
Coruna Exploit Kit Aims at Older iPhones in Multi-Stage Campaigns


A recent analysis by cybersecurity experts has revealed a sophisticated new exploit kit capable of compromising Apple iPhones running iOS versions from 13.0 to 17.2.1. This toolkit, designated as Coruna by Google’s Threat Intelligence Group (GTIG), is notable for its extensive array of functionalities, boasting five complete exploit chains and 23 vulnerabilities specifically designed to infiltrate devices and extract sensitive financial information.

The Coruna exploit kit stands out as one of the most comprehensive collections of iOS-specific exploits discovered in the wild. GTIG researchers noted that many of the techniques employed within the toolkit leverage previously unseen methods of exploitation, along with effective mitigation bypasses. Initial observations of the exploit kit date back to early 2025, when it was first linked to a client of a commercial surveillance vendor. As 2025 progressed, investigators traced the tool’s application to highly targeted attacks primarily aimed at Ukrainian users, which were attributed to a suspected Russian espionage group known as UNC6353.

By late 2025, the Coruna exploit framework resurfaced in broader campaigns linked to another actor identified as UNC6691, believed to be financially motivated and operating from China. In this scenario, the exploits were delivered through counterfeit financial and cryptocurrency websites designed to lure victims into visiting them from their iPhones. These sites injected a hidden frame that silently loaded the exploit kit as soon as an iOS device reached the page. During this phase, researchers recovered hundreds of samples of the exploit toolkit.

GTIG detailed how the exploit chains target a variety of Apple devices and systems, chaining multiple vulnerabilities to gain progressively deeper access to the operating system. The Coruna toolkit is built on a framework that begins by profiling a visitor's device: it determines the iPhone model and the corresponding iOS version, and uses that information to select the exploit chain best matched to the conditions it detects.

Key characteristics inherent to the Coruna exploit kit include several innovative techniques:

  1. Device Fingerprinting: This technique allows the exploit kit to accurately identify specific iPhone models and their operating software versions.

  2. Automatic Selection of Vulnerabilities: The framework can automatically choose compatible WebKit vulnerabilities for exploitation based on the gathered device data.

  3. Bypassing Apple Security Protections: The kit utilizes advanced techniques designed to circumvent Apple’s robust security measures, including pointer authentication.

  4. Custom Payload Delivery: Uniquely crafted encryption and compression methods are employed to efficiently deliver malicious payloads.

Additionally, researchers identified a binary loader known as PlasmaLoader, which executes the final stage of the attack following a successful browser exploit.

Once the exploit chain has fully executed, this loader embeds itself within a system process on the device. Unlike conventional surveillance implants, the payload's primary focus is the theft of financial data. It scans stored images for QR codes and searches text files for cryptocurrency wallet recovery phrases or specific keywords such as "backup phrase" or "bank account." Any such sensitive information it finds is transmitted to servers controlled by the attackers.

In light of this discovery, Google has issued an important statement emphasizing that the Coruna exploit kit is ineffective against the most recent iOS versions. To enhance security, the company has added related malicious domains to its Safe Browsing feature, recommending that users promptly update their devices to the latest available software releases. For those unable to update, enabling Lockdown Mode is suggested as an additional layer of protection.
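The advice above reduces to a fleet-triage rule: flag any iPhone whose iOS version falls in the reported range 13.0 through 17.2.1, recommend an update where one is possible, and fall back to Lockdown Mode otherwise. The script below is an added example, not code from GTIG or Google; the inventory format and device ids are constructed for illustration.

```python
from typing import List, Tuple

# Inclusive iOS range the article reports as affected (13.0 through 17.2.1).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(version: str) -> Tuple[int, int, int]:
    """Turn '17.2' or '17.2.1' into a comparable 3-tuple, zero-padding short forms."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(version: str) -> bool:
    """True if the version lies inside the range GTIG reported as affected."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Map each (device_id, ios_version, can_update) to (device_id, action).

    Actions follow the article's advice: update when possible, otherwise
    enable Lockdown Mode; devices outside the range need no action here.
    """
    results = []
    for device_id, version, can_update in inventory:
        if not is_in_affected_range(version):
            results.append((device_id, "not in reported range"))
        elif can_update:
            results.append((device_id, "update iOS to latest release"))
        else:
            results.append((device_id, "cannot update: enable Lockdown Mode"))
    return results


# Constructed sample inventory; device ids and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("iphone-0001", "17.2.1", True),   # last version in the reported range
    ("iphone-0002", "17.3", True),     # newer than the range
    ("iphone-0003", "15.8", False),    # in range, cannot update
]

if __name__ == "__main__":
    for device_id, action in triage(SAMPLE_INVENTORY):
        print(f"{device_id}: {action}")
```

Note that "17.2" is treated as 17.2.0 and therefore falls inside the range; a real MDM export should always carry the full build version.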

As the landscape of cybersecurity continues to evolve, the emergence of the Coruna exploit kit serves as a crucial reminder of the ongoing threats targeting mobile device users. Ensuring one’s device remains updated and secure stands paramount in mitigating the risks associated with such sophisticated exploit tactics.
