
Google reveals Coruna exploit kit that hijacked older iPhones for theft

Google and independent researchers say a toolkit called Coruna (aka CryptoWaters) used five exploit chains and 23 vulnerabilities to steal financial data from iPhones running iOS 13–17.2.1.

Dr. Elena Rodriguez, 3 min read

Google’s Threat Intelligence Group disclosed that a sophisticated exploit framework it calls Coruna quietly compromised older iPhones to harvest financial data, a campaign researchers say moved from targeted surveillance to mass criminal abuse. The March 5 disclosure, backed by independent reverse engineering from mobile security firm iVerify, shows the toolkit contained five full iOS exploit chains built from 23 individual exploits and was able to target devices running iOS 13.0 through 17.2.1.

GTIG said it first captured elements of the chain in February 2025 from a customer of an unnamed commercial surveillance vendor and subsequently collected “a few hundred samples covering a total of five full iOS exploit chains.” A debug instance left in the clear allowed investigators to recover internal exploit names and confirm the internal label Coruna. iVerify published a corroborating analysis the same day and used the name CryptoWaters for the same toolkit.

Researchers traced a clear progression in 2025. GTIG observed reuse of the framework in summer 2025 by a suspected Russian espionage actor known as UNC6353, which embedded the exploit as hidden iframes on compromised Ukrainian websites. GTIG worked with Ukraine’s CERT-UA to clean up those sites. By late 2025 the same toolkit appeared across a network of fake Chinese financial websites operated by UNC6691, a financially motivated, China-based threat actor; iVerify found that deployment “contained no geolocation filtering,” meaning any vulnerable iPhone visiting those pages was at risk.

The attacks began with malicious web pages running hidden JavaScript that silently fingerprinted the visitor’s iPhone model, iOS version, and security settings before delivering a matching WebKit remote-code-execution exploit. Security analysis details multiple mitigation bypasses and reusable modules that raise the toolkit’s technical value. “Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation, discovered by Kaspersky in 2023. The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities. For example, there is a module called `rwx_allocator` using multiple techniques to bypass various mitigations preventing allocation of RWX memory pages in userland,” SecurityAffairs reported quoting the technical work.
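The injection vector described above, hidden iframes planted on compromised sites that then serve fingerprinting JavaScript, is something a site operator can check for without any knowledge of the exploit itself. The following is an added example written for this article, not code from GTIG, iVerify or the toolkit: it parses a page, collects every iframe, and flags those that are both invisible to the visitor (display:none, visibility:hidden, zero opacity, zero size or positioned off-screen) and pointed at a host the site does not own. The sample page and the host names in it are constructed for illustration.

```python
"""Scan a web page for hidden iframes that load content from third-party hosts.

Added defender-side example, not code from the article or from GTIG/iVerify.
The sample page and host names below are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


def _parse_style(style: str) -> dict:
    """Turn 'display: none; left:-9999px' into {'display': 'none', 'left': '-9999px'}."""
    decls = {}
    for part in style.lower().split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip()] = value.strip()
    return decls


def hidden_reason(attrs: dict) -> Optional[str]:
    """Return why an iframe is invisible to the visitor, or None if it looks visible."""
    decls = _parse_style(attrs.get("style", ""))
    if decls.get("display") == "none":
        return "display:none"
    if decls.get("visibility") == "hidden":
        return "visibility:hidden"
    if decls.get("opacity") in ("0", "0.0"):
        return "opacity:0"
    for edge in ("left", "top"):
        if decls.get(edge, "").startswith("-"):
            return f"positioned off-screen ({edge}:{decls[edge]})"
    try:  # zero-sized frames; non-numeric sizes such as '100%' are ignored
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
        if width <= 1 or height <= 1:
            return f"zero-sized ({width}x{height})"
    except ValueError:
        pass
    return None


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_suspicious_iframes(html: str, own_hosts: set) -> list:
    """Hidden iframes whose src points at a host the site does not own."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reason = hidden_reason(attrs)
        if reason and host and host not in own_hosts:
            findings.append({"src": src, "host": host, "reason": reason})
    return findings


# Constructed sample page: one legitimate, visible widget and three injected frames.
SAMPLE_PAGE = """
<html><body>
<h1>Example site</h1>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="https://cdn.example-ads.invalid/frame.html" style="display: none"></iframe>
<iframe src="https://evil.invalid/x" width="0" height="0"></iframe>
<iframe src="https://evil.invalid/y" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

OWN_HOSTS = {"www.example.org"}  # hosts the operator legitimately embeds from


def scan_sample() -> list:
    """Run the scanner over the constructed sample page."""
    return find_suspicious_iframes(SAMPLE_PAGE, OWN_HOSTS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['host']:28} {finding['reason']:36} {finding['src']}")
```

Run against the sample page the scanner reports three frames (the display:none one, the zero-sized one and the off-screen one) and leaves the visible first-party widget alone. On a real site the allow-list of owned hosts is the part that needs care: a hidden frame pointing at a domain the operator never embedded from is the signal, so the list should be built from the site's own deployment configuration rather than from whatever is currently in the HTML.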

After initial compromise, a stager dubbed PlasmaLoader injects into a root daemon and deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions. SecurityAffairs also noted kernel exploits include modules designed to bypass kernel-mode PAC protections. GTIG said the toolkit avoids devices in Lockdown Mode and avoids private browsing sessions, terminating if those defenses are detected.

iVerify framed the findings in broader terms: “Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations. Furthermore, it confirms what iVerify has long argued: the mobile threat landscape is not standing still, and the tools once reserved for targeting heads of state are now being deployed against ordinary iPhone users.”

GTIG emphasized uncertainty about provenance while warning the pattern “suggests an active market for 'second hand' zero-day exploits.” Key open questions remain: researchers have not published a complete list of CVE identifiers, the surveillance vendor and initial customer remain unnamed, and the total number of infected devices is unknown. For now, researchers say the clearest defenses are installing Apple’s latest iOS updates and exercising caution when visiting unfamiliar financial websites; GTIG’s remediation work with CERT-UA also underscores the role of rapid cleanup once malicious infrastructure is identified.
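Because the reported affected range (iOS 13.0 through 17.2.1) is the one concrete figure defenders can act on, the first job for anyone managing a fleet is to find which devices still sit inside it. The following is an added example, not code from the article or the researchers: it parses version strings from a constructed device inventory, compares them as numeric tuples rather than strings (so "16.7.10" sorts after "16.7.2" and "17.10" would sort after "17.2"), and buckets each device as affected, not affected, or unparseable. The inventory entries are constructed; the range bounds are the article's reported figures.

```python
"""Triage a device inventory against the iOS range the article reports as affected.

Added example, not from the article: the inventory below is constructed, and
the range bounds come only from the article's reported figures (13.0 to 17.2.1).
"""
from typing import Dict, List, Tuple

AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """'17.2' -> (17, 2, 0). Pads missing components; rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (numbers[0], numbers[1], numbers[2])


def is_in_affected_range(text: str) -> bool:
    """Tuple comparison avoids the string-ordering trap ('17.10' < '17.2')."""
    return AFFECTED_MIN <= parse_ios_version(text) <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split devices into affected / not_affected / unknown buckets by name."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for name, version in inventory:
        try:
            bucket = "affected" if is_in_affected_range(version) else "not_affected"
        except ValueError:  # MDM returned nothing usable for this device
            bucket = "unknown"
        result[bucket].append(name)
    return result


# Constructed inventory: (device name, iOS version as reported by an MDM export).
INVENTORY = [
    ("finance-01", "17.2.1"),   # last build inside the reported range
    ("finance-02", "17.3"),     # first version past the reported range
    ("legacy-01", "12.5.7"),    # below the range
    ("sales-03", "16.7.10"),    # multi-digit component, inside the range
    ("sales-04", "13.0"),       # lower bound, padded to 13.0.0
    ("unknown-01", "n/a"),      # export had no version for this device
]


def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the constructed inventory."""
    return triage(INVENTORY)


if __name__ == "__main__":
    for bucket, names in triage_sample().items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
```

The "unknown" bucket matters as much as the "affected" one: a device whose version an inventory cannot read is one whose patch status is unverified, and in practice those are the ones that stay behind. Lockdown Mode, which the article notes the toolkit refuses to run against, is not reported by this check; an inventory that records it could be used to rank the affected bucket further.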
