
iOS Spyware ‘Coruna’ Powers Financial Crime Wave

Summary

– The “Coruna” iOS exploit kit, containing five exploit chains and 23 exploits, has been used by commercial surveillance, state-linked espionage, and financially motivated hackers over the past year.
– It exploits both known and previously unknown vulnerabilities in WebKit to enable remote code execution and sandbox escapes via ordinary web browsing.
– The kit can target iPhones running iOS versions from 13.0 (2019) through 17.2.1 (2023), but is not effective against the latest iOS version.
– Its final observed use was to deliver a malicious payload via scam websites that steals cryptocurrency wallets and sensitive information from financial apps.
– Researchers believe its proliferation indicates an active market for second-hand zero-day exploits, and advise users to update iOS or use Lockdown Mode for protection.

A sophisticated and dangerous exploit kit targeting Apple’s iOS has been linked to a recent surge in financial crimes. Known as Coruna, this powerful toolkit contains multiple exploit chains capable of compromising iPhones through seemingly ordinary web browsing. Security experts from Google’s Threat Intelligence Group have traced its evolution from a commercial surveillance tool to a weapon used in state-sponsored espionage, and now, to a primary instrument for financially motivated hackers stealing cryptocurrency and sensitive data.

The kit incorporates five complete iOS exploit chains and a total of 23 individual exploits. These leverage a mix of publicly documented vulnerabilities and previously unknown flaws, many targeting the WebKit browser engine to achieve remote code execution and escape the device’s security sandbox. Key vulnerabilities exploited include CVE-2024-23222, CVE-2022-48503, and several others linked to the high-profile Operation Triangulation campaign discovered in 2023. While most of these security holes have since been patched by Apple, their consolidation into a single, weaponized package represents a significant threat.

Coruna demonstrates capability against iPhone models running iOS versions from 13.0 through 17.2.1, covering devices released over a several-year period. Researchers first observed its use in early 2025 by a surveillance vendor’s client. By mid-2025, a suspected Russian espionage group was deploying it in watering hole attacks against Ukrainian websites. The most recent and financially damaging activity occurred in late 2025, when cybercriminals used fake Chinese gambling and cryptocurrency platforms to distribute the kit.

A critical breakthrough came when threat actors accidentally deployed a debug version of the kit, revealing its internal codename and the names of its components. Analysts retrieved the complete, obfuscated package and the malicious payload it delivers. This payload, a stager binary, is designed to scan a device for cryptocurrency wallet recovery phrases, bank account information, and QR codes stored in images. It can then activate additional modules to steal directly from popular wallet apps like Metamask and BitKeep.

The technical sophistication of Coruna is notable. The exploits include extensive documentation written in native English and utilize non-public exploitation techniques and mitigation bypasses. This points to a highly skilled, likely well-resourced development team. The kit’s journey through different hands, from spies to criminals, highlights an active underground market for “second-hand” zero-day exploits, where powerful digital weapons are traded and repurposed.

Security guidance is clear: users must update their iPhones to the latest version of iOS, as Coruna is not effective against current software. For devices that cannot be upgraded, enabling Lockdown Mode or using private browsing sessions can neutralize the threat, because the kit’s code includes checks that stop it from executing under these specific defensive configurations.

Independent analysis from other security firms confirms the broad risk. Unlike targeted spyware, this campaign represents a shift toward large-scale, opportunistic attacks against everyday users. Visiting a compromised website with a vulnerable iOS version was enough to trigger an infection. Researchers have also noted technical similarities between Coruna’s code and frameworks historically associated with threat actors linked to the U.S. government, adding another layer of complexity to its origins.

The proliferation of such a comprehensive exploit kit underscores the persistent danger of unpatched vulnerabilities and the fluid nature of cyber threats as tools migrate between different actors with varying motives.

(Source: HelpNet Security)
