New iOS Exploit 'Coruna' Steals Crypto Wallets

A new iOS exploit kit named “Coruna” is actively targeting iPhone users to steal crypto wallet seed phrases. The exploit affects devices running iOS versions 13.0 through 17.2.1, prompting security warnings to update devices and enable Lockdown Mode.

The "Coruna" exploit kit represents a significant escalation in mobile device threats, bundling 23 separate vulnerabilities into five complete exploit chains. This nation-state-grade malware was first observed in early 2025 being used by a surveillance company's customer before being adopted by a Russian espionage group targeting Ukrainian websites. By late 2025, Coruna had transitioned from state-sponsored espionage to financially motivated cybercrime, with a Chinese threat group known as UNC6691 deploying it on fraudulent cryptocurrency and gambling websites. This highlights a growing trend of sophisticated government-level cyberweapons proliferating into the criminal underground for mass-market retail theft.

The attack is delivered via "watering hole" tactics, where visiting a compromised website from a vulnerable iPhone is enough to trigger the exploit chain through a hidden iFrame, with no user interaction required. The framework is engineered to first check the device's iOS version and whether Lockdown Mode is enabled, backing off if it is, to avoid detection.

Once a device is compromised, a payload called PlasmaLoader is injected into a root-level iOS system process. This malware is specifically designed to steal financial data by hooking into at least 18 cryptocurrency wallet applications, including MetaMask, Phantom, and BitKeep, to intercept sensitive wallet information. The malware actively scans for QR codes in images and searches through files and notes for keywords like "backup phrase" or "bank account". This allows attackers to siphon private keys and seed phrases, giving them the ability to drain user funds before the victim is even aware of the compromise.

The exploit kit's code was inadvertently exposed when a threat actor deployed a debug version, providing researchers at Google's Threat Intelligence Group a rare look into its internal structure and documentation. This discovery has provided crucial insights into how these advanced mobile attack tools are constructed and circulated.

While the exploit is potent, it is ineffective against the latest versions of iOS. Users are strongly urged to update to iOS 17.3 or newer. For those unable to update, enabling Lockdown Mode or using private browsing can neutralize the threat as the Coruna framework is designed to abort its execution under these conditions.
