Multiple iOS exploits and five exploit chains have been found in a single exploit kit once used by Russian state actors against Ukrainians.
Separate reports analyzing the same iOS threat were published on the same day by Google Threat Intelligence Group (GTIG) and iVerify. GTIG first came across the threat in February 2025. It later learned, after discovering the full code, that the developers called the kit Coruna.
iVerify came across the same exploit kit independently and has spent several weeks conducting its own technical analysis. Both reports describe Coruna as an exploit kit containing 23 exploits across five full exploit chains targeting iOS 13 through 17.2.1.
GTIG says its technical value lies in the more advanced exploits “using non-public exploitation techniques and mitigation bypasses.” iVerify adds that this is the first time mass exploitation against iOS devices has been observed in the public. It describes Coruna as a nation-state grade iOS exploit kit now also in the hands of mass-scale criminal operations.
This is not fanciful. GTIG’s longer period of tracking confirms the progression: initial sightings from a customer of a commercial surveillance vendor; subsequent use of the same kit in watering hole attacks by UNC6353 (a suspected Russian state-sponsored espionage group) against Ukrainian users; and later use in a wider campaign by UNC6691 (a financially motivated criminal group operating out of China).
Coruna is powerful and sophisticated in both purpose and design. But it is not effective against the latest versions of iOS. The easiest defense is to ensure your iPhone is running iOS 17.3 or newer.
“In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.” The advice is not only a matter of Lockdown Mode’s general hardening: GTIG’s code analysis found the kit pulls out of the device if it is in Lockdown Mode, or if the user is in private browsing.
Coruna may have started life as a surveillance exploit kit, but by the time it reached the Chinese gang, it was heavily focused on financial and bitcoin wallet theft. By late 2025, GTIG found Coruna’s JavaScript framework on fake Chinese websites. A fake WEEX crypto exchange site, for example, attempts to persuade non-iOS visitors to return on an iPhone or iPad device.
This methodology serves two purposes. Visiting a crypto exchange indicates the visitor’s potential ownership of crypto wallets, while visiting with an iOS device results in immediate delivery of the exploit kit via a hidden iFrame.
Using this process, GTIG was able to retrieve all the obfuscated exploits, including the final payloads. GTIG also found the debug version of the exploit kit, leaving all of the exploits in the clear and including their internal code names – which is where it discovered the exploit kit had been named Coruna internally.
In February of this year, iVerify also found a suspicious website (mxbc-v2[.]tjbjdod[.]cn), and discovered a page hosting a set of exploits. It extracted as much of the exploits and implants as it could. “The obtained 1-click exploit chain consists of Remote Code Execution (RCE) in Safari and a Local Privilege Escalation (LPE) exploit allowing attackers to take control over infected devices,” it reports.
At this stage, iVerify called the exploit kit CryptoWaters since it contained a set of modules targeted at cryptocurrency wallets and was deployed as a watering hole attack. This was the same attack methodology used by the Russian actors against Ukrainian users. The fake WEEX site discovered by GTIG was likely one of these watering hole sites, but the kit is no longer targeted at Ukrainians – rather at anyone and everyone using an iOS device.
Further analysis of this exploit kit is ongoing by both iVerify and GTIG, and both firms intend to publish more details in the future. For now, the most complete understanding outside of the researchers themselves is likely to come from combining the insights from these two firms.
Both reports provide lengthy and different lists of IOCs.