A sophisticated exploit kit capable of compromising Apple iPhones running iOS versions 13.0 through 17.2.1 has been uncovered by cybersecurity researchers.
Google's Threat Intelligence Group (GTIG) said the toolkit, internally named Coruna, includes 5 full exploit chains and 23 vulnerabilities designed to infiltrate devices and extract sensitive financial data.
The newly identified toolkit is among the most comprehensive collections of iOS exploits observed in the wild. GTIG said several of the techniques rely on previously unseen exploitation methods and mitigation bypasses.
Initially observed in early 2025, the toolkit was first linked to a customer of a commercial surveillance vendor. Later in the year, investigators tracked its use in highly targeted attacks against Ukrainian users, attributed to a suspected Russian espionage group known as UNC6353.
What the Coruna Exploit Kit Does
By late 2025, the same exploit framework appeared again in broader campaigns tied to a financially motivated actor operating from China, tracked as UNC6691. In that case, the exploits were distributed through fake financial and cryptocurrency websites designed to lure victims into visiting the pages with an iPhone.
The websites injected a hidden frame that silently delivered the exploit kit once an iOS device accessed the page. Researchers recovered hundreds of samples of the toolkit during this phase of the investigation.
GTIG said the exploit chains target a wide range of Apple devices and system versions, combining multiple vulnerabilities to gain deeper access to the operating system.
The framework surrounding the exploits is highly engineered. It first profiles a visitor's device to determine the iPhone model and iOS version before selecting the correct exploit chain.
Key characteristics of the exploit kit include:
- Device fingerprinting to identify specific iPhone models and software versions
- Automatic selection of compatible WebKit vulnerabilities
- Techniques designed to bypass Apple security protections, such as pointer authentication
- Custom encryption and compression methods used to deliver payloads
The researchers also observed a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds.
Financial Data Theft Capabilities
Once the exploit chain completes, a loader referred to as PlasmaLoader installs itself within a system process on the device. Instead of traditional surveillance features, the payload focuses on financial data collection.
It can scan stored images for QR codes and search text files for cryptocurrency wallet recovery phrases or keywords such as "backup phrase" or "bank account". If detected, the information is transmitted to attacker-controlled servers.
Google said the exploit kit is ineffective against the latest iOS versions. The company has added related malicious domains to Safe Browsing and recommends users update their devices to the newest software release or enable Lockdown Mode where updates are not possible.
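For defenders checking a device fleet against the affected range the article gives (iOS 13.0 through 17.2.1), here is an added example, not code from GTIG or the report, that compares version strings numerically rather than as text and buckets an inventory into affected, not affected and unknown. The device inventory is constructed sample data.

```python
"""Flag iOS versions inside the range the article gives for Coruna (13.0 to 17.2.1).

Versions are compared component by component as integers, so "17.2.1"
sorts after "17.2" and "17.10" after "17.9"; plain string comparison gets
both wrong. Sample inventory below is constructed, not real telemetry.
"""
from __future__ import annotations

AFFECTED_MIN = (13, 0)      # first affected release named in the article
AFFECTED_MAX = (17, 2, 1)   # last affected release named in the article


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '17.2.1' into (17, 2, 1); raise ValueError on anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def normalize(v: tuple[int, ...], width: int = 3) -> tuple[int, ...]:
    """Right-pad with zeros so '13', '13.0' and '13.0.0' compare equal."""
    return v + (0,) * (width - len(v)) if len(v) < width else v


def is_affected(version: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    v = normalize(parse_version(version))
    return normalize(AFFECTED_MIN) <= v <= normalize(AFFECTED_MAX)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {device_id: ios_version} map into affected / not_affected / unknown."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for device, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"          # malformed version: needs manual follow-up
        result[bucket].append(device)
    return result


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY = {
    "iphone-a": "17.2.1",   # last affected release
    "iphone-b": "17.3",     # just past the range
    "iphone-c": "17.10",    # string comparison would wrongly flag this
    "iphone-d": "12.5.7",   # below the range
    "iphone-e": "13",       # same as 13.0
    "iphone-f": "unknown",  # malformed, lands in 'unknown'
}

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {sorted(devices)}")
```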
