ELEGANTBOUNCER is a detection tool for file-based mobile exploits.
It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990).
| Threat Name | CVEs | Supported |
|---|---|---|
| FORCEDENTRY | CVE-2021-30860 | ✅ |
| BLASTPASS | CVE-2023-4863, CVE-2023-41064 | ✅ |
| TRIANGULATION | CVE-2023-41990 | ✅ |
| CVE-2025-43300 | CVE-2025-43300 | ✅ |
The TUI mode provides real-time visualization of parallel scanning operations, showing all active worker threads simultaneously. Enable it with the --tui flag when scanning directories.
```text
elegant-bouncer v0.2
ELEGANTBOUNCER Detection Tool
Detection tool for file-based mobile exploits.

A utility designed to detect the presence of known mobile APTs in commonly distributed files.

Usage: elegant-bouncer [OPTIONS] <Input path>

Arguments:
  <Input path>
          Path to the input file or folder

Options:
  -v, --verbose
          Print extra output while parsing

  -s, --scan
          Assess a given file or folder, checking for known vulnerabilities

  -c, --create-forcedentry
          Create a FORCEDENTRY-like PDF

  -r, --recursive
          Recursively scan subfolders

  -m, --messaging
          Scan messaging app databases for attachments (iOS backup format)

      --ios-extract
          Extract/reconstruct iOS backup to readable folder structure

  -o, --output <OUTPUT>
          Output directory for iOS backup extraction

  -f, --force
          Force overwrite of output directory if not empty

  -e, --extensions <EXTENSIONS>
          File extensions to scan (comma-separated, e.g., "pdf,webp,ttf")
          Default: pdf,gif,webp,jpg,jpeg,png,tif,tiff,dng,ttf,otf

  -h, --help
          Print help information (use `-h` for a summary)

  -V, --version
          Print version information
```
Use --scan to assess a single file for known vulnerabilities:

```bash
elegantbouncer --scan suspicious_file.pdf
```

Scan all supported files in a directory:

```bash
elegantbouncer --scan /path/to/folder
```

Use the -r flag to recursively scan all subdirectories:

```bash
elegantbouncer --scan /path/to/folder -r
```

Specify which file types to scan using the -e flag:

```bash
# Scan only PDF and DNG files
elegantbouncer --scan /path/to/folder -e pdf,dng

# Scan only image files recursively
elegantbouncer --scan /path/to/folder -r -e jpg,jpeg,png,webp,gif
```

By default, the tool scans files with these extensions:
- Documents: pdf
- Images: gif, webp, jpg, jpeg, png, tif, tiff, dng
- Fonts: ttf, otf
When scanning a directory, the tool provides:
- Real-time progress updates
- Immediate threat detection notifications
- Summary table with all vulnerability types
- Detailed infected files table with:
  - File path
  - Threat name
  - Associated CVE IDs
```text
[+] Scanning directory: /path/to/documents
[+] Recursive mode enabled
[+] Extensions: pdf, gif, webp, jpg, jpeg, png, tif, tiff, dng, ttf, otf

[1] Scanning: /path/to/documents/invoice.pdf
[2] Scanning: /path/to/documents/photo.jpg
[3] Scanning: /path/to/documents/malicious.webp
    └─ THREAT found: BLASTPASS
[4] Scanning: /path/to/documents/report.pdf
    └─ THREAT found: FORCEDENTRY

[+] Scanned 4 files

[+] Summary Results:
╭────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────────────────┬──────────╮
│ name           │ cve_ids                       │ description                                                              │ detected │
├────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────────────────┼──────────┤
│ FORCEDENTRY    │ CVE-2021-30860                │ Malicious JBIG2 PDF shared over iMessage                                 │ Yes      │
│ BLASTPASS      │ CVE-2023-4863, CVE-2023-41064 │ Malicious WebP presumably shared over iMessage and other mediums         │ Yes      │
│ TRIANGULATION  │ CVE-2023-41990                │ Maliciously crafted TrueType font embedded in PDFs shared over iMessage  │ No       │
│ CVE-2025-43300 │ CVE-2025-43300                │ Malicious DNG with JPEG Lossless compression exploiting RawCamera.bundle │ No       │
╰────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────────────────┴──────────╯

[!] Infected Files Details:
╭───────────────────────────────────┬─────────────┬───────────────────────────────╮
│ path                              │ threat_name │ cve_ids                       │
├───────────────────────────────────┼─────────────┼───────────────────────────────┤
│ /path/to/documents/report.pdf     │ FORCEDENTRY │ CVE-2021-30860                │
│ /path/to/documents/malicious.webp │ BLASTPASS   │ CVE-2023-4863, CVE-2023-41064 │
╰───────────────────────────────────┴─────────────┴───────────────────────────────╯
```
Reconstruct an iOS backup to its readable folder structure:

```bash
# Extract backup to default location (creates _reconstructed folder)
elegantbouncer --ios-extract /path/to/ios/backup

# Extract to specific output directory
elegantbouncer --ios-extract /path/to/ios/backup -o /path/to/output

# Force overwrite if output directory exists
elegantbouncer --ios-extract /path/to/ios/backup -o /path/to/output --force
```

Scan an iOS backup for malicious attachments in messaging apps:

```bash
# Scan messaging databases (iMessage, WhatsApp, Viber, Signal, Telegram)
elegantbouncer --scan --messaging /path/to/ios/backup

# Combine with extraction for complete analysis
elegantbouncer --ios-extract /path/to/ios/backup -o /tmp/extracted
elegantbouncer --scan --messaging /tmp/extracted
```

This feature detects threats in attachments from:
- iMessage - SMS/MMS database attachments
- WhatsApp - Media files from chats
- Viber - Shared files and media
- Signal - Attachments folder (database is encrypted)
- Telegram - Cached media files
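The extract-then-scan workflow above, wrapped into a small shell helper that also turns the tool's `[N] Scanning:` / `THREAT found:` output lines (the format shown earlier) into a tab-separated list of flagged files. This is an added example, not part of the elegant-bouncer project; it assumes the binary is on PATH under the name `elegantbouncer` used in the README, and the sample scan output embedded below is constructed to mirror the README's example.

```shell
#!/bin/sh
# Added example, not part of the elegant-bouncer project.
set -eu

# Parse scan output on stdin into "path<TAB>threat" lines. A "THREAT found:"
# line is attributed to the most recent "[N] Scanning: <path>" line before it.
parse_threats() {
    awk '
        /^\[[0-9]+\] Scanning: / { sub(/^\[[0-9]+\] Scanning: /, ""); current = $0; next }
        /THREAT found: /          { sub(/.*THREAT found: /, ""); print current "\t" $0 }
    '
}

# Reconstruct an iOS backup into $2 (overwriting a non-empty directory, as
# the --force flag allows), then scan the messaging-app attachments in it.
# Prints flagged files and returns 1 when anything was detected, 0 otherwise,
# so it can gate a larger triage pipeline. Assumes `elegantbouncer` is on PATH.
triage_backup() {
    backup="$1"
    out="$2"
    elegantbouncer --ios-extract "$backup" -o "$out" --force >/dev/null
    hits="$(elegantbouncer --scan --messaging "$out" | parse_threats)"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample of scan output (mirrors the README example), used to
# exercise parse_threats without invoking the real tool.
sample_scan_output='[+] Scanning directory: /path/to/documents
[1] Scanning: /path/to/documents/invoice.pdf
[2] Scanning: /path/to/documents/photo.jpg
[3] Scanning: /path/to/documents/malicious.webp
    └─ THREAT found: BLASTPASS
[4] Scanning: /path/to/documents/report.pdf
    └─ THREAT found: FORCEDENTRY
[+] Scanned 4 files'

# Self-check on the constructed sample; prints the two flagged files.
printf '%s\n' "$sample_scan_output" | parse_threats
```

A real run would be `triage_backup /path/to/ios/backup /tmp/extracted`; its non-zero exit status is the signal to escalate.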
Use --create-forcedentry to generate, from scratch, a PDF designed to trigger CVE-2021-30860. This feature is a work in progress.
Note: Pre-made samples can be found in the samples/ directory.
Use Lockdown Mode to decrease your attack surface if you think you are a person of interest.
- Hamid K. (@Hamid-K) for the original implementation of messaging app scanning and iOS backup reconstruction
- Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky
- Apple Security Engineering and Architecture (SEAR)
- Bill Marczak
- Jeff for helping me understand FORCEDENTRY
- Valentina for suggesting this target
- Ian Beer and Samuel Groß of Google Project Zero for their amazing write-up on the sample shared by Citizen Lab with them.
- @mistymntncop for our exchanges and his work on CVE-2023-4863
- Ben Hawkes
- Detecting CVE-2025-43300: A Deep Dive into Apple's DNG Processing Vulnerability
- Researching Triangulation: Detecting CVE-2023-41990 with single byte signatures.
- Researching FORCEDENTRY: Detecting the Exploit With No Samples
- Researching BLASTPASS: Detecting the exploit inside a WebP file - Part 1
- Researching BLASTPASS: Analysing the Apple & Google WebP POC file - Part 2