Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks

A previously undocumented set of 23 iOS exploits named “Coruna” has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks.

The Coruna kit contains five full iOS exploit chains, the most sophisticated of them leveraging private techniques and mitigation bypasses, for iOS versions 13.0 through 17.2.1 (released in December 2023).

Google Threat Intelligence Group (GTIG) researchers first observed activity related to the Coruna exploit kit in February 2025, in activity attributed to a surveillance vendor customer.

At the time, researchers obtained the JavaScript delivery framework along with the exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1. Apple had addressed the flaw in iOS 17.3 on January 22, 2024, after it was exploited in zero-day attacks.

The same obfuscated framework was observed again in summer, when suspected Russian cyberspies tracked as UNC6353 deployed it in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites for ecommerce, industrial equipment and retail tools, and local services.

In late 2025, the exploit kit appeared on various fake Chinese gambling and crypto websites. Google attributes the activity to the financially motivated Chinese threat actor UNC6691.

Coruna kit deployment timeline (Source: Google)

Coruna exploit kit capabilities

After obtaining the complete exploit kit in late 2025, GTIG analysts found that it included five full exploit chains using a set of 23 exploits, including:

  • WebKit remote code execution
  • Pointer Authentication Code (PAC) bypasses
  • Sandbox escapes
  • Kernel privilege escalation
  • PPL (Page Protection Layer) bypasses

“The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using private exploitation techniques and mitigation bypasses,” GTIG researchers say.

Some of the exploits reuse vulnerabilities first identified during Operation Triangulation, which was uncovered in June 2023 by Kaspersky after the cybersecurity firm discovered that several iPhones on its network had been compromised.

The company later discovered that the exploits abused undocumented hardware features in Apple’s devices.

According to GTIG researchers, Coruna fingerprints the device and OS version, and then selects the appropriate exploit chain to execute.

If the Lockdown Mode anti-spyware security feature or private browsing is active on the device, the framework stops.

Coruna exploit chain for iOS 15.8.5 (Source: Google)

Dropping PlasmaGrid

GTIG’s analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid, that is injected into the ‘powerd’ iOS root daemon.

However, the malware does not have capabilities consistent with a spyware operation. It downloads from a command-and-control (C2) server additional modules that target cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap.


The threat actor used fake finance and crypto-related websites to deliver the exploit kit, trying to convince visitors to use iOS devices when loading the pages.

The targeted data includes wallet recovery phrases (BIP39), sensitive text strings such as “backup phrase” and “bank account,” and data stored in Apple Notes.

The stolen data is encrypted with AES prior to exfiltration and sent to hardcoded C2 addresses. For takedown resilience, the implant also includes a domain generation algorithm (DGA) seeded with the string “lazarus” that produces .xyz domains.

GTIG could not determine how the Coruna exploit kit moved from serving spyware campaigns linked to a surveillance vendor to financially motivated malicious activity aimed at cryptocurrency users.

“How this proliferation occurred is unclear, but suggests an active market for ‘second-hand’ zero-day exploits,” GTIG notes in the report.

Surveillance vendors keep exploit kits like Coruna under strict restricted access and use them in products for government customers running highly targeted operations. Apple has always claimed that such security issues were leveraged in limited attacks aimed at high-value individuals.

Mobile security company iVerify says that Coruna is one of the clearest examples to date of “sophisticated spyware-grade capabilities” that migrated “from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations.”

This reinforces iVerify’s long-standing belief that the mobile threat landscape is evolving rapidly, “and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users.”

Google has added to Safe Browsing all websites and domains identified while analyzing the Coruna exploit kit, and recommends that iOS users upgrade to the latest version. If updating is not possible, the advice is to enable Lockdown Mode.

Apart from the vulnerabilities included in the Coruna exploit kit and their codenames, GTIG’s report also includes indicators of compromise for the implant and modules delivered via the cryptocurrency-related websites, and attack infrastructure.
