Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks


A previously undocumented set of 23 iOS exploits named “Coruna” has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks.

The Coruna kit contains five full iOS exploit chains, the most sophisticated leveraging non-public techniques and mitigation bypasses, for iOS versions 13.0 through 17.2.1 (released in December 2023).

Google Threat Intelligence Group (GTIG) researchers first observed the Coruna exploit kit in February 2025, in activity attributed to a customer of a surveillance vendor.

At the time, researchers obtained the JavaScript delivery framework along with the exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1. Apple had addressed the flaw in iOS 17.3 on January 22, 2024, after it was exploited in zero-day attacks.

The same obfuscated framework was observed again in summer, when suspected Russian cyberspies tracked as UNC6353 deployed it in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites for ecommerce, industrial equipment and retail tools, and local services.

In late 2025, the exploit kit appeared on various fake Chinese gambling and crypto websites. Google attributes the activity to the financially motivated Chinese threat actor UNC6691.

Coruna kit deployment timeline (Source: Google)

Coruna exploit kit capabilities

After obtaining the complete exploit kit in late 2025, GTIG analysts found that it included five full exploit chains using a set of 23 exploits, including:

  • WebKit remote code execution
  • Pointer Authentication Code (PAC) bypasses
  • Sandbox escapes
  • Kernel privilege escalation
  • PPL (Page Protection Layer) bypasses

“The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses,” GTIG researchers say.

Some of the exploits reuse vulnerabilities first identified during Operation Triangulation, which was uncovered in June 2023 by Kaspersky after the cybersecurity firm discovered that several iPhones on its network had been compromised.

The company later discovered that the exploits abused undocumented hardware features in Apple’s devices.

According to GTIG researchers, Coruna fingerprints the device and OS version, and then selects the appropriate exploit chain to execute.

If the Lockdown Mode anti-spyware protection feature or private browsing is active on the device, the framework stops.

Coruna exploit chain for iOS 15.8.5 (Source: Google)

Dropping PlasmaGrid

GTIG’s analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid. The loader is injected into ‘powerd’, an iOS daemon that runs as root.

However, the malware does not have capabilities consistent with a spyware operation. It downloads from a command-and-control (C2) server additional modules that target cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap.

The threat actor used fake finance and crypto-related websites to deliver the exploit kit by trying to convince visitors to use iOS devices when loading the pages.


The targeted data includes wallet recovery phrases (BIP39), sensitive text strings such as “backup phrase” and “bank account,” and data stored in Apple Memos.

The stolen data is encrypted with AES prior to exfiltration and sent to hardcoded C2 addresses. For takedown resilience, the implant also includes a domain generation algorithm (DGA) seeded with the string “lazarus” that produces .xyz domains.
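The article names only two properties of the implant’s DGA: a fixed seed string (“lazarus”) and a .xyz top-level domain. The actual algorithm is not published here, so the block below is an added illustration, not PlasmaGrid’s code or GTIG’s analysis: it uses a constructed SHA-256-based generator as a stand-in for any seeded DGA, and shows the defender’s side of the same knowledge, precomputing the candidate domains for a date window so resolver logs can be matched exactly, with a simple high-entropy heuristic for .xyz labels that fall outside the window. The hashing scheme, the per-day count, the log format, the threshold and the sample log lines are all assumptions.

```python
"""Illustrative seeded DGA plus a matching DNS-log detector (added example).

The generator is a constructed stand-in that mirrors only the two reported
facts: a fixed seed string and a .xyz TLD. Nothing else here is the implant's.
"""
import datetime as dt
import hashlib
import math
from collections import Counter
from typing import List, Optional, Set, Tuple

SEED = "lazarus"          # seed string reported by GTIG
TLD = ".xyz"              # top-level domain reported by GTIG
ENTROPY_THRESHOLD = 3.0   # assumed tuning value for the heuristic below


def dga_domains(seed: str, day: dt.date, count: int = 5) -> List[str]:
    """Constructed DGA: SHA-256 over seed, ISO date and an index; the first
    12 hex characters become the label. Deterministic for (seed, day)."""
    labels = []
    for idx in range(count):
        material = f"{seed}|{day.isoformat()}|{idx}".encode()
        labels.append(hashlib.sha256(material).hexdigest()[:12] + TLD)
    return labels


def build_blocklist(seed: str, start: dt.date, days: int, per_day: int = 5) -> Set[str]:
    """Defender side: once the algorithm is known, precompute every candidate
    for a window of days so resolver logs can be matched exactly."""
    block: Set[str] = set()
    for offset in range(days):
        block.update(dga_domains(seed, start + dt.timedelta(days=offset), per_day))
    return block


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify_query(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Exact blocklist match first, then a heuristic for unseen .xyz labels."""
    qname = qname.rstrip(".").lower()
    if qname in blocklist:
        return "dga-blocklist-hit"
    label = qname.split(".")[0]
    if qname.endswith(TLD) and len(label) >= 10 and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        return "high-entropy-xyz-label"
    return None


def flag_dns_log(lines: List[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Each line is '<timestamp> <client> <qtype> <qname>' (constructed format).
    Returns (client, qname, reason) for every suspicious query."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        reason = classify_query(parts[3], blocklist)
        if reason:
            hits.append((parts[1], parts[3].rstrip(".").lower(), reason))
    return hits


SAMPLE_DAY = dt.date(2025, 11, 3)  # constructed date for the demo window
SAMPLE_LOG = [  # constructed resolver log lines
    "2025-11-03T10:00:01Z 10.0.0.5 A apple.com.",
    f"2025-11-03T10:00:02Z 10.0.0.5 A {dga_domains(SEED, SAMPLE_DAY)[0]}.",
    "2025-11-03T10:00:03Z 10.0.0.7 A x7q9z2k4f8w1.xyz.",
    "2025-11-03T10:00:04Z 10.0.0.7 A docs.xyz.",
]


def run_demo() -> List[Tuple[str, str, str]]:
    """Build a three-day blocklist around SAMPLE_DAY and scan the sample log."""
    block = build_blocklist(SEED, SAMPLE_DAY, days=3)
    return flag_dns_log(SAMPLE_LOG, block)


if __name__ == "__main__":
    for client, qname, reason in run_demo():
        print(f"{client} -> {qname}: {reason}")
```

Two of the four sample queries are flagged: the generated domain by exact match, and the random-looking .xyz label by entropy; apple.com and the short docs.xyz label pass. The entropy check is deliberately gated on the reported TLD and a minimum label length to keep false positives down; in practice it would be one signal among several rather than a blocking rule on its own.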

GTIG couldn’t determine how the Coruna exploit kit moved from serving spyware campaigns linked to a surveillance vendor to financially motivated malicious activities aimed at cryptocurrency users.

“How this proliferation occurred is unclear, but suggests an active market for ‘second-hand’ zero-day exploits,” GTIG notes in the report.

Surveillance vendors keep exploit kits like Coruna under strict limited access and use them in products for government customers running highly targeted operations. Apple has always claimed that such security issues were leveraged in limited attacks aimed at high-value individuals.

Mobile security company iVerify says that Coruna is one of the clearest examples to date of “sophisticated spyware-grade capabilities” that migrated “from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations.”

This reinforces iVerify’s long-standing belief that the mobile threat landscape is evolving rapidly, “and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users.”

Google has added all websites and domains identified while analyzing the Coruna exploit kit to Safe Browsing, and recommends that iOS users upgrade to the latest version. If updating is not possible, the advice is to enable Lockdown Mode.

Apart from the vulnerabilities included in the Coruna exploit kit and their codenames, GTIG’s report also includes indicators of compromise for the implant and modules delivered via the cryptocurrency-related websites, as well as for the attack infrastructure.
