Ethical Hacking News
A previously undocumented, spyware-grade iOS exploit kit named "Coruna", comprising 23 exploits, has recently been observed in use by multiple threat actors in targeted espionage campaigns and in financially motivated attacks. The kit contains five full iOS exploit chains that rely on non-public techniques and mitigation bypasses, covering iOS versions 13.0 through 17.2.1 (the latter released in December 2023).
The Coruna kit was first observed in February 2025 by researchers from the Google Threat Intelligence Group (GTIG), who attributed the activity to a customer of a commercial surveillance vendor. At that time, the researchers obtained a JavaScript delivery framework along with an exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1. Apple had addressed the flaw in iOS 17.3 on January 22, 2024, after it was exploited in zero-day attacks.
However, the same obfuscated framework was observed again in the summer of 2025, when suspected Russian cyberspies tracked as UNC6353 deployed it in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites for ecommerce, industrial equipment and retail tools, and local services. This shows that the Coruna exploit kit has been used by several threat actors with different motivations.
In late 2025, the exploit kit appeared on various fake Chinese gambling and crypto websites. Google attributes this activity to the financially motivated Chinese threat actor UNC6691. GTIG researchers could not determine how the Coruna exploit kit moved from serving spyware campaigns linked to a surveillance vendor to financially motivated activity aimed at cryptocurrency users.
"How this proliferation occurred is unclear, but suggests an active market for 'second-hand' zero-day exploits," GTIG notes in the report. Surveillance vendors keep exploit kits like Coruna under strictly limited access and use them in products sold to government customers running highly targeted operations. Apple has consistently described such flaws as exploited only in limited attacks aimed at specific, high-value individuals.
Mobile security company iVerify says that Coruna is one of the clearest examples to date of sophisticated spyware-grade capabilities that migrated from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations. This reinforces iVerify’s long-standing belief that the mobile threat landscape is evolving rapidly, "and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users."
Figure: The Coruna exploit kit deployment timeline (Source: Google)
Coruna exploit kit capabilities
After obtaining the complete exploit kit in late 2025, GTIG analysts found that it included five full exploit chains built from a set of 23 exploits, covering WebKit remote code execution, Pointer Authentication Code (PAC) bypasses, sandbox escapes, kernel privilege escalation, and Page Protection Layer (PPL) bypasses.
"The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses," GTIG researchers say. Some of the exploits reuse vulnerabilities first identified during Operation Triangulation, which was uncovered in June 2023 by Kaspersky after the cybersecurity firm discovered that several iPhones on its network had been compromised.
Kaspersky later discovered that those exploits abused undocumented hardware features in Apple's devices. The Coruna delivery framework fingerprints the device and OS version, and then selects the appropriate exploit chain to execute. If the Lockdown Mode anti-spyware protection feature or private browsing is active on the device, the framework stops without attempting exploitation.
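As a defender-side counterpart to that fingerprinting step, here is an added Python example (not code from the article, from Google, or from the kit itself) that triages a web access log for iPhone clients whose reported iOS version falls inside the range the kit covers, 13.0 through 17.2.1. The combined log format, the sample lines and the 203.0.113.0/24 addresses are constructed for the example. The user-agent string reports the same version an attacker-controlled page would see, can be spoofed, and says nothing about whether Lockdown Mode was enabled, so a hit means "exposed", not "compromised".

```python
import re
from typing import Iterable, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# Range the article reports for the Coruna chains: iOS 13.0 through 17.2.1, inclusive.
MIN_AFFECTED: Version = (13, 0, 0)
MAX_AFFECTED: Version = (17, 2, 1)

# Mobile Safari on iPhone reports "CPU iPhone OS 17_2_1 like Mac OS X". Note that
# iPadOS 13+ sends a macOS-style user agent by default, so iPads are not matched here.
_IOS_UA_RE = re.compile(
    r"\b(?:iPhone|iPod|iPad)\b.*?\bOS (\d+)_(\d+)(?:_(\d+))? like Mac OS X"
)

# Apache/nginx combined log format; only the client address and user agent are used.
_LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"'
)


def parse_ios_version(user_agent: str) -> Optional[Version]:
    """Return (major, minor, patch) from an iOS Safari user agent, or None if not iOS."""
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_affected_range(version: Version) -> bool:
    """True if the version lies within the range the kit's chains cover.

    Tuples compare component by component as integers, so 17.2.1 < 17.3.0 and
    16.7.10 > 16.7.9; comparing the dotted strings would order "16.7.10" before
    "16.7.9" and is a common bug in this kind of check.
    """
    return MIN_AFFECTED <= version <= MAX_AFFECTED


def triage_log(lines: Iterable[str]) -> Iterator[Tuple[str, Version, bool]]:
    """Yield (client_ip, version, affected) for every iOS client in the log."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ua = m.groups()
        version = parse_ios_version(ua)
        if version is None:
            continue  # desktop browser, iPad in desktop mode, or non-Safari UA
        yield ip, version, in_affected_range(version)


def affected_clients(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated client addresses that reported an affected iOS version."""
    return sorted({ip for ip, _, affected in triage_log(lines) if affected})


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS {v} like Mac OS X) AppleWebKit/605.1.15 "
       "(KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1")
_LINE = '{ip} - - [12/Dec/2025:10:01:{s:02d} +0000] "GET / HTTP/1.1" 200 5123 "-" "{ua}"'
SAMPLE_LOG = [
    _LINE.format(ip="203.0.113.10", s=2, ua=_UA.format(v="17_2_1")),    # last affected version
    _LINE.format(ip="203.0.113.11", s=5, ua=_UA.format(v="17_3")),      # patched in 17.3
    _LINE.format(ip="203.0.113.12", s=9, ua=_UA.format(v="12_5_7")),    # older than 13.0
    _LINE.format(ip="203.0.113.13", s=12, ua=_UA.format(v="16_7_10")),  # in range; two-digit patch
    _LINE.format(ip="203.0.113.14", s=15,
                 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),  # not iOS
]

if __name__ == "__main__":
    for ip, version, affected in triage_log(SAMPLE_LOG):
        print(ip, ".".join(map(str, version)), "AFFECTED" if affected else "ok")
    print("affected clients:", affected_clients(SAMPLE_LOG))
```

Run against a real access log (for example, of a site found in the Safe Browsing list) the output is the set of iPhone clients that should be contacted and checked for the implant; clients that fall outside the range are still worth a second look if the log shows them fetching the delivery framework, since a user agent is trivially forged.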
Dropping PlasmaGrid
GTIG's analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid, injected into the 'powerd' iOS root daemon. However, the malware does not have capabilities consistent with a spyware operation.
It downloads from a command-and-control (C2) server additional modules that target cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The targeted data includes wallet recovery phrases (BIP39), sensitive text strings such as "backup phrase" and "bank account," and data stored in Apple Memos.
The stolen data is encrypted with AES prior to exfiltration and sent to hardcoded C2 addresses. For takedown resilience, the implant also includes a domain generation algorithm (DGA) seeded with the string "lazarus" that produces .xyz domains.
Google has added all websites and domains identified while analyzing the Coruna exploit kit to Safe Browsing, and recommends that iOS users upgrade to the latest version. If updating is not possible, the advice is to enable Lockdown Mode, which the delivery framework checks for before attempting exploitation.
Apart from the vulnerabilities included in the Coruna exploit kit and their codenames, GTIG's report also includes indicators of compromise for the implant and modules delivered via the cryptocurrency-related websites, and for the attack infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/Coruna-iOS-Exploit-Kit-A-Sophisticated-Spyware-Grade-Attack-Vector-Used-in-Crypto-Theft-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/spyware-grade-coruna-ios-exploit-kit-now-used-in-crypto-theft-attacks/
https://www.techspot.com/news/111554-leaked-government-grade-iphone-hacking-tools-now-used.html
https://cybernews.com/security/hackers-abusing-government-grade-iphone-exploit-kit/
Published: Wed Mar 4 13:41:14 2026 by llama3.2 3B Q4_K_M