Coruna iOS Exploit Kit Pivots From Spyware to Crypto Theft

By alex2404

A previously undocumented iOS exploit kit called Coruna has moved beyond targeted espionage and into cryptocurrency theft, with researchers at Google Threat Intelligence Group (GTIG) documenting its deployment by multiple distinct threat actors across more than a year of activity.

The kit contains 23 individual exploits bundled into five full exploit chains, covering iOS versions 13.0 through 17.2.1. Its most advanced chains use non-public techniques and mitigation bypasses, with documentation written in native English, suggesting a well-resourced development team.

How Coruna Works

Coruna fingerprints the target device and OS version before selecting the appropriate exploit chain. If the device has Lockdown Mode or private browsing enabled, the framework stops entirely. The capabilities span WebKit remote code execution, Pointer Authentication Code (PAC) bypasses, sandbox escapes, kernel privilege escalation, and Page Protection Layer (PPL) bypasses.

Some exploits reuse vulnerabilities first identified during Operation Triangulation, the espionage campaign uncovered by Kaspersky in June 2023 that abused undocumented hardware features inside Apple devices.

The initial JavaScript delivery framework was paired with an exploit for CVE-2024-23222, a WebKit vulnerability enabling remote code execution on iOS 17.2.1. Apple patched the flaw in iOS 17.3 on January 22, 2024.

Three Distinct Waves of Deployment

GTIG first observed Coruna in February 2025, in activity linked to a surveillance vendor customer. That summer, suspected Russian cyberspies tracked as UNC6353 deployed the same obfuscated framework in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites covering e-commerce, industrial equipment, retail tools, and local services.

By late 2025, the kit appeared on fake Chinese gambling and cryptocurrency websites. GTIG attributes that wave to UNC6691, a financially motivated Chinese threat actor.

PlasmaGrid and Crypto Wallet Targeting

After a successful exploit chain, Coruna delivers a stager loader GTIG calls PlasmaGrid, injected into the powerd iOS root daemon. Unlike the earlier spyware deployments, this payload is built for financial theft. It downloads modules that specifically target cryptocurrency wallet applications including MetaMask, Phantom, Exodus, BitKeep, and Uniswap.

The stolen data includes wallet recovery phrases (BIP39), text strings such as “backup phrase” and “bank account,” and data stored in Apple Memos. All exfiltrated data is encrypted with AES before transmission to hardcoded command-and-control addresses.

For resilience against takedowns, PlasmaGrid includes a domain generation algorithm seeded with the string “lazarus” that produces .xyz domains as fallback infrastructure.
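A defender-side detection heuristic for the fallback behaviour described above, written as an added example that is not from the original article or from GTIG's analysis. PlasmaGrid's real DGA is not documented here, so the resolver log lines, the entropy threshold and the hit threshold are constructed assumptions; the check flags clients making repeated failed lookups of random-looking .xyz second-level domains, which is what algorithmically generated fallback domains look like in DNS telemetry before the operator registers one.

```python
"""Flag clients whose DNS traffic resembles DGA fallback beaconing to .xyz
domains. Constructed example; it does not reproduce PlasmaGrid's algorithm."""
import math
from collections import defaultdict

# Constructed resolver log lines: timestamp, client, query name, rcode.
SAMPLE_LOG = """\
2025-11-03T10:00:01 10.0.0.7 www.apple.com NOERROR
2025-11-03T10:00:02 10.0.0.7 qx7k2mzp9hd.xyz NXDOMAIN
2025-11-03T10:00:02 10.0.0.7 a83hvkwq1tz.xyz NXDOMAIN
2025-11-03T10:00:03 10.0.0.7 mz0xq8vkd2r.xyz NXDOMAIN
2025-11-03T10:00:03 10.0.0.7 t9pwk3zhx5q.xyz NXDOMAIN
2025-11-03T10:00:04 10.0.0.7 k2vq7mxz8pd.xyz NXDOMAIN
2025-11-03T10:00:05 10.0.0.9 shop.example.xyz NOERROR
2025-11-03T10:00:06 10.0.0.9 blog.example.xyz NXDOMAIN
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random DGA labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode

def is_dga_like(qname: str, rcode: str, min_entropy: float = 3.0) -> bool:
    """Heuristic: failed lookup of a bare .xyz second-level label that is
    long and high-entropy. Thresholds are assumptions, tune per environment."""
    parts = qname.split(".")
    if len(parts) != 2 or parts[1] != "xyz" or rcode != "NXDOMAIN":
        return False
    label = parts[0]
    return len(label) >= 8 and shannon_entropy(label) >= min_entropy

def flag_clients(log_text: str, threshold: int = 3) -> dict:
    """Return {client: hit_count} for clients at or above the hit threshold."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        if is_dga_like(qname, rcode):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= threshold}
```

Registered fallback domains resolve normally, so pair this NXDOMAIN burst check with a sinkhole or passive-DNS lookup of any newly resolving .xyz label from the same client.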

A Market for Second-Hand Zero-Days

GTIG could not establish exactly how Coruna migrated from a tightly controlled surveillance product to a tool in financially motivated attacks. “How this proliferation occurred is unclear, but suggests an active market for ‘second-hand’ zero-day exploits,” the researchers noted.

Surveillance vendors typically restrict access to exploit kits like Coruna, supplying them only to government customers for narrow, high-value operations. Apple has consistently maintained that such exploits target a limited set of individuals. The Coruna case complicates that framing: a kit built for state-grade espionage is now draining crypto wallets at scale.

Mobile security firm iVerify described Coruna as one of the clearest examples to date of sophisticated spyware-grade tooling crossing over into commercial cybercrime.


This article is a curated summary based on third-party sources.
