A number of iOS exploits and five exploit chains have been found in a single exploit kit once used by Russian state actors against Ukrainians.
Separate reports analyzing the same iOS threat were published on the same day by Google Threat Intelligence Group (GTIG) and iVerify. GTIG first came across the threat in February 2025. It later learned, after finding the full code, that the developers called the kit Coruna.
iVerify came across the same exploit kit independently and has spent several weeks conducting its own independent technical analysis. Both reports describe Coruna as an exploit kit containing 23 exploits across five full exploit chains targeting iOS 13 through 17.2.1.
GTIG says its technical value lies in the more advanced exploits "using private exploitation techniques and mitigation bypasses." iVerify adds that this is the first time mass exploitation against iOS devices has been observed in public. It describes Coruna as a nation-state grade iOS exploit kit now also in the hands of mass-scale criminal operations.
This is not fanciful. GTIG's longer period of monitoring confirms sightings initially from a customer of a commercial surveillance vendor, subsequent use of the same kit in watering hole attacks by UNC6353 (a suspected Russian state-sponsored espionage group) against Ukrainian users, and later in a wider campaign by UNC6691 (a financially motivated criminal group operating out of China).
Coruna is powerful and sophisticated in both purpose and design. But it is not effective against the latest versions of iOS. The most effective defense is to ensure your iPhone is running iOS 17.3 or newer.
"In cases where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security." But it is not only for the sake of Lockdown's enhanced security. GTIG's code analysis found that the kit backs off from the device if it is in Lockdown Mode, or if the user is in private browsing.
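The two defensive facts above (the affected range of iOS 13 through 17.2.1, and Lockdown Mode as a fallback where an update is not possible) translate directly into a fleet check. The following is an added illustration, not code from GTIG, iVerify or this article: it parses iOS version strings from a device inventory, flags devices inside the affected range, and treats Lockdown Mode as a compensating control rather than a fix. The inventory layout (name, os_version, lockdown_mode) is an assumption and the sample rows are constructed.

```python
"""Triage an iOS device inventory against the Coruna-affected version range.

Added illustration, not code from GTIG, iVerify or the article. The inventory
layout (name, os_version, lockdown_mode) is assumed; the sample rows are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Range stated in both reports: iOS 13 up to and including 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# The article's recommendation: iOS 17.3 or newer.
FIXED_MIN = (17, 3, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1' or '17.3' into a comparable (major, minor, patch) triple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(version: str) -> bool:
    """True when the version lies inside iOS 13 .. 17.2.1 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Device:
    name: str
    os_version: str
    lockdown_mode: bool


def classify(device: Device) -> str:
    """Bucket a device as patched, mitigated, exposed or below_range.

    'mitigated' means the OS is affected but Lockdown Mode is on, which the
    article reports makes the kit back off; it is a stopgap, not a fix.
    'below_range' is older than anything the reports list and still needs an
    update, but is not covered by the stated range.
    """
    v = parse_version(device.os_version)
    if v >= FIXED_MIN:
        return "patched"
    if v < AFFECTED_MIN:
        return "below_range"
    if device.lockdown_mode:
        return "mitigated"
    return "exposed"


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by classification so the exposed list is actionable."""
    report: dict[str, list[str]] = {
        "patched": [], "mitigated": [], "exposed": [], "below_range": []
    }
    for d in devices:
        report[classify(d)].append(d.name)
    return report


# Constructed sample inventory (not real devices).
SAMPLE = [
    Device("exec-iphone", "17.2.1", False),
    Device("finance-ipad", "17.3", False),
    Device("field-iphone", "16.7.2", True),
    Device("legacy-iphone", "12.5.7", False),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run it against an export from your MDM in place of SAMPLE; the "exposed" bucket is the update queue, and "mitigated" devices should still be scheduled for the 17.3 or newer update since Lockdown Mode only causes the kit to back off rather than closing the underlying bugs.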
Coruna might have began life as a surveillance exploit package, however by the point it reached the Chinese language gang, it was closely centered on monetary and bitcoin pockets theft. By late 2025, GTIG discovered Coruna’s JavaScript framework on faux Chinese language web sites. A faux WEEX crypto change web site, for instance, makes an attempt to influence non-iOS guests to return on an iPhone or iPad gadget.
This technique serves two functions. Visiting a crypto change signifies the customer’s potential possession of crypto wallets, whereas visiting with an iOS gadget ends in rapid supply of the exploit package through a hidden iFrame.
Utilizing this course of, GTIG was capable of retrieve all of the obfuscated exploits, together with the ending payloads. GTIG additionally discovered the debug model of the exploit package, leaving all the exploits within the clear and together with their inside code names – which is the place it found the exploit package had been named Coruna internally.
In February of this yr, iVerify additionally discovered a suspicious web site (mxbc-v2[.]tjbjdod[.]cn), and found a web page internet hosting a set of exploits. It extracted as a lot of the exploits and implants because it might. “The obtained 1-click exploit chain consists of Distant Code Execution (RCE) in Safari and a Native Privilege Escalation (LPE) exploit permitting attackers to take management over contaminated units,” it experiences.
At this stage, iVerify referred to as the exploit package CryptoWaters because it contained a set of modules focused at cryptocurrency wallets and deployed as a waterhole assault. This was the identical assault methodology utilized by the Russian actors in opposition to Ukrainian customers. The faux WEEX web site found by GTIG was seemingly one in every of these waterhole websites, however the package is not focused at Ukrainians – quite at anybody and everybody utilizing an iOS gadget.
Additional evaluation of this exploit package is ongoing by each iVerify and GTIG, and each corporations intend to publish extra particulars sooner or later. For now, essentially the most full understanding exterior of the researchers themselves is more likely to come from combining the insights from these two corporations.
Each experiences present prolonged and completely different lists of IOCs.