Google’s Threat Intelligence Group (GTIG) recently uncovered a sophisticated iOS exploit kit known as Coruna, which has compromised numerous iPhones. The Coruna kit, containing 23 vulnerabilities, affected devices running iOS versions from 13.0 to 17.2.1 throughout 2025.
Understanding the Coruna Exploit Kit
Coruna is a modular attack framework targeting various Apple iPhone models. It was discovered by GTIG when an error by a threat actor revealed the kit’s identity through a debug version. The exploit kit includes advanced components and uses non-public techniques, indicating that it might be of nation-state-level sophistication.
The kit’s documentation is extensively detailed in English, showcasing its complexity. It leverages unique exploitation methods and mitigation bypasses, making it a significant threat to iOS devices.
Tracking Coruna’s Development
Throughout 2025, GTIG observed Coruna being utilized across three distinct threat actor ecosystems. Initially, in February, it was linked to a commercial surveillance customer, employing a unique JavaScript framework to target specific iPhone models with a WebKit remote code execution exploit.
By summer, the same framework was found on compromised Ukrainian websites, used by Russian espionage group UNC6353. The exploits were delivered selectively based on geolocation. Later in the year, Chinese financial fraud group UNC6691 used the complete kit on fake financial websites aimed at iOS users.
Exploits and Mitigation Strategies
The Coruna kit includes five full exploit chains involving WebKit RCE, PAC bypasses, and more. Notable vulnerabilities targeted include CVEs like CVE-2021-30952 and CVE-2023-43000. Two exploits, Photon and Gallium, were previously used in a 2023 iOS espionage campaign.
A payload called PlasmaLoader is deployed at the end of the exploit chain, targeting cryptocurrency wallet apps and scanning Apple Notes for sensitive information. The code is written in Chinese, suggesting involvement of Chinese developers. Communication is encrypted, with fallback .xyz domains generated via a Domain Generation Algorithm.
GTIG has blocked related domains on Google Safe Browsing. Users are advised to update to the latest iOS version, enable Lockdown Mode if unable to update, and avoid suspicious financial sites. Monitoring for unusual network requests can help detect potential threats.
For ongoing cybersecurity updates, follow us on Google News, LinkedIn, and X, and contact us if you have stories to share.
