[TIMESTAMP: 2026-03-03 16:26 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Coruna Exploit Kit: iOS 13-17.2.1 Targeted by Multiple APTs

CRITICAL | Threat Intel | #Coruna #iOS #ExploitKit
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Sophisticated iOS exploit kit “Coruna” actively targets iPhones, enabling espionage and financial data theft.
  • [02] Affected systems include Apple iPhone models running iOS versions 13.0 up to 17.2.1.
  • [03] Update all iOS devices to the latest available version immediately to mitigate exploitation risks.

Google Threat Intelligence Group (GTIG) has uncovered a sophisticated and highly potent exploit kit, dubbed “Coruna” by its developers, actively targeting a wide range of Apple iPhone models running iOS versions 13.0 up to 17.2.1. The kit bundles five full iOS exploit chains and a total of 23 exploits, many of which rely on non-public exploitation techniques and mitigation bypasses. The discovery highlights a troubling trend: the proliferation of advanced zero-day capabilities from commercial surveillance vendors to a range of malicious actors, including nation-state APT groups and financially motivated cybercriminals, as detailed in GTIG’s report.

Technical Details: Coruna Exploit Kit iOS 17.2.1 Vulnerabilities and Beyond

The Coruna exploit kit is meticulously engineered, utilizing a JavaScript framework that incorporates simple but effective obfuscation techniques for encoding strings and integers. This framework’s initial phase involves a robust fingerprinting module that gathers extensive device and software version data, ensuring that the appropriate [WebKit Remote Code Execution (RCE)](/glossary#rce) exploit and subsequent Pointer Authentication Code (PAC) bypass are delivered.

Over its lifecycle, Coruna has integrated and weaponized several vulnerabilities:

Binary payloads within the kit are encrypted and compressed, with builds specific to particular iOS versions and chips. These modules include reusable components, such as an rwx_allocator used to bypass memory mitigations, and kernel exploits designed to bypass kernel-mode PAC.

The PLASMAGRID Final Payload

The final stage of the exploitation chain involves a stager binary named PlasmaLoader (tracked as PLASMAGRID), which injects itself into the powerd daemon to establish communication with a kernel component. Unlike typical surveillance payloads, PLASMAGRID focuses on financial information theft. It can decode QR codes from disk images, analyze text blobs for BIP39 word sequences or keywords like “backup phrase” and “bank account” in Apple Memos, and exfiltrate this data to its C2 server. The payload can also remotely download and run additional modules, primarily designed to exfiltrate cryptocurrency wallets and sensitive information from a wide array of financial and crypto applications, including BitKeep, MetaMask, Phantom, and Trust Wallet. Intriguingly, many of these modules contain logging in Chinese, some with characteristics suggesting LLM-generated content.

Threat Actor Attribution and Proliferation

GTIG observed Coruna’s deployment across three distinct phases, indicating a concerning trend of advanced exploit capabilities changing hands. Initially, parts of an iOS exploit chain were captured from a customer of a commercial surveillance company, suggesting that such customers are the primary market for these capabilities.

Subsequently, in summer 2025, the same JavaScript framework was leveraged in watering hole attacks by UNC6353, a suspected Russian espionage group. These attacks targeted Ukrainian users via compromised websites ranging from industrial equipment to local services. This deployment highlights the use of commercially sourced capabilities by state-sponsored actors for geopolitical objectives.

Later in the year, the full Coruna exploit kit was retrieved from broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. These campaigns involved fake Chinese financial and cryptocurrency websites designed to lure iOS users into compromise, underscoring the shift towards direct financial gain using these advanced tools.

This progression of use—from commercial surveillance to nation-state espionage, and finally to broad-scale financial crime—demonstrates an active, albeit murky, market for “second-hand” zero-day exploits and sophisticated TTPs. Understanding these actor motivations is crucial for detecting UNC6691 financial theft and similar campaigns.

Actionable Recommendations and Mitigations

The widespread capabilities of the Coruna exploit kit, coupled with its use by diverse threat actors, necessitate immediate action from security professionals and end-users.

Prioritize Updates and Hardening to Mitigate iOS Zero-Day Exploitation

  • Update Immediately: The most critical recommendation for protecting against the vulnerabilities exploited by Coruna (iOS 13.0 through 17.2.1) is to update all Apple iPhone devices to the latest available iOS version. The Coruna exploit kit is not effective against the latest versions of iOS, as Apple has addressed the underlying vulnerabilities.
  • Enable Lockdown Mode: For situations where immediate updates are not feasible, or for users requiring enhanced security, enabling Apple’s Lockdown Mode is strongly recommended. This feature provides extreme, optional protection for individuals who might be targeted by highly sophisticated cyberattacks.
  • Exercise Caution with Links and Downloads: Be highly suspicious of unsolicited links, particularly those related to financial or cryptocurrency services. Attackers leveraged watering hole tactics and fake financial websites to deliver Coruna. Adopting a Zero Trust approach to unknown links and attachments is vital.
  • Monitor for IoCs: Security teams should integrate the Indicators of Compromise (IoCs) provided by Google Threat Intelligence Group into their detection systems (SIEM, EDR, network IDS/IPS) to identify potential compromises. Pay close attention to network traffic to and from the identified C2 domains and to files matching the published hashes.
  • User Awareness Training: Educate users, especially those managing cryptocurrency or sensitive financial assets, about the risks of phishing attacks and fake websites, and about the importance of verifying URLs before interacting with them. The payload’s focus on BIP39 wordlists and bank account keywords highlights the specific data at risk.
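The two recommendations that lend themselves to automation are the version check (which devices in a fleet still fall inside the affected 13.0 to 17.2.1 range) and the IoC sweep (which log lines touch a listed C2 domain or file hash). The script below is an added example written for this article; it is not code from the GTIG report or from Runtime Rebel. The device inventory, log lines, domains and hash are constructed placeholders: the real IoCs come from GTIG’s report, not from this page. The version comparison treats both bounds as inclusive, as the advisory states, and the domain match also catches subdomains of a listed C2 domain.

```python
"""Triage helper for the Coruna advisory (added example, not the project's code).

1. Flag iPhones whose iOS version is inside the affected range 13.0..17.2.1.
2. Sweep proxy/DNS/EDR log lines for listed C2 domains and file hashes.

All device records, log lines and IoC values below are constructed placeholders.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Inclusive bounds stated in the advisory: iOS 13.0 up to and including 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn 'iOS 17.2.1', '17.2' or '13.0' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_in_affected_range(version: str) -> bool:
    """True when the device runs a build inside the range the kit targets."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage_inventory(devices: Iterable[dict]) -> List[str]:
    """Return the IDs of devices that should be updated (or put in Lockdown Mode) first."""
    return [d["id"] for d in devices if is_in_affected_range(d["os"])]


# Placeholder IoCs (assumption for this example): replace with the values from the GTIG report.
IOC_DOMAINS = {"c2-placeholder.example", "lure-placeholder.example"}
IOC_SHA256 = {"0" * 64}  # placeholder hash, not a real indicator

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def matching_ioc_domain(host: str) -> Optional[str]:
    """Return the listed domain if host equals it or is a subdomain of it, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator type, indicator) for every IoC hit in the log."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = matching_ioc_domain(host)
            if ioc and (n, "domain", ioc) not in hits:
                hits.append((n, "domain", ioc))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                hits.append((n, "sha256", digest.lower()))
    return hits


# Constructed sample data: a small MDM export and a few log lines.
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "os": "iOS 12.5.7"},   # below the affected range
    {"id": "iphone-02", "os": "iOS 13.0"},     # lower bound, affected
    {"id": "iphone-03", "os": "iOS 17.2.1"},   # upper bound, affected
    {"id": "iphone-04", "os": "iOS 17.3"},     # above the affected range
    {"id": "iphone-05", "os": "18.3.1"},       # current, not affected
]

SAMPLE_LOG = [
    "2026-03-01T10:02:11Z proxy src=10.0.0.5 GET https://lure-placeholder.example/index.html 200",
    "2026-03-01T10:02:12Z dns src=10.0.0.5 query=api.c2-placeholder.example type=A",
    "2026-03-01T10:02:13Z proxy src=10.0.0.7 GET https://www.apple.com/ios/ 200",
    "2026-03-01T10:03:40Z edr host=iphone-05 file=/tmp/stage.bin sha256=" + "0" * 64,
]

if __name__ == "__main__":
    print("devices to update first:", triage_inventory(SAMPLE_INVENTORY))
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} hit on {value}")
```

Feed the real IoC lists into IOC_DOMAINS and IOC_SHA256 and point scan_log at an exported proxy or DNS log; the subdomain-aware match matters because a bare string comparison against the listed apex domain would miss hosts like api.<c2 domain>. The version check is deliberately inclusive at 17.2.1, so a fleet report that rounds “17.2.1” to “17.2” still lands inside the range.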

Google has taken steps to add all identified malicious websites and domains to Safe Browsing to protect users. Continued vigilance and proactive patching are paramount in defending against exploit kits of this caliber.
