Nation-State iOS Exploit Kit Leaked
A sophisticated iOS exploit kit called "Coruna" is now circulating, featuring 23 distinct exploits targeting iOS versions 13 through 17.2.1. The kit, which evolved from a targeted spy tool into a mass-market criminal campaign, actively scans compromised devices for crypto wallets in order to steal private keys. Security analysts confirmed that enabling Apple's Lockdown Mode blocks all of its attack vectors.
The Coruna framework's journey began with a commercial surveillance vendor before being acquired by UNC6353, a suspected Russian espionage group, for watering-hole attacks against Ukrainian targets in mid-2025. By the end of the year, the kit had proliferated to a financially motivated Chinese actor, UNC6691, who deployed it broadly on scam websites.

Technically, the kit's five exploit chains leverage known vulnerabilities, including several previously used as zero-days. Notable CVEs include CVE-2024-23222, a WebKit flaw, and CVE-2023-38606 and CVE-2023-32434, which were part of the "Operation Triangulation" campaign. The framework contains reusable modules designed to bypass core iOS security features such as Pointer Authentication Code (PAC).

The final payload delivered by the exploit is a stager named PlasmaLoader (or PLASMAGRID). This implant is specifically designed to steal financial data by decoding QR codes from images and scanning text files and memos for cryptocurrency wallet recovery phrases or keywords like "bank account". It can exfiltrate data from numerous apps, including MetaMask, Exodus, Trust Wallet, and Tonkeeper.

The exploit actively avoids targeting devices with enhanced security enabled. Analysis of the framework's code shows it explicitly checks whether a device is in Lockdown Mode or whether the user is in private browsing, and it aborts the attack if either is detected. This is a deliberate evasion tactic coded by its developers.

Security researchers note this incident is significant because it demonstrates a clear proliferation of sophisticated spyware from targeted nation-state use to mass-scale criminal operations. Google's Threat Intelligence Group suggests its circulation points to a thriving market for "second-hand" zero-day exploits. The mobile security firm iVerify has noted that the exploit kit bears similarities to frameworks previously developed by threat actors affiliated with the U.S. government. This observation is notable given that some of the same vulnerabilities were used in "Operation Triangulation," an attack Russia attributed to the U.S. National Security Agency in 2023.