Thursday March 5, 2026 6:27 am PST by Tim Hardwick
Google's Threat Intelligence Group (GTIG) has a new report out about a powerful iOS exploit kit called "Coruna," which traveled from a surveillance vendor's customer to a Russian espionage group to Chinese cybercriminals, revealing a sophisticated exploit "supply chain" in the process.
Described as one of the most comprehensive iOS exploit toolkits to have been documented publicly, Coruna targets iPhones running iOS 13.0 through iOS 17.2.1, containing 23 exploits across four years of iOS versions.
According to GTIG, it was first spotted in February 2025, when it was used by a customer of a commercial surveillance vendor. By summer 2025, the same framework appeared in watering hole attacks (where an attacker compromises websites that their intended targets are likely to visit) by a suspected Russian espionage group targeting Ukrainian users.
Then, in late in 2025, a China-based, financially motivated actor deployed it across a large network of fake financial and crypto websites. GTIG said it was unclear how the exploit kit got passed from actor to actor, but that it suggests an active market for "second hand" zero-day exploits.
As for the kit's contents, it's described as extremely well-engineered. When someone visits an infected website, it figures out what kind of iPhone they're using and what software version it's running, then picks the right attack for that specific device. If the user has Apple's Lockdown Mode turned on though, the kit bails – it doesn't even try.
The attack code is scrambled with strong encryption, so it's hard for security researchers to intercept and analyze, and it's packaged in a custom format that the developers apparently invented themselves. The code also includes detailed notes written in English explaining how it all works, and uses attack techniques that haven't been seen publicly before, according to GTIG's analysis.
The kit targets cryptocurrency wallets and financial data, and is capable of hooking into 18 different crypto apps to exfiltrate wallet credentials. The payload can decode QR codes from images on disk, and it also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like "backup phrase" or "bank account." It even scans Apple Notes for typical seed phrases.
Anyone still on iOS 17.2.1 or earlier is potentially vulnerable to the exploit kit, which doesn't work against newer iOS versions, so make sure to update if you can. Otherwise, the takeaway seems to be that Apple's Lockdown Mode is doing its job to ward off such a powerful exploit kit, and that can only be good news for those who enable it.
Popular Stories
Apple Accidentally Leaks 'MacBook Neo'
Apple appears to have prematurely revealed the name of its rumored lower-cost MacBook model, which is expected to be announced this Wednesday. A regulatory document for a "MacBook Neo" (Model A3404) has appeared on Apple's website. Unfortunately, there are no further details or images available yet. While the PDF file does not contain the "MacBook Neo" name, it briefly appeared in a link...
Apple Unveils Two New Products
Apple today introduced two new devices, including the iPhone 17e and an updated iPad Air. iPhone 17e features the same overall design as the iPhone 16e, but it gains Apple's A19 chip, MagSafe for magnetic wireless charging and magnetic accessories, Apple's second-generation C1X modem for faster 5G, and a doubled 256GB of base storage. In the U.S., the iPhone 17e starts at $599, just like the ...
Apple Announces $599 'MacBook Neo' With A18 Pro Chip
Apple today announced the "MacBook Neo," an all-new kind of low-cost Mac featuring the A18 Pro chip for $599. The MacBook Neo is the first Mac to be powered by an iPhone chip; the A18 Pro debuted in 2024's iPhone 16 Pro models. Apple says it is up to 50% faster for everyday tasks than the bestselling PC with the latest shipping Intel Core Ultra 5, up to 3x faster for on-device AI workloads,...
