Google's Threat Intelligence Group and iVerify have jointly exposed Coruna, a sophisticated iOS exploit kit containing five full exploit chains targeting iOS 13.0 through 17.2.1. Originally deployed by a commercial surveillance vendor's customer in early 2025, the kit was subsequently repurposed by a suspected Russian espionage group (UNC6353) targeting Ukrainian websites, and then by Chinese cybercriminals (UNC6691) running mass-scale fake financial sites to steal cryptocurrency. The payload, Plasmagrid, injects into a root-level iOS daemon and hooks into 18 crypto wallet apps including MetaMask and Exodus, scanning images for QR codes and Apple Notes for seed phrases. The case highlights a thriving secondary market for high-end zero-day exploits and exposes gaps in enterprise mobile security, which was built around device management rather than detecting OS-level exploitation. Mitigations include updating to the latest iOS and enabling Lockdown Mode.