A sophisticated iOS exploit toolkit known as Coruna has been identified as a key component behind a growing wave of cyberattacks targeting Apple devices worldwide. Security researchers from Google Threat Intelligence Group (GTIG) and mobile security firm iVerify independently analyzed the toolkit and discovered that it contains multiple exploit chains capable of compromising iPhones running older versions of Apple’s operating system.
Researchers Discover Powerful iOS Exploit Framework
According to the investigations, Coruna is a highly advanced exploit kit containing 23 separate vulnerabilities organized into five exploit chains. These chains specifically target iOS versions 13 through 17.2.1, allowing attackers to bypass security defenses and potentially gain full control of affected devices.
GTIG first detected suspicious activity linked to the toolkit in February 2025. After uncovering the complete codebase, researchers found internal references identifying the framework as Coruna. Around the same time, iVerify independently discovered the same exploit infrastructure and conducted its own detailed technical examination.
Both research teams concluded that Coruna represents nation-state-level cyber capability, originally designed for espionage operations but now increasingly used in financially motivated attacks.
From State-Sponsored Espionage to Criminal Campaigns
Initial analysis suggests the exploit kit was first deployed by a suspected Russian state-backed threat group known as UNC6353, which targeted Ukrainian users through carefully crafted “watering hole” attacks. These attacks typically involve compromising websites that specific targets are likely to visit, allowing malware to be delivered automatically.
Later investigations revealed that the same toolkit began appearing in campaigns attributed to UNC6691, a cybercriminal group believed to be operating from China. Unlike earlier espionage activity, these campaigns focus primarily on financial theft, particularly targeting cryptocurrency wallets.
Security experts say the shift illustrates how advanced cyber tools originally developed for intelligence operations can eventually spread to broader criminal ecosystems.
How the Attack Works
The attack infrastructure often relies on fake cryptocurrency-related websites designed to attract potential victims. In one example identified by researchers, a fraudulent site impersonating the WEEX cryptocurrency exchange encourages visitors to access the platform using an iPhone or iPad.
Once an iOS device loads the page, a hidden iframe automatically delivers the exploit kit and starts the attack sequence.
One exploit chain discovered by iVerify includes:
- A remote code execution (RCE) vulnerability in the Safari browser
- A local privilege escalation (LPE) exploit that grants attackers deeper system access
This combination enables threat actors to fully compromise the targeted device and potentially extract sensitive data or cryptocurrency wallet credentials.
Lockdown Mode and Updates Can Stop the Threat
Despite its sophistication, Coruna does not work against the latest Apple security updates. Security researchers emphasize that updating devices to iOS 17.3 or later effectively blocks the exploit kit.
Another important defense mechanism is Apple’s Lockdown Mode, a high-security setting designed to protect users from advanced targeted attacks. During its analysis, GTIG discovered that the exploit framework automatically aborts if Lockdown Mode is enabled or if the user is browsing in private mode, indicating that the attackers deliberately avoid environments with stronger protections.
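The version window and the Lockdown Mode behaviour above translate directly into a fleet triage check. The following is an added example, not code from GTIG, iVerify or Apple: it assumes an MDM export of device rows carrying an iOS version string and a Lockdown Mode flag, and the inventory it uses is constructed for illustration.

```python
"""Fleet triage for the Coruna exposure window: iOS 13 through 17.2.1.

Added example, not the researchers' code. Device rows are a constructed
stand-in for an MDM export with fields: id, ios (version string), lockdown.
"""
from typing import Dict, List, Tuple

# Bounds reported in the research: iOS 13 up to and including 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)   # iOS 17.3 or later blocks the kit


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.2.1', '17.2' or '17' into a comparable 3-tuple.

    Missing components count as zero, so 17.2 == 17.2.0 and 17.2 < 17.2.1.
    Junk such as '17.x' raises ValueError instead of silently comparing.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(version: str) -> bool:
    """True when the release falls inside the window the chains target."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Bucket devices by what the page says actually stops the kit.

    Lockdown Mode makes the kit abort, so such devices are mitigated, but
    they still run a targeted release and belong on the update list too.
    """
    out: Dict[str, List[str]] = {"update_required": [], "lockdown_mitigated": [],
                                 "patched": [], "outside_reported_range": []}
    for dev in inventory:
        v = parse_ios_version(dev["ios"])
        if v > AFFECTED_MAX:
            out["patched"].append(dev["id"])
        elif v < AFFECTED_MIN:
            out["outside_reported_range"].append(dev["id"])
        elif dev.get("lockdown"):
            out["lockdown_mitigated"].append(dev["id"])
        else:
            out["update_required"].append(dev["id"])
    return out


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    {"id": "ipad-01", "ios": "17.2.1", "lockdown": False},
    {"id": "iphone-02", "ios": "17.3", "lockdown": False},
    {"id": "iphone-03", "ios": "16.7.4", "lockdown": True},
    {"id": "iphone-04", "ios": "12.5.7", "lockdown": False},
    {"id": "iphone-05", "ios": "17.2", "lockdown": False},
]
```

Devices in the "outside_reported_range" bucket are below the window the researchers describe, not confirmed safe, so they should still be reviewed rather than ignored.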
Investigation Continues
Both GTIG and iVerify say their research into Coruna is ongoing. Each organization has released technical indicators of compromise (IOCs) to help cybersecurity professionals detect potential infections and investigate related incidents.
Experts warn that the discovery highlights the increasing sophistication of mobile cyber threats and the importance of keeping devices updated with the latest security patches.