Coruna iOS Exploit Kit: Nation-State Spyware Tools Now Targeting Crypto Wallet Users

A powerful iOS exploit kit named “Coruna” has transitioned from elite surveillance operations to financially motivated cryptocurrency theft, signaling a dangerous shift in the mobile threat landscape.

From Spyware Vendor to Cybercriminal Hands

Google Threat Intelligence Group (GTIG) has disclosed details on a previously undocumented iOS exploit kit containing 23 exploits and five full exploit chains targeting iOS versions 13.0 through 17.2.1.

GTIG first observed Coruna in February 2025, when a customer of a surveillance vendor was using it in highly targeted operations. By summer, Russian-attributed threat actor UNC6353 deployed it in watering hole attacks against Ukrainian users visiting compromised ecommerce and local services websites.

By late 2025, the exploit kit appeared on fake Chinese gambling and cryptocurrency websites operated by financially motivated threat actor UNC6691—demonstrating the rapid proliferation of what was once reserved for nation-state espionage.

Technical Sophistication

The Coruna kit demonstrates exceptional technical capabilities:

  • WebKit remote code execution exploits
  • Pointer Authentication Code (PAC) bypasses
  • Sandbox escapes
  • Kernel privilege escalation
  • PPL (Page Protection Layer) bypasses

GTIG notes that “the exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses.”

Notably, some exploits reuse vulnerabilities first identified during Kaspersky’s 2023 Operation Triangulation investigation, which exposed undocumented hardware features being exploited in Apple devices.

Crypto-Targeting Payload

The financially motivated campaign delivers PlasmaGrid—a stager loader injected into the iOS ‘powerd’ root daemon. Rather than traditional spyware capabilities, PlasmaGrid downloads modules specifically targeting cryptocurrency wallets:

  • MetaMask
  • Phantom
  • Exodus
  • BitKeep
  • Uniswap

The malware harvests wallet recovery phrases (BIP39), sensitive strings like “backup phrase” and “bank account,” and data from Apple Memos. Stolen information is AES-encrypted before exfiltration to hardcoded C2 addresses.

For takedown resilience, the implant includes a domain generation algorithm (DGA) seeded with the string “lazarus” that produces .xyz domains.

Evasion Techniques

The exploit framework fingerprints the device and OS version to select the appropriate exploit chain. Importantly, if Lockdown Mode or private browsing is active, the framework aborts—making Apple’s anti-spyware protection effective against this threat.
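The two facts above that matter most to a defender are the affected version range (iOS 13.0 through 17.2.1) and the framework's abort when Lockdown Mode is on. The following fleet-triage helper is an added example, not code from GTIG or BleepingComputer: it takes a constructed MDM-style inventory (the row format and device ids are assumptions), parses each iOS version into a comparable tuple, and sorts devices into exposed, mitigated, patched or legacy buckets so an update campaign can start with the devices that are in range and have Lockdown Mode off. Private browsing is not modelled because it is a per-session browser state rather than an inventory attribute.

```python
"""Fleet triage for the reported Coruna version range (added example).

Assumptions not taken from the GTIG report: the inventory row format below
(constructed for this example) and the rule that any build newer than
17.2.1 is treated as outside the reported range.
"""

# Affected range as reported by GTIG: iOS 13.0 through 17.2.1 inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2' or '17.2.1' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_coruna_range(version: str) -> bool:
    """True if the build falls inside the range the kit's chains target."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage_device(device: dict) -> str:
    """Classify one inventory row.

    Returns one of:
      'patched'   - newer than 17.2.1, not covered by the reported chains
      'mitigated' - in range, but Lockdown Mode is on (framework aborts)
      'exposed'   - in range with Lockdown Mode off: update these first
      'legacy'    - older than 13.0, outside the reported range (still
                    unsupported by Apple, so not treated as safe)
    """
    version = parse_ios_version(device["ios"])
    if version > AFFECTED_MAX:
        return "patched"
    if version < AFFECTED_MIN:
        return "legacy"
    return "mitigated" if device.get("lockdown_mode") else "exposed"


def triage_fleet(devices: list[dict]) -> dict[str, list[str]]:
    """Group device ids by triage status; 'exposed' is listed first."""
    groups: dict[str, list[str]] = {
        "exposed": [], "mitigated": [], "patched": [], "legacy": [],
    }
    for device in devices:
        groups[triage_device(device)].append(device["id"])
    return groups


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_FLEET = [
    {"id": "ipad-0001", "ios": "17.2.1", "lockdown_mode": False},
    {"id": "iphone-0002", "ios": "17.3", "lockdown_mode": False},
    {"id": "iphone-0003", "ios": "16.7.2", "lockdown_mode": True},
    {"id": "iphone-0004", "ios": "13.0", "lockdown_mode": False},
    {"id": "iphone-0005", "ios": "12.5.7", "lockdown_mode": False},
]

if __name__ == "__main__":
    for status, ids in triage_fleet(SAMPLE_FLEET).items():
        print(f"{status:10s} {len(ids):2d}  {', '.join(ids)}")
```

The comparison is done on integer tuples rather than strings so that 17.10 would sort after 17.2 correctly; a two-component version such as 17.2 is padded to 17.2.0. The 'mitigated' bucket is deliberately kept separate from 'patched': Lockdown Mode stops this particular framework, but those devices still need the update.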

Why It Matters

Mobile security firm iVerify describes Coruna as “one of the clearest examples to date” of sophisticated spyware-grade capabilities migrating from commercial surveillance vendors to nation-state actors and ultimately to mass-scale criminal operations.

This reinforces that tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users. The “second-hand” market for zero-day exploits appears active and profitable.

Defensive Recommendations

  • Update iOS devices to the latest version immediately
  • Enable Lockdown Mode if updating is not possible
  • Be cautious of gambling and cryptocurrency-related websites
  • Use hardware wallets for significant cryptocurrency holdings
  • Never enter recovery phrases on mobile devices

Google has added all identified domains and websites to Safe Browsing. Full indicators of compromise are available in GTIG’s report.

Source: BleepingComputer