pull down to refresh

but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.
do we know what web page it was forwarding to?
You mean the domain name/ip? I don't know if that's been disclosed. On the next line it indicates the web page mostly just loads some javascript to perform another exploit.
reply