resilience and executive-risk use case, not just a malware label. The relationships indicate risks to credentials, sensitive communications, location privacy, and device trust. Priority questions: Are iOS devices patched quickly enough to reduce exploit-driven privilege escalation risk? Can the organization investigate a suspected mobile spyware case without relying only on user reports? Are high-risk personnel, travel devices, and privileged users covered by MDM/UEM policy, network logging, and mobile IR procedures? Compliance and audit evidence should emphasize patch status, device inventory, managed configuration, and documented response handling for mobile data exposure.
Technical view
ATT&CK does not provide a detection section for INSOMNIA, so SOC and IR teams should validate coverage against the related behaviors rather than a single signature. The object is iOS-specific and uses relationships including Exploitation for Privilege Escalation, Drive-By Compromise, Obfuscated Files or Information, Software Discovery, System/Internet/Wi-Fi Network Configuration Discovery, System Information Discovery, Location Tracking, Web Protocols, Non-Standard Port, Data from Local System, Ptrace System Calls, Keychain, Call Log, Contact List, and SMS Messages. Practical validation should focus on whether managed iOS devices expose enough telemetry to detect exploit aftermath, suspicious application or process behavior, unusual web egress, non-standard protocol/port pairings, and access to sensitive local data where collection is technically available.
Likely telemetry
- MDM/UEM inventory: iOS version, patch level, device compliance, jailbreak/root indicators where available, installed applications, and configuration posture.
- Mobile security or EDR telemetry, if deployed: suspicious process behavior, exploit indicators, code injection or ptrace-like activity, and abnormal access to protected data stores.
- Network telemetry: DNS, proxy, firewall, TLS metadata, mobile gateway logs, unusual web-protocol traffic, and protocol/port mismatches related to non-standard ports.
- Web access telemetry for drive-by exposure analysis: browsing history or secure web gateway logs where policy and privacy rules permit.
- Device forensic artifacts during IR: application lists, system information, network configuration, local file access evidence, keychain access indicators, and traces of contact, SMS, call log, or location access where available.
Detection direction
- Because MITRE supplies no official detection guidance, build behavior-based checks from the mapped techniques and clearly document expected visibility gaps on iOS.
- Correlate high-risk events: recent iOS exploit exposure or suspicious browsing, unexpected device privilege changes, anomalous mobile network egress, and access to sensitive local data sources.
- Tune network detections for web protocols and non-standard ports, but account for normal mobile application traffic to reduce false positives.
- Validate whether app inventory and software discovery-like behavior can be observed in the organization’s tooling; many environments cannot see detailed on-device enumeration.
- Use relationship context to prioritize triage: keychain, SMS, contacts, call logs, location, and local system data imply potential privacy, credential, and business-sensitive data exposure.
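As an added illustration of the non-standard-port and correlation items above (example code written for this page, not ATT&CK, Volexity, or Glexia content), the Python below scans constructed firewall/proxy log lines for TLS sessions from managed iOS devices to ports where TLS is not expected, groups them per device and destination, and raises severity when a constructed MDM record shows the device non-compliant or below a minimum iOS version. The key=value log format, IP addresses, device names, and versions are hypothetical; the destination ports reuse the values the techniques table on this page attributes to INSOMNIA C2.

```python
import re
from collections import defaultdict

# Ports where TLS is expected from mobile apps; any other port carrying TLS is flagged.
EXPECTED_TLS_PORTS = {443, 8443}

# Constructed MDM/UEM inventory (hypothetical): device IP -> (name, iOS version, compliant).
MDM_INVENTORY = {
    "10.20.1.15": ("exec-iphone-01", "12.3.1", False),
    "10.20.1.22": ("sales-iphone-07", "17.4.1", True),
}

# Constructed firewall/proxy lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
ts=2024-05-01T09:12:03Z src=10.20.1.15 dst=203.0.113.9 dport=43111 app=tls bytes=5120
ts=2024-05-01T09:12:10Z src=10.20.1.22 dst=198.51.100.4 dport=443 app=tls bytes=900
ts=2024-05-01T09:13:44Z src=10.20.1.15 dst=203.0.113.9 dport=43223 app=tls bytes=61440
ts=2024-05-01T09:15:02Z src=10.20.1.22 dst=198.51.100.7 dport=8443 app=tls bytes=300
ts=2024-05-01T09:16:20Z src=10.20.1.15 dst=203.0.113.9 dport=43773 app=tls bytes=2048
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse one key=value log line into a dict; dport is converted to int."""
    fields = dict(LINE_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    return fields

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def find_non_standard_tls(log_text, inventory, min_ios="16.0"):
    """Group TLS sessions to non-standard ports by (device name, destination)."""
    # Severity becomes 'high' when MDM shows the device non-compliant or below min_ios.
    alerts = defaultdict(lambda: {"ports": set(), "sessions": 0, "severity": "medium"})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("app") != "tls" or ev["dport"] in EXPECTED_TLS_PORTS:
            continue
        if ev["src"] not in inventory:
            continue  # unmanaged sources are out of scope for this check
        name, ios, compliant = inventory[ev["src"]]
        entry = alerts[(name, ev["dst"])]
        entry["ports"].add(ev["dport"])
        entry["sessions"] += 1
        if not compliant or version_tuple(ios) < version_tuple(min_ios):
            entry["severity"] = "high"
    return {key: {**val, "ports": sorted(val["ports"])} for key, val in alerts.items()}
```

In a real deployment the expected-port set should be derived from a baseline of normal mobile application traffic, since legitimate apps also use non-443 ports and the check otherwise produces false positives.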
Mitigation priorities
- Prioritize timely iOS updates and managed device compliance because the mapped behavior includes exploitation for privilege escalation and drive-by compromise.
- Use MDM/UEM policy to enforce supported OS versions, restrict unmanaged profiles where possible, maintain app inventory, and identify non-compliant or jailbroken devices where telemetry supports it.
- Reduce exposure for high-risk users through managed browsing guidance, security awareness for suspicious links, and travel or executive-device hardening procedures.
- Limit sensitive data persistence on mobile devices where business process allows, especially credentials and high-value communications.
- Monitor and control mobile egress with privacy-aware network logging, focusing on unusual web-protocol usage and non-standard ports.
Analyst notes and limits
This take is based only on the supplied ATT&CK STIX fields, external references, and relationships. INSOMNIA is identified as iOS spyware and documented by ATT&CK as used by Evil Eye, with Volexity as the cited external source. The strongest defensive value comes from the relationship set, which frames what defenders should validate across mobile exploit prevention, discovery, collection, credential exposure, location privacy, and network command-and-control visibility.
ATT&CK provides no official detection text, tactics are not specified in the supplied object, and no indicators of compromise, affected versions, exploit details, infrastructure, or current activity claims are included here. Local conclusions require organization-specific mobile telemetry, MDM/UEM coverage, network logs, forensic access, privacy constraints, and knowledge of which users or devices are in scope.
INSOMNIA
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1426 | System Information Discovery | INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space. (Citation: Google Project Zero Insomnia) |
| Mobile | T1404 | Exploitation for Privilege Escalation | INSOMNIA exploits a WebKit vulnerability to achieve root access on the device. (Citation: Volexity Insomnia) |
| Mobile | T1430 | Location Tracking | INSOMNIA can track the device’s location. (Citation: Google Project Zero Insomnia) |
| Mobile | T1631.001 | Ptrace System Calls (sub-technique) | INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache. (Citation: Google Project Zero Insomnia) |
| Mobile | T1406 | Obfuscated Files or Information | INSOMNIA obfuscates various pieces of information within the application. (Citation: Volexity Insomnia) |
| Mobile | T1636.004 | SMS Messages (sub-technique) | INSOMNIA can retrieve SMS messages and iMessages. (Citation: Google Project Zero Insomnia) |
| Mobile | T1422 | System Network Configuration Discovery | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular). (Citation: Google Project Zero Insomnia) |
| Mobile | T1418 | Software Discovery | INSOMNIA can obtain a list of installed non-Apple applications. (Citation: Google Project Zero Insomnia) |
| Mobile | T1422.001 | Internet Connection Discovery (sub-technique) | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular). (Citation: Google Project Zero Insomnia) |
| Mobile | T1509 | Non-Standard Port | INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773. (Citation: Volexity Insomnia) |
| Mobile | T1422.002 | Wi-Fi Discovery (sub-technique) | INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular). (Citation: Google Project Zero Insomnia) |
| Mobile | T1636.003 | Contact List (sub-technique) | INSOMNIA can collect the device’s contact list. (Citation: Google Project Zero Insomnia) |
| Mobile | T1636.002 | Call Log (sub-technique) | INSOMNIA can retrieve the call history. (Citation: Google Project Zero Insomnia) |
| Mobile | T1437.001 | Web Protocols (sub-technique) | INSOMNIA communicates with the C2 server using HTTPS requests. (Citation: Volexity Insomnia) |
| Mobile | T1533 | Data from Local System | INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps. (Citation: Google Project Zero Insomnia) |
| Mobile | T1634.001 | Keychain (sub-technique) | INSOMNIA can extract the device’s keychain. (Citation: Google Project Zero Insomnia) |
| Mobile | T1456 | Drive-By Compromise | INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices. (Citation: Volexity Insomnia) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a654303c17e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Volexity Insomnia: A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
- [2] mitre-attack S0463.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.