
Coruna Exploit Kit Targets Older iPhones in Multi-Stage Attack

Summary

– A sophisticated exploit kit named Coruna, containing 5 exploit chains and 23 vulnerabilities, has been uncovered targeting iPhones running iOS 13.0 through 17.2.1.
– The toolkit was first linked to a commercial surveillance vendor and later used in targeted attacks against Ukrainians by a suspected Russian espionage group, before being adopted by a financially motivated Chinese actor.
– It is delivered via malicious websites that silently profile a visitor’s device and then select and deploy the appropriate exploit chain to bypass Apple’s security protections.
– Once installed, the malware focuses on stealing financial data by scanning for QR codes and cryptocurrency wallet recovery phrases, which it sends to attacker servers.
– The exploit kit is ineffective against the latest iOS versions, and Google recommends users update their devices or enable Lockdown Mode for protection.

Cybersecurity experts have identified a highly advanced exploit framework, now known as the Coruna toolkit, which poses a significant threat to iPhones running older versions of iOS. This sophisticated collection of exploits specifically targets devices running iOS 13.0 through 17.2.1, employing a multi-stage process to infiltrate phones and steal sensitive financial information. The discovery by Google’s Threat Intelligence Group reveals a toolkit containing five complete exploit chains and leveraging twenty-three distinct vulnerabilities, marking it as one of the most extensive sets of iOS exploits ever seen in active use.

The toolkit first emerged in early 2025, initially connected to a client of a commercial surveillance provider. Its use later expanded, with investigators tracing it to highly focused attacks against individuals in Ukraine. These operations were linked to a suspected Russian cyber-espionage unit identified as UNC6353. By the latter part of 2025, the same exploit framework was deployed in wider campaigns by a different group, a financially motivated actor from China tracked as UNC6691. This group distributed the exploits through deceptive websites mimicking legitimate financial and cryptocurrency platforms, tricking users into visiting these pages with their iPhones.

These fraudulent sites contained a hidden frame that would silently deliver the exploit kit as soon as an iOS device loaded the page. During this investigation phase, researchers collected hundreds of samples of the malicious toolkit. The framework is meticulously engineered, beginning with a device profiling step. It analyzes the visitor’s iPhone to determine the exact model and iOS version, then automatically selects the most suitable exploit chain from its arsenal. This approach allows it to target a broad spectrum of Apple devices and system versions, chaining multiple vulnerabilities together to achieve deeper access into the device’s operating system.

Key characteristics of the Coruna exploit kit include advanced device fingerprinting to identify specific iPhone models and software versions, the automatic selection of compatible WebKit vulnerabilities, and techniques crafted to bypass Apple’s built-in security protections like pointer authentication. The toolkit also uses custom encryption and compression methods to deliver its payloads discreetly. Following a successful browser exploit, a specialized binary loader is deployed to execute the final stage of the attack.

Once the exploit chain runs its course, a loader called PlasmaLoader installs itself within a system process on the compromised device. Unlike many surveillance tools, this payload is narrowly focused on financial data theft. It actively scans the device’s stored images for QR codes and combs through text files searching for cryptocurrency wallet recovery phrases or keywords such as “bank account” or “backup phrase.” Any discovered information is then exfiltrated to servers controlled by the attackers.

Google has confirmed that the exploit kit is not effective against the most recent iOS versions. The company has proactively added associated malicious domains to its Safe Browsing service to help protect users. The primary recommendation for all iPhone users is to update their devices to the newest available software release immediately. For devices where an immediate update is not possible, enabling Lockdown Mode provides an additional layer of security against such sophisticated threats.
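The practical question for anyone managing a fleet of iPhones is which devices fall inside the iOS 13.0 through 17.2.1 range the article gives, and what to do with each. The script below is an added example, not code from the article or from Google's Threat Intelligence Group: it parses a constructed inventory file of device IDs and iOS versions, classifies each device against that range, and emits the article's guidance (update now, or enable Lockdown Mode where an update is not immediately possible). The inventory format, the device IDs and the output labels are assumptions of this example; only the version bounds come from the article.

```python
"""Triage an iOS device inventory against the Coruna exploit kit's stated
target range (iOS 13.0 through 17.2.1) and recommend an action per device.

Added example; not code from the article or from Google TIG. The inventory
lines are constructed sample data. The range bounds come from the article;
the CSV format, state labels and recommendation strings are assumptions.
"""
from typing import Dict, Tuple

AFFECTED_MIN = (13, 0, 0)   # lowest iOS version the article says is targeted
AFFECTED_MAX = (17, 2, 1)   # highest iOS version the article says is targeted


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise '17.2', '17.2.1' or '13' to a 3-tuple for numeric comparison.

    Plain string comparison would sort '17.10' before '17.2', so each
    component is compared as an integer and missing components are zero.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """'in_range' if the kit's chains cover this version, 'above_range' if
    newer than 17.2.1, 'below_range' if older than 13.0 (outside the stated
    range, but still an unsupported release)."""
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "below_range"
    if v > AFFECTED_MAX:
        return "above_range"
    return "in_range"


def recommend(version: str, can_update: bool) -> str:
    """Mirror the article's guidance: update if possible; if the device
    cannot be updated right away, enable Lockdown Mode. Versions below the
    range still get the update advice, which the article gives to all users."""
    if classify(version) == "above_range":
        return "no action: outside the kit's target range"
    if can_update:
        return "update iOS now"
    return "enable Lockdown Mode until the device can be updated"


def triage(inventory: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'device_id,ios_version,can_update' lines into a mapping of
    device id -> (state, recommendation). Malformed lines are reported as
    'unparsed' rather than skipped, so a fleet report cannot hide them."""
    report: Dict[str, Tuple[str, str]] = {}
    for lineno, line in enumerate(inventory.strip().splitlines(), 1):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            report[f"line {lineno}"] = ("unparsed", "expected 3 comma-separated fields")
            continue
        device_id, version, can_update = fields
        try:
            state = classify(version)
            action = recommend(version, can_update.lower() == "yes")
            report[device_id] = (state, action)
        except ValueError as exc:
            report[device_id] = ("unparsed", str(exc))
    return report


# Constructed sample inventory; the device IDs and versions are not real data.
SAMPLE_INVENTORY = """\
ios-001,17.2.1,yes
ios-002,17.3,yes
ios-003,16.5,no
ios-004,13.0,yes
ios-005,12.5.7,yes
ios-006,bogus,yes
"""

if __name__ == "__main__":
    for dev, (state, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: {state:<12} -> {action}")
```

The numeric version comparison matters more than it looks: a naive string sort would place a hypothetical 17.10 inside the range, and an MDM export that records "17.2" for a device on 17.2.0 must still count as affected. A device reported as above the range is only outside this kit's coverage, not certified safe in general.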

(Source: InfoSecurity Magazine)
