WEEX and Apple: Thousands of iPhones Compromised in Massive Hack via Coruna Exploit Kit with 23 Vulnerabilities

Sophisticated "Coruna" iOS Exploit Kit Compromises Thousands of Devices

Security researchers from Google’s Threat Intelligence Group (GTIG) have exposed Coruna, a highly advanced iOS exploit kit targeting devices running iOS 13.0 through 17.2.1. The framework, containing five exploit chains and 23 vulnerabilities, was initially developed by a commercial surveillance vendor in early 2025 before spreading to multiple threat actors.

The kit’s proliferation underscores a thriving secondary market for zero-day exploits. First seen in February 2025 in the hands of a surveillance vendor’s customer, Coruna was later adopted by UNC6353, a suspected Russian espionage group, which deployed it in watering-hole attacks against Ukrainian users through compromised local websites in summer 2025. By late 2025, UNC6691, a financially motivated Chinese threat actor, was running global campaigns that used fake cryptocurrency exchanges, including WEEX, to distribute the exploit kit.

The final payload, PlasmaLoader (PLASMAGRID), is injected into the iOS powerd root daemon and is geared toward financial theft. It scans Apple Memos for BIP39 backup phrases and extracts data from wallets such as MetaMask and Trust Wallet. The malware communicates with its command-and-control (C2) servers over HTTPS, using a Domain Generation Algorithm (DGA) seeded with the string "lazarus" to produce predictable .xyz domains.

Coruna uses JavaScript fingerprinting to profile the visiting device before delivering WebKit remote code execution (RCE) exploits, followed by Pointer Authentication Code (PAC) bypasses and sandbox escapes. Payloads are ChaCha20-encrypted and are decrypted only when specific device conditions are met. Notably, the exploit chain aborts if it detects Apple’s Lockdown Mode or private browsing.

Key vulnerabilities exploited include:

  • CVE-2024-23222 (CVSS 8.8) – WebKit RCE (cassowary)
  • CVE-2023-43000 (High) – WebKit RCE (terrorbird)
  • CVE-2023-32409 (CVSS 8.6) – WebKit Sandbox Escape (IronLoader)

The discovery highlights the rapid weaponization of commercial surveillance tools by state-backed and financially motivated threat actors, with significant implications for iOS security.

Source: https://gbhackers.com/thousands-of-iphones-compromised-in-massive-hack-via-coruna-exploit-kit/

WEEX TPRM report: https://www.rankiteo.com/company/weex-global

Apple TPRM report: https://www.rankiteo.com/company/red-apple-technologies

{
  "id": "weered1772605623",
  "linkid": "weex-global, red-apple-technologies",
  "type": "Cyber Attack",
  "date": "2/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Thousands",
      "location": "Ukraine",
      "name": "Ukrainian users (via compromised local websites)",
      "type": "Individuals / End-users"
    },
    {
      "industry": "FinTech / Cryptocurrency",
      "location": "Global",
      "name": "WEEX (fake cryptocurrency exchange)",
      "type": "Cryptocurrency platform"
    }
  ],
  "attack_vector": [
    "Watering-hole attack",
    "Compromised websites",
    "Fake cryptocurrency exchanges"
  ],
  "data_breach": {
    "data_encryption": "ChaCha20 (payload encryption)",
    "data_exfiltration": "Yes (via HTTPS to C2 servers)",
    "personally_identifiable_information": "Cryptocurrency wallet backup phrases (BIP39)",
    "sensitivity_of_data": "High (financial, personally identifiable cryptocurrency access)",
    "type_of_data_compromised": [
      "Cryptocurrency wallet backup phrases",
      "Apple Memos",
      "MetaMask/Trust Wallet data"
    ]
  },
  "date_detected": "2025-02",
  "description": "Security researchers from Google’s Threat Intelligence Group (GTIG) have exposed *Coruna*, a highly advanced iOS exploit kit targeting devices running iOS 13.0 through 17.2.1. The framework, containing five exploit chains and 23 vulnerabilities, was initially developed by a commercial surveillance vendor in early 2025 before spreading to multiple threat actors. The exploit kit was deployed in watering-hole attacks and fake cryptocurrency exchange campaigns, delivering the PlasmaLoader malware to steal financial data, including cryptocurrency wallet backup phrases.",
  "impact": {
    "data_compromised": "Cryptocurrency wallet backup phrases (BIP39), MetaMask and Trust Wallet data, Apple Memos",
    "identity_theft_risk": "High (cryptocurrency wallet access)",
    "payment_information_risk": "High (cryptocurrency theft)",
    "systems_affected": "iOS devices (versions 13.0 through 17.2.1)"
  },
  "investigation_status": "Ongoing (publicly disclosed by GTIG)",
  "lessons_learned": "The rapid weaponization of commercial surveillance tools by state-backed and financially motivated threat actors highlights the need for robust iOS security measures, including Lockdown Mode and enhanced monitoring of zero-day exploit proliferation.",
  "motivation": ["Espionage", "Financial theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch management for iOS vulnerabilities",
      "Enhanced detection of WebKit-based exploits and JavaScript fingerprinting",
      "Monitoring for DGA-generated C2 domains",
      "User education on risks of fake cryptocurrency platforms"
    ],
    "root_causes": [
      "Proliferation of commercial surveillance tools (Coruna exploit kit) in secondary markets",
      "Exploitation of unpatched iOS vulnerabilities (WebKit RCE, sandbox escapes)",
      "Use of watering-hole attacks and fake cryptocurrency exchanges for malware distribution"
    ]
  },
  "recommendations": [
    "Enable Apple’s Lockdown Mode on high-risk devices",
    "Monitor for unusual WebKit activity or JavaScript fingerprinting",
    "Regularly update iOS to patch known vulnerabilities",
    "Avoid visiting untrusted websites or fake cryptocurrency platforms",
    "Use hardware wallets for cryptocurrency storage",
    "Implement enhanced monitoring for DGA-generated domains (e.g., *.xyz with 'lazarus' seed)"
  ],
  "references": [
    {"source": "Google’s Threat Intelligence Group (GTIG)"}
  ],
  "response": {
    "third_party_assistance": "Google’s Threat Intelligence Group (GTIG)"
  },
  "threat_actor": [
    "UNC6353 (Suspected Russian espionage group)",
    "UNC6691 (Financially motivated Chinese threat actor)"
  ],
  "title": "Sophisticated 'Coruna' iOS Exploit Kit Compromises Thousands of Devices",
  "type": "Exploit Kit / Malware Campaign",
  "vulnerability_exploited": [
    "CVE-2024-23222 (WebKit RCE - cassowary)",
    "CVE-2023-43000 (WebKit RCE - terrorbird)",
    "CVE-2023-32409 (WebKit Sandbox Escape - IronLoader)"
  ]
}