Coruna iOS Exploit Kit Targets Thousands of iPhones in 2025 Cyber Attacks

Unveiling Coruna: The Sophisticated iOS Exploit Kit Compromising Thousands of iPhones

In a significant cybersecurity revelation, Google’s Threat Intelligence Group (GTIG) has identified Coruna, an advanced iOS exploit kit responsible for compromising thousands of iPhones throughout 2025. This sophisticated toolkit encompasses 23 exploits across five complete exploit chains, targeting devices running iOS versions from 13.0 to 17.2.1.

Discovery and Characteristics of Coruna

The Coruna exploit kit emerged as a modular and highly advanced attack framework aimed at iPhones running iOS versions released between September 2019 and December 2023. GTIG's discovery was facilitated when a threat actor inadvertently deployed a debug version of the framework, revealing internal code names and the kit's identity.

Notably, Coruna’s exploits are meticulously documented in native English, with its most sophisticated components employing non-public exploitation techniques and mitigation bypasses. These attributes are indicative of nation-state-level tooling, underscoring the kit’s advanced nature.

Evolution Through Three Distinct Phases

GTIG’s analysis traced Coruna’s progression through three distinct threat actor ecosystems over the course of 2025, providing rare insight into how elite exploit kits transition from commercial surveillance vendors to state-sponsored espionage groups and eventually to financially motivated cybercriminals.

1. February 2025 – Commercial Surveillance Deployment:

Initial detection of Coruna occurred when GTIG intercepted parts of an iOS exploit chain delivered via a novel JavaScript framework. This framework employed unique obfuscation techniques and device fingerprinting to identify specific iPhone models and iOS versions. Upon identification, it loaded the appropriate WebKit remote code execution (RCE) exploit, followed by a Pointer Authentication Code (PAC) bypass.

2. Summer 2025 – Russian Espionage Activities (UNC6353):

The identical JavaScript framework was discovered hosted on `cdn.uacounter[.]com`, embedded as a hidden iframe across numerous compromised Ukrainian websites spanning the industrial, retail, and e-commerce sectors. Exploits were delivered selectively, to iPhone users filtered by geolocation. GTIG promptly alerted CERT-UA so the affected websites could be remediated.
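For site owners checking whether their pages carry an injection of this kind, the following is an added example (not GTIG's or CERT-UA's code): it parses a page's HTML and flags any iframe pointing at the delivery host named above, plus any hidden iframe that loads an off-site document. The sample HTML and the site hostname `shop.example` are constructed for the demonstration.

```python
# Added example, not code from the article. Flags iframes that reference the
# Coruna delivery host reported by GTIG, and hidden iframes loading off-site
# content, which is how the framework was embedded in compromised sites.
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DELIVERY_HOSTS = {"cdn.uacounter.com"}   # written defanged in the article


class IframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # A relative src (no hostname) loads from the site itself.
        host = urlparse(src).hostname or self.site_host
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") == "0" or a.get("height") == "0")
        if host in KNOWN_DELIVERY_HOSTS:
            self.findings.append(("known-delivery-host", src))
        elif hidden and host != self.site_host:
            self.findings.append(("hidden-offsite-iframe", src))


def scan_html(html, site_host):
    """Return [(reason, src), ...] for every suspicious iframe in `html`."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page, not a real compromised site.
SAMPLE = """<html><body><h1>Shop</h1>
<iframe src="https://cdn.uacounter.com/x.html" style="display:none;width:0"></iframe>
<iframe src="/help.html" style="display:none"></iframe>
<iframe src="https://other.example/w" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for reason, src in scan_html(SAMPLE, "shop.example"):
        print(reason, src)
```

The same-site hidden iframe (`/help.html`) is deliberately not flagged, so the check can run over a whole site export without drowning in benign hits.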

3. Late 2025 – Chinese Financial Fraud Operations (UNC6691):

The complete Coruna exploit kit was retrieved from an extensive network of fraudulent Chinese financial and cryptocurrency websites designed to lure iOS users. One such fake WEEX crypto exchange site displayed pop-ups specifically urging users to visit via iPhone, indicating a targeted approach.

Comprehensive Exploit Arsenal

Coruna’s arsenal comprises 23 exploits spanning five full exploit chains, facilitating WebKit RCE, PAC bypasses, sandbox escapes, privilege escalation (PE), and Page Protection Layer (PPL) bypasses. Key vulnerabilities targeted include:

– WebContent R/W exploits:
  – Buffout (iOS 13 → 15.1.1): CVE-2021-30952
  – Jacurutu (iOS 15.2 → 15.5): CVE-2022-48503
  – Terrorbird (iOS 16.2 → 16.5.1): CVE-2023-43000
  – Cassowary (iOS 16.6 → 17.2.1): CVE-2024-23222

– Sandbox escape:
  – IronLoader (iOS 16.0 → 16.3.1): CVE-2023-32409

– Privilege escalation:
  – Photon (iOS 14.5 → 15.7.6): CVE-2023-32434

– PPL bypasses:
  – Gallium (iOS 14.x): CVE-2023-38606
  – Sparrow (iOS 17.0 → 17.3): CVE-2024-23225
  – Rocket (iOS 17.1 → 17.4): CVE-2024-23296

Notably, the Photon and Gallium exploits target vulnerabilities previously utilized in Operation Triangulation, an iOS espionage campaign discovered by Kaspersky in 2023.
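To turn the list above into an exposure check for a device fleet, here is an added example (not GTIG's code) that maps an iOS version to the Coruna exploits whose listed ranges cover it, using only the codenames, version ranges and CVEs given in the article. It is meant to run over an MDM inventory export; the device identifiers in the sample are constructed.

```python
# Added example, not code from the article. Ranges and CVEs are those listed
# above; upper bounds are treated as inclusive prefixes ('14.x' = any 14.*).

# (stage, codename, lowest iOS, highest iOS, CVE)
CORUNA_EXPLOITS = [
    ("WebContent R/W", "Buffout", "13.0", "15.1.1", "CVE-2021-30952"),
    ("WebContent R/W", "Jacurutu", "15.2", "15.5", "CVE-2022-48503"),
    ("WebContent R/W", "Terrorbird", "16.2", "16.5.1", "CVE-2023-43000"),
    ("WebContent R/W", "Cassowary", "16.6", "17.2.1", "CVE-2024-23222"),
    ("Sandbox escape", "IronLoader", "16.0", "16.3.1", "CVE-2023-32409"),
    ("Privilege escalation", "Photon", "14.5", "15.7.6", "CVE-2023-32434"),
    ("PPL bypass", "Gallium", "14.0", "14.x", "CVE-2023-38606"),
    ("PPL bypass", "Sparrow", "17.0", "17.3", "CVE-2024-23225"),
    ("PPL bypass", "Rocket", "17.1", "17.4", "CVE-2024-23296"),
]


def parse_version(s):
    """'16.5.1' -> (16, 5, 1); a trailing 'x' ('14.x') is dropped -> (14,)."""
    parts = []
    for p in s.strip().split("."):
        if p.lower() == "x":
            break
        parts.append(int(p))
    return tuple(parts)


def in_range(version, lowest, highest):
    """Inclusive range check; the upper bound is compared as a prefix."""
    v = (parse_version(version) + (0, 0, 0))[:3]
    lo = (parse_version(lowest) + (0, 0, 0))[:3]
    hi = parse_version(highest)
    return lo <= v and v[:len(hi)] <= hi


def exposure(version):
    """[(stage, codename, cve), ...] for every exploit covering `version`."""
    return [(stage, name, cve) for stage, name, lo, hi, cve in CORUNA_EXPLOITS
            if in_range(version, lo, hi)]


def triage_inventory(devices):
    """devices: iterable of (device_id, ios_version). Returns only exposed
    devices, with the chain stages Coruna can reach and the CVEs to cite."""
    report = {}
    for device_id, ios_version in devices:
        hits = exposure(ios_version)
        if hits:
            report[device_id] = {"stages": sorted({h[0] for h in hits}),
                                 "cves": [h[2] for h in hits]}
    return report


if __name__ == "__main__":   # constructed sample inventory, not real devices
    sample = [("ipad-01", "17.2.1"), ("iphone-02", "14.8.1"), ("iphone-03", "18.1")]
    for dev, info in triage_inventory(sample).items():
        print(dev, info)
```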

PlasmaLoader: The Financial Theft Payload

At the culmination of the exploit chain, a stager binary named PlasmaLoader (tracked as PLASMAGRID) injects itself into `powerd`, a root-level iOS daemon, masquerading as `com.apple.assistd`. This payload specifically targets 18 cryptocurrency wallet applications, including MetaMask, BitKeep, and Phantom, by hooking their functions to exfiltrate sensitive data.

Additionally, PlasmaLoader scans Apple Notes for BIP39 seed phrases and for keywords such as "backup phrase" or "bank account". All logging strings and code comments are written in Chinese, with evidence of large-language-model-generated comment structures, strongly indicating development by Chinese-speaking individuals.

Network communication is conducted over HTTPS with an additional layer of AES encryption applied to the data sent to the command-and-control servers.

Implications and Recommendations

The discovery of Coruna underscores the evolving sophistication of exploit kits targeting iOS devices. Its progression from commercial surveillance to state-sponsored espionage and financial fraud highlights the diverse motivations behind such cyber threats.

Recommendations for Users:

– Immediate Software Updates: Ensure all iOS devices are updated to the latest available versions; the Coruna chains cover iOS 13.0 through 17.2.1, so devices still in that range are exposed to the vulnerabilities listed above.

– Vigilance Against Phishing: Exercise caution when accessing financial or cryptocurrency websites, especially those prompting specific device usage.

– Regular Security Audits: Conduct periodic reviews of device security settings and installed applications to detect unauthorized changes.

Recommendations for Organizations:

– Enhanced Monitoring: Implement advanced threat detection systems capable of identifying sophisticated exploit kits like Coruna.

– Employee Training: Educate staff on recognizing and avoiding phishing attempts and suspicious websites.

– Incident Response Planning: Develop and regularly update incident response plans to address potential breaches promptly.

By adopting these measures, both individuals and organizations can bolster their defenses against advanced threats like the Coruna exploit kit, safeguarding sensitive information and maintaining device integrity.