
Google Uncovers "Coruna": The iOS Exploit Kit That Jumped From Spies to Scammers

Google found a 23-exploit iOS kit that moved from state-sponsored spies targeting Ukraine to Chinese crypto thieves — here's what you need to know.

iOS exploit kit named Coruna

Google's Threat Intelligence Group (GTIG) has pulled back the curtain on one of the most technically accomplished iOS exploit kits ever documented — a toolkit so professionally built, so modular, and so thoroughly documented in fluent English that researchers are still mapping its full scope months after discovering it.

They're calling it Coruna, a name the developers themselves left baked into a debug build they accidentally deployed to a live scam site. That slip-up gave Google's researchers their clearest look yet at an exploit kit containing five complete iOS attack chains and 23 individual exploits — covering iPhones running iOS 13.0 through iOS 17.2.1, a four-year span from late 2019 to late 2023.

Coruna didn't surface all at once. Google first caught a fragment of it in February 2025, when a surveillance vendor's customer deployed part of an exploit chain using CVE-2024-23222, a vulnerability in WebKit (the browser engine powering Safari) that Apple had silently patched in January 2024 without crediting any external researchers — a pattern that sometimes signals a known-exploited zero-day.

By summer, the same JavaScript delivery framework appeared in a Ukrainian watering-hole operation. A domain called cdn.uacounter[.]com loaded the exploit kit as a hidden iframe on dozens of compromised Ukrainian websites — industrial suppliers, retailers, local services — and served it only to iPhone users from specific geolocations. 

Coruna iOS exploit kit timeline

GTIG attributed this campaign to UNC6353, a suspected Russian espionage group. Google worked with CERT-UA to clean up the compromised sites.

Then in December, the kit surfaced again — this time on a sprawling network of fake Chinese gambling and cryptocurrency exchange websites, operated by UNC6691, a financially motivated Chinese threat actor. This third deployment was sloppier: one actor left the debug build live, exposing the internal code names Google used to reconstruct the full kit's architecture.

Coruna is not cobbled-together malware. It's an engineered product. The JavaScript framework performs device fingerprinting — silently determining the exact iPhone model and iOS version before selecting the precise exploit chain to deliver. It bails out entirely if the device is in Lockdown Mode or private browsing, reducing noise and avoiding detection.
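The same two facts the kit fingerprints on, iPhone model and iOS version, are visible to defenders in ordinary web-proxy logs. The following is an added detection example, not Google's or the kit's code: it parses the iOS version out of Safari user agents, checks it against the iOS 13.0 to 17.2.1 span the article gives, and flags fetches from the cdn.uacounter[.]com delivery host named above. The log format and the sample lines are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Delivery host from the reporting (defanged in the article as cdn.uacounter[.]com).
CORUNA_DOMAINS = {"cdn.uacounter.com"}
# Version span covered by the kit's five chains, per the article.
MIN_VULN = (13, 0, 0)
MAX_VULN = (17, 2, 1)

# Mobile Safari advertises e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
_IOS_UA = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")
# Constructed log shape: "<src_ip> <host> \"<user-agent>\"".
_LOG_LINE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"$')


def ios_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an iPhone user agent, else None."""
    m = _IOS_UA.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_vulnerable_range(version: Tuple[int, int, int]) -> bool:
    """True if the iOS version falls inside the span Coruna's chains cover."""
    return MIN_VULN <= version <= MAX_VULN


def classify(line: str) -> str:
    """Verdict for one proxy log line, from most to least serious."""
    m = _LOG_LINE.match(line)
    if not m:
        return "unparsed"
    _, host, ua = m.groups()
    version = ios_version(ua)
    exposed = version is not None and in_vulnerable_range(version)
    if host.lower() in CORUNA_DOMAINS:
        return ("alert: vulnerable iPhone fetched Coruna delivery host" if exposed
                else "alert: Coruna delivery host contacted")
    return "notice: iPhone in exploitable iOS range" if exposed else "ok"


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 cdn.uacounter.com "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15"',
    '10.0.0.6 cdn.uacounter.com "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15"',
    '10.0.0.7 example.com "Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15"',
    '10.0.0.8 example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each line's source IP with its verdict."""
    return [(line.split()[0], classify(line)) for line in lines]


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```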

The 23 exploits carry internal names like cassowary, terrorbird, jacurutu, and seedbell, spanning multiple vulnerability classes: WebKit remote code execution (getting arbitrary code to run through the browser), PAC bypasses (defeating Apple's pointer authentication, a memory protection mechanism), sandbox escapes (breaking out of the restricted environment Safari runs in), and privilege escalation exploits that reach all the way to the kernel. Two of the exploits — Photon and Gallium — were previously seen in Operation Triangulation, the sophisticated iPhone espionage campaign Kaspersky uncovered in 2023.

The binary payloads are encrypted with ChaCha20, compressed with LZW, and packaged in a custom format starting with the magic bytes 0xf00dbeef. This is not amateur work.

From Surveillance Tool to Crypto Thief

The kit's final payload is where the story takes a sharp turn. Rather than the surveillance implants typically associated with commercial spyware vendors, Coruna's endgame is financial. A loader called PlasmaLoader injects itself into powerd — a legitimate iOS system daemon running as root — and then goes hunting for cryptocurrency.

The implant targets 19 crypto wallet apps, including MetaMask, Phantom, Trust Wallet, and Exodus. It scans Apple Notes for BIP39 seed phrases (the recovery words that unlock crypto wallets), looks for text patterns such as "backup phrase" or "bank account," and exfiltrates any useful information to a command-and-control server. 

The payload's logging strings are written in Chinese, and some comments appear to have been generated by an AI language model. The kit also uses a domain generation algorithm — seeded, oddly, with the string "lazarus" — as a fallback if its hardcoded servers go dark.

What makes Coruna alarming isn't just its technical sophistication — it's the trajectory. A single exploit kit appears to have migrated from a commercial surveillance vendor's customer, to a state-sponsored Russian spy operation, to a financially motivated Chinese crime group. How that handoff happened remains unclear, but GTIG's researchers suggest it points to an active secondary market for "second-hand" zero-day exploits.

That means advanced, battle-tested attack tools aren't staying locked inside the intelligence community. They're moving, mutating, and eventually showing up in scam websites targeting ordinary iPhone users.

What You Should Do

The good news: Coruna does not work against the current version of iOS. Apple has patched every vulnerability the kit relies on.

Update your iPhone now. If you cannot update for any reason, enable Lockdown Mode in Settings — Coruna's own framework is coded to detect and abandon devices running in that mode.

Google has added all identified Coruna domains to Safe Browsing, and indicators of compromise are available through the Google Threat Intelligence platform for security researchers.
