Google Finds Coruna iOS Exploit Kit Fueling Fin Crime

A sophisticated iOS exploit kit has transitioned from targeted surveillance operations to state-sponsored espionage and is now being used by financially motivated cybercriminals, according to new research from Google’s Threat Intelligence Group (GTIG).

The toolkit, named ‘Coruna’ by its developers, was tracked throughout 2025 as its use expanded from a surveillance vendor’s client to Russian-linked espionage groups and finally to criminals operating fake cryptocurrency websites. Google’s researchers first observed the Coruna exploit kit in use in by a customer of a commercial surveillance company.

By , GTIG identified its deployment in watering hole attacks against Ukrainian websites, attributed to a suspected Russian espionage group. The kit’s proliferation culminated in , when it was discovered in broad campaigns by a financially motivated threat actor using fake Chinese gambling and crypto sites to target users indiscriminately. It was during this final phase that researchers were able to retrieve the complete exploit kit.

According to Google, the Coruna kit is a powerful collection of five full iOS exploit chains and 23 total exploits. These exploits target vulnerabilities in iPhones running iOS versions from 13.0, released in , up to 17.2.1, released in . The vulnerabilities, including the known CVE-2023-32434, allow for remote code execution and sandbox escapes through web content. The payload delivered via the scam sites was designed to exfiltrate sensitive data by decoding QR codes from images, searching for keywords like “backup phrase,” and stealing data from cryptocurrency wallet apps such as MetaMask and BitKeep.

The proliferation of Coruna demonstrates how advanced, likely state-level, cyber capabilities can filter down to a wider range of threat actors. According to GTIG, the core technical value of this exploit kit lies in its comprehensive collection of iOS exploits. The toolkit’s movement from a single surveillance vendor’s tool to a commodity used by espionage groups and later by cybercriminals suggests an active market for “second-hand” zero-day exploits, though the exact method of its proliferation is not yet confirmed.

The primary mystery surrounding the Coruna kit is how it proliferated from a controlled surveillance tool to being used by multiple, disparate threat actors. Researchers from Google noted that while they tracked its usage across different groups, the specific mechanism of transfer — whether it was sold, stolen, or leaked — remains unclear.

Google has added all identified malicious domains and websites to its Safe Browsing list to protect users from further exploitation. The vulnerabilities leveraged by the Coruna kit have been patched in the latest versions of iOS. The incident highlights the ongoing threat of sophisticated mobile exploits and the importance of timely software updates for all users. The circulation of such a powerful tool among financially motivated criminals could lead to an increase in high-stakes mobile financial fraud.

To mitigate the risks posed by Coruna and similar exploit kits, users should take several steps. First and foremost, update all Apple devices to the latest available version of iOS, as this is the most effective defense. For users who cannot update or who face heightened threats, Apple’s Lockdown Mode provides an additional layer of security that effectively neutralizes this exploit kit by design. Additionally, users should exercise caution with QR codes and be wary of websites promoting cryptocurrency or gambling, especially those from unverified sources.
