Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.
What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.
By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.
Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.
How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.
Similarly, when you talk about it going away after a reset that seems more like normal app activity stopping until you restart the app.
That doesn’t have any details supporting the belief that this traffic was malicious or a sign of compromise. I’d easily believe that it’s picking up developer telemetry or ad networks but without some hard evidence this sounds like misinterpretation rather than a compromise.
Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.
Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).
MDM was not used to redirect DNS, only toggling features off in Apple Configurator.
Surely you used several USB Ethernet adapters to rule them out as being the source as well right? Those types of dongles are well known for calling home.
So how did you identify this as a breach? I'm struggling to find this credible, and you've yet to provide specifics.
Right now it comes across as "just enough knowledge to be dangerous"-levels, meaning: you've seen things, don't understand those things, and draw an unfounded conclusion.
Feel free to provide specifics, like log entry lines, that show this breach.
Please feel free to ignore this sub-thread. I'm merely happy that Apple finally shipped an iPad that would last (for me! no claims about anyone else!) more than a few weeks without falling over.
To learn iOS forensics, try Corellium iPhone emulated VMs that are available to security researchers, the open-source QEMU emulation of iPhone 11 [1] where iOS behavior can be observed directly, paid training [2] on iOS forensics, or enter keywords from that course outline into web search/LLM for a crash course.
I worked at Corellium tracking sophisticated threats. Nothing you’ve posted is indicative of a compromise. If you’re convinced I’d be happy to go through your IOCs and try to explain them to you.
There’s no hard evidence that you’ve put forward that you’ve been breached.
Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.
Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?
Strong claims require strong evidence imo and this isn’t it.
As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.
I agree with other posters that you seem to be capable of network level forensics, but you have said nothing to back up what you consider a device breach other than 'some cloud destined network traffic which disapears after a hard reset'.
In my experience of forensic reports, this link is tenuous at best and would not be considered evidence or even suspected breach based on that alone.