Security researchers have uncovered a previously undocumented iOS exploit toolkit called Coruna that has been used by multiple threat actors in espionage operations and financially motivated cyberattacks.
The exploit kit contains 23 different exploits organized into five complete exploit chains targeting iOS versions 13.0 through 17.2.1, which Apple released in December 2023. Some of the exploits are highly sophisticated and rely on techniques and security bypass methods that were not publicly known.
Researchers from Google Threat Intelligence Group first observed activity linked to the Coruna exploit kit in February 2025. At that time, the toolkit appeared to be used by a customer of a commercial surveillance vendor. Investigators recovered part of the attack infrastructure, including a JavaScript delivery framework and an exploit targeting CVE-2024-23222, a WebKit vulnerability that allowed remote code execution on iPhones running iOS 17.2.1.
Apple had already fixed this flaw in iOS 17.3, released on January 22, 2024, after discovering that it was being exploited in zero-day attacks.
Later in the summer of 2025, the same delivery framework appeared again in watering hole attacks carried out by suspected Russian cyber spies tracked as UNC6353. In those attacks, hackers compromised Ukrainian websites related to e-commerce, industrial equipment, retail tools, and local services. When iPhone users visited these infected sites, the exploit kit attempted to attack their devices.

By the end of 2025, the Coruna toolkit had also been found on fake Chinese gambling and cryptocurrency websites. Google researchers attribute that campaign to a financially motivated Chinese threat actor tracked as UNC6691.
After obtaining the full exploit kit in late 2025, Google analysts discovered that Coruna includes multiple advanced exploitation components. These include WebKit remote code execution exploits, Pointer Authentication Code bypasses, sandbox escape techniques, kernel privilege escalation exploits, and bypasses for Apple’s Page Protection Layer security feature.
The researchers noted that the code includes extensive documentation written in fluent English, with comments and explanations that suggest it was created by experienced exploit developers. Some of the vulnerabilities used in Coruna were previously identified during Operation Triangulation, a sophisticated iPhone espionage campaign discovered by Kaspersky in 2023 that relied on undocumented hardware features in Apple devices.
Coruna also performs fingerprinting on the target device to determine the exact iOS version and configuration before selecting the most appropriate exploit chain. If Apple’s Lockdown Mode security feature is enabled or if the device is using private browsing mode, the exploit framework stops the attack.
Once an exploit chain succeeds, the attackers deploy a loader component known as PlasmaLoader, tracked by researchers as PlasmaGrid. This loader is injected into the powerd root daemon on iOS devices.
Unlike traditional spyware, the malware focuses primarily on stealing cryptocurrency-related data. It downloads additional modules from command and control servers that specifically target popular crypto wallet applications, including MetaMask, Phantom, Exodus, BitKeep, and Uniswap.
The attackers delivered the exploit kit through fake financial and cryptocurrency-themed websites. Visitors were often encouraged to open the pages using iPhones, allowing the exploit kit to attempt infection.
The malware searches for sensitive information such as wallet recovery phrases, also known as BIP39 seed phrases, along with other sensitive text strings like “backup phrase” and “bank account.” It also attempts to collect information stored in Apple Notes.
Any stolen data is encrypted with AES before being sent to attacker-controlled servers. To make the infrastructure more resilient, the malware also includes a domain generation algorithm that creates .xyz domains based on the seed word “lazarus.”
Researchers were unable to determine exactly how the Coruna exploit kit moved from surveillance operations to financially motivated cybercrime. However, Google believes the case suggests an emerging market where second-hand zero-day exploits are sold or reused by different threat actors.
Commercial surveillance vendors typically restrict access to their exploit tools and sell them to government clients for targeted intelligence operations. Apple has previously stated that such attacks are usually aimed at a small number of high-value individuals.
However, mobile security company iVerify warns that Coruna represents a clear example of advanced spyware-level technology spreading beyond government surveillance. According to the company, tools once used to target high-profile political figures are now increasingly being used against regular iPhone users.
Google has added the malicious websites associated with the Coruna exploit kit to its Safe Browsing system and recommends that iPhone users install the latest iOS updates. For devices that cannot be updated, enabling Lockdown Mode is advised to reduce the risk of exploitation.