Recent investigations have uncovered a sophisticated exploit kit targeting iOS devices, known as ‘Coruna’. Initially developed for state-sponsored activities, this kit has now been repurposed for widespread cyber attacks, affecting users globally.
Discovery of Coruna
Both Google Threat Intelligence Group (GTIG) and iVerify have conducted separate analyses of this iOS threat. GTIG first identified the threat in February 2025, later revealing the kit’s name as Coruna. Independently, iVerify discovered the same exploit kit, undertaking weeks of technical analysis to understand its intricacies.
The reports from both entities describe Coruna as comprising 23 exploits across five chains aimed at iOS versions 13 through 17.2.1. GTIG emphasizes the advanced nature of these exploits, which employ undisclosed techniques to bypass security measures, while iVerify notes the unprecedented mass exploitation of iOS devices.
Nation-State and Criminal Use
Initially spotted in use by a commercial surveillance vendor’s client, Coruna has since been deployed in attacks by UNC6353, a suspected Russian espionage group, and later by UNC6691, a financially motivated Chinese gang. This transition reflects its evolution from a surveillance tool to a mechanism for financial theft.
Despite its complexity, the exploit kit is ineffective against newer iOS versions. Users are advised to update to iOS 17.3 or later, or enable Lockdown Mode for enhanced security. GTIG’s analysis revealed that Coruna disengages if it detects Lockdown Mode or private browsing.
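A fleet-triage sketch for the guidance above, added here as an example and not taken from GTIG or iVerify: it classifies devices against the iOS 13 through 17.2.1 range the reports describe. The inventory rows and column names are constructed, and the status labels are hypothetical.

```python
import csv
import io

# Range the reports describe as targeted; the page advises 17.3 or later.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory (hypothetical columns, not a real MDM export).
SAMPLE_INVENTORY = """device_id,ios_version,lockdown_mode
phone-01,17.2.1,off
phone-02,17.3,off
phone-03,16.7.10,on
phone-04,13.0,off
phone-05,12.5.7,off
phone-06,18.1,off
phone-07,unknown,off
"""


def parse_version(text):
    """Return a 3-part integer tuple, or None if the string is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def triage(row):
    """Classify one inventory row against the range given in the reports."""
    version = parse_version(row["ios_version"])
    if version is None:
        return "unknown_version"        # cannot assess; follow up manually
    if version > AFFECTED_MAX:
        return "updated"                # 17.3 or later
    if version < AFFECTED_MIN:
        return "below_reported_range"   # outside the reports' scope, still outdated
    if row["lockdown_mode"].strip().lower() == "on":
        return "in_range_lockdown_on"   # kit reportedly disengages; update anyway
    return "in_range_exposed"


def triage_inventory(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: triage(row) for row in reader}


if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as `in_range_exposed` or `unknown_version` are the ones to prioritise for an update to iOS 17.3 or later.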
Ongoing Threat and Mitigation
Coruna’s current focus is on cryptocurrency theft. Fake websites, such as a mock WEEX crypto exchange, entice users to access the site via iOS devices, which triggers the exploit kit. This method identifies potential crypto wallet owners and delivers the exploit kit through stealthy iframes.
Both GTIG and iVerify continue to investigate the exploit kit, aiming to release further findings. For now, the two reports together offer the most comprehensive understanding of the kit. The ongoing analysis emphasizes the need for vigilance and up-to-date security measures on iOS devices.
This development underscores the necessity for users to remain informed about cybersecurity threats and adopt recommended security practices to safeguard their data.
