PROBABLYPWNED
Threat Intelligence | March 6, 2026 | 5 min read

Coruna iOS Exploit Kit: 23 Attacks From Spies to Criminals

Government-grade iPhone exploits targeting iOS 13-17.2.1 now wielded by Russian spies and Chinese criminals. Lockdown Mode stops it cold.

Alex Kowalski

A sophisticated iOS exploit kit containing 23 separate attacks has proliferated from surveillance vendors to nation-state hackers to financially motivated criminals. Google's Threat Intelligence Group tracked the toolkit—dubbed Coruna—as it spread across threat actors throughout 2025, finally recovering the complete framework from a Chinese criminal group.

The toolkit targets iPhones running iOS 13.0 through iOS 17.2.1 with five full exploit chains, hooks into 18 different crypto wallet apps, and features documentation suggesting it may have originated from U.S. government offensive tools.

The Proliferation Path

Google's research documents how Coruna traveled through the threat actor ecosystem:

February 2025: First spotted when deployed by an unnamed customer of a commercial surveillance vendor—the typical starting point for government-grade exploits.

Summer 2025: The same framework appeared in watering hole attacks by UNC6353, a suspected Russian espionage group targeting Ukrainian users. This marks the jump from controlled commercial use to nation-state offensive operations.

Late 2025: A China-based financially motivated group deployed Coruna across a network of fake financial and cryptocurrency websites, transforming the spy tool into a mass theft operation.

This trajectory—surveillance vendor to nation-state to criminal—follows patterns we've documented in previous threat intelligence reports. Tools developed for targeted operations inevitably leak, get stolen, or proliferate through the gray market.

Possible U.S. Government Connection

Both Google and mobile security firm iVerify independently assessed that Coruna shares characteristics with frameworks previously attributed to U.S. government-affiliated threat actors. Researchers connected the toolkit to Operation Triangulation, a sophisticated iOS exploitation campaign that Russian cybersecurity firm Kaspersky exposed in 2023 after discovering infections on its own employees' devices.

The Russian government attributed Operation Triangulation to U.S. intelligence agencies, though American officials never confirmed or denied involvement. If accurate, Coruna represents American offensive capabilities now being used against Ukrainian allies and for criminal profit.

Researchers uncovered the full toolkit after a threat actor deployed a debug version by mistake, exposing internal code names and documentation embedded within the framework. The English-language documentation and development conventions further suggest Western origins.

Technical Capabilities

Coruna's 23 exploits span four years of iOS development, targeting vulnerabilities across multiple system components. The toolkit features:

  • Five complete exploit chains for gaining initial access and persistence
  • Hooks for 18 cryptocurrency applications to exfiltrate wallet credentials
  • Custom packaging formats with strong encryption
  • Automated deployment through compromised websites and phishing infrastructure

The sophistication level places Coruna among the most capable mobile exploitation frameworks ever documented in the wild—comparable to NSO Group's Pegasus but now freely circulating among criminal actors.

Lockdown Mode Works

Here's the genuinely good news: Apple's Lockdown Mode completely defeats Coruna. When the toolkit detects Lockdown Mode is active, it abandons the attack entirely without attempting exploitation.

Lockdown Mode was introduced in iOS 16 specifically to protect high-risk users—journalists, activists, government officials—from sophisticated spyware. Coruna's behavior validates that design decision. The feature works as intended against exactly the threat class it was designed to counter.

For readers who may be unfamiliar with sophisticated mobile threats, our guide on malware covers how these attacks differ from traditional computer viruses and why mobile exploitation is particularly dangerous.

Who Should Be Concerned

The shift from targeted espionage to mass financial crime changes the risk calculus. Initially, Coruna threatened a small population of high-value intelligence targets. Now anyone visiting a compromised cryptocurrency or financial website faces potential exploitation.

Groups at elevated risk include:

  • Cryptocurrency users actively trading or holding significant assets
  • Individuals in conflict zones who may be targeted by state actors
  • Business executives with access to sensitive corporate data
  • Government employees even on personal devices
  • Journalists and activists covering sensitive topics

The LastPass phishing campaign we covered yesterday showed how financial targets attract criminal attention. Coruna extends that threat to mobile devices previously considered more secure than desktop systems.

Protection Recommendations

  1. Update iOS immediately to the latest version (iOS 17.3 or later patches all Coruna exploits)
  2. Enable Lockdown Mode if you're in a high-risk category—Settings > Privacy & Security > Lockdown Mode
  3. Avoid suspicious financial websites especially those discovered through ads or unsolicited messages
  4. Use hardware security keys for cryptocurrency accounts rather than phone-based authentication
  5. Monitor for unusual device behavior including battery drain, overheating, or unexpected data usage

Frequently Asked Questions

Am I affected if I'm running iOS 17.3 or later?

No. Coruna targets iOS 13.0 through 17.2.1. Devices running current iOS versions are protected against the documented exploit chains.
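The affected range quoted above (iOS 13.0 through 17.2.1) and the recommendations list are easy to get wrong at scale when iOS versions are compared as strings ("17.10" sorts before "17.2" lexically). The following triage script is an added example, not code from the article or from Google's report; it assumes a constructed device inventory of the kind an MDM export would give you (device name, iOS version string, Lockdown Mode flag) and classifies each device against the stated range. The "mitigated" class reflects the article's claim that Coruna aborts when Lockdown Mode is active.

```python
from dataclasses import dataclass

# Affected range as stated in the article: iOS 13.0 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# Lockdown Mode shipped in iOS 16; an inventory claiming it on an older build is a data error.
LOCKDOWN_MIN = (16, 0, 0)


def parse_ios_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into an integer tuple so comparisons are numeric.

    Plain string comparison is wrong here: '17.10' < '17.2' lexically but not as a version.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside the range the exploit kit is documented to target."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


@dataclass
class Device:
    name: str            # hypothetical inventory identifier
    ios_version: str     # version string as exported, e.g. "17.2.1"
    lockdown_mode: bool  # whether Lockdown Mode is reported enabled


def classify(device: Device) -> str:
    """Return one of: patched, below_range, mitigated, exposed."""
    v = parse_ios_version(device.ios_version)
    if device.lockdown_mode and v < LOCKDOWN_MIN:
        raise ValueError(f"{device.name}: Lockdown Mode reported on {device.ios_version}, "
                         "which predates the feature; check the inventory source")
    if v > AFFECTED_MAX:
        return "patched"          # newer than the documented chains
    if v < AFFECTED_MIN:
        return "below_range"      # outside the documented range, but not patched either
    if device.lockdown_mode:
        return "mitigated"        # vulnerable build, but Lockdown Mode causes the kit to abort
    return "exposed"              # vulnerable build, no Lockdown Mode: update first


def triage(devices: list[Device]) -> dict[str, str]:
    """Map each device name to its classification."""
    return {d.name: classify(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("exec-phone-01", "17.3", False),
    Device("trader-phone-02", "17.2.1", False),
    Device("journalist-phone-03", "16.7.10", True),
    Device("legacy-phone-04", "12.5.7", False),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:22s} {status}")
```

Devices classed "exposed" should be updated before anything else; "mitigated" devices still need the update, since Lockdown Mode is a detour around this one kit, not a patch.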

Does Lockdown Mode impact normal phone usage?

Yes, somewhat. Lockdown Mode disables certain features including message link previews, some web technologies, and FaceTime from unknown callers. For most users, the tradeoffs are minimal compared to the protection gained.

Should I assume my device was compromised if I visited cryptocurrency websites?

Not necessarily. Coruna deployment appears limited to specific fake financial sites operated by the Chinese criminal group. However, if you're in a high-risk category and visited suspicious sites while running vulnerable iOS versions, consider the device potentially compromised and consult with a security professional.
