Coruna Exploit Kit: How a Sophisticated Toolkit Targets Older iPhones

The Coruna Exploit Kit: A New Threat for Older iPhones

Cybersecurity experts at Google have pulled back the curtain on a remarkably advanced piece of malware. Dubbed Coruna, this exploit kit represents one of the most comprehensive collections of iOS vulnerabilities ever seen in active attacks. It’s a toolkit built not for mass infection, but for precise, targeted compromise.

The kit contains five complete exploit chains and leverages 23 distinct vulnerabilities. Its goal is singular: to silently infiltrate Apple iPhones and siphon off sensitive financial information. What makes Coruna particularly concerning is its sophistication. Researchers note it employs several previously unseen exploitation methods and cleverly bypasses Apple’s built-in security mitigations.

From Espionage to Financial Theft: The Kit’s Evolving Use

The story of Coruna’s discovery reads like a cyber-thriller. First spotted in early 2025, its initial use was linked to a customer of a commercial surveillance vendor. The plot thickened later that year when investigators traced the same tools to highly targeted attacks against users in Ukraine. These operations were attributed to a suspected Russian espionage group known as UNC6353.

By late 2025, the toolkit’s purpose had shifted. It reappeared in broader campaigns orchestrated by a financially motivated actor operating from China, tracked as UNC6691. This group distributed the exploits through a network of convincing fake websites. Posing as legitimate financial and cryptocurrency platforms, these sites lured victims into visiting with their iPhones.

The attack was stealthy. A hidden frame on the webpage would silently deliver the exploit kit the moment an iOS device loaded the site. Researchers managed to recover hundreds of samples during this phase, painting a clear picture of the operation’s scale.

How the Coruna Exploit Kit Operates

This isn’t a blunt instrument. The framework surrounding the exploits is highly engineered for efficiency and evasion. It begins with a reconnaissance phase. Before firing a single exploit, the kit first profiles the visitor’s device. It identifies the exact iPhone model and iOS version, like a burglar casing a house.

Only after this fingerprinting does it select the correct, compatible exploit chain from its arsenal. This tailored approach increases its success rate dramatically. The kit’s key technical features include:

• Precise Device Fingerprinting: Identifies specific iPhone models and software versions to choose the right attack path.
• Automatic Vulnerability Selection: Picks the perfect WebKit flaw to exploit based on the device profile.
• Advanced Bypass Techniques: Designed to circumvent Apple security protections like pointer authentication.
• Stealthy Delivery: Uses custom encryption and compression to hide its malicious payloads during delivery.

A final binary loader then deploys the attack’s last stage once the initial browser exploit succeeds, completing the device compromise.

The Ultimate Goal: Stealing Your Financial Data

What happens after the phone is hacked? Unlike many surveillance tools, Coruna’s payload, called PlasmaLoader, has a very specific focus. It installs itself within a system process and goes hunting for money.

The malware scans the device’s stored images, looking for QR codes that might lead to crypto wallets or accounts. It rummages through text files, searching for tell-tale keywords like “backup phrase,” “seed phrase,” or “bank account.” Its objective is to find cryptocurrency wallet recovery phrases—the keys to a digital fortune. Any discovered data is immediately transmitted to servers controlled by the attackers.

Is your device safe? There is a clear line of defense. Google confirms the exploit kit is ineffective against the latest iOS versions. The company has already added related malicious domains to its Safe Browsing protection lists. The advice from experts is straightforward and emphatic: update your device. Installing the newest iOS software is the single most effective action you can take. For devices that can no longer receive updates, enabling Apple’s Lockdown Mode provides a critical layer of additional protection.