TLDR
- Google uncovers Coruna exploit kit targeting iPhones for crypto theft.
- Toolkit hits iOS 13–17.2.1 using WebKit and fingerprinting exploits.
- Attackers reuse exploits in espionage and large-scale cybercrime.
- Malware hunts wallets, QR codes, and Apple Notes for sensitive data.
- Users urged to update iOS or enable Lockdown Mode immediately.
Google has identified a sophisticated iPhone exploit kit that targets devices running iOS 13 through iOS 17.2.1. Google’s Threat Intelligence Group reported that attackers used the exploit framework to steal cryptocurrency wallet data and financial information. Google also warned that multiple threat actors now deploy the toolkit in espionage operations and large cybercrime campaigns.
Google tracks spread of Coruna exploit kit across threat actors
Google’s Threat Intelligence Group discovered the exploit kit during investigations into targeted surveillance operations in early 2025. Google analysts observed attackers deploying the toolkit through a custom JavaScript framework designed to fingerprint iPhone devices. The framework identified device models and software versions before delivering tailored exploit chains.
Google later connected the same exploit framework to watering-hole attacks that targeted Ukrainian users. The malicious code appeared on compromised websites and loaded through hidden iframes that activated when victims used iPhones. Google analysts linked those attacks to a suspected Russian espionage group tracked as UNC6353.
Google then discovered the same exploit kit operating on large networks of fraudulent Chinese financial websites. Those sites attempted to lure users with cryptocurrency trading and gambling services that appeared legitimate. Google’s investigation found that financially motivated hackers later reused the toolkit in broad cybercrime campaigns.
Google analysis shows exploit chains targeting multiple iOS versions
Google reported that the Coruna framework contains five full exploit chains and twenty-three individual vulnerabilities. The toolkit can compromise iPhones running operating systems between iOS 13 and iOS 17.2.1. Google analysts confirmed that attackers exploited WebKit browser vulnerabilities to execute malicious code on targeted devices.
The exploit framework also includes methods to bypass security protections such as pointer authentication safeguards. After initial access, attackers deploy encrypted binary payloads designed to load additional components into the operating system. Google researchers documented the use of a custom loader that injects code into the iOS power management process.
Google also reported that the exploit kit avoids devices running Lockdown Mode or private browsing sessions. The toolkit uses fingerprinting techniques to ensure that it targets genuine iPhone devices. Google’s analysis showed that attackers carefully designed the framework to deliver precise exploit chains for each device.
Google warns exploit malware searches devices for crypto wallet data
Google researchers found that the final malware payload focuses on collecting financial information stored on infected devices. The malware scans files and images for cryptocurrency wallet recovery phrases and banking references. Google reported that the code searches for BIP39 seed phrases and related wallet backup terms.
The malicious software can also analyze images stored on the device to detect QR codes containing wallet information. After finding sensitive data, the malware sends the information back to attacker-controlled command servers. Google analysts noted that the malware also searches Apple Notes for phrases related to bank accounts or recovery keys.
Google confirmed that the exploit kit no longer works on the newest iOS releases. However, Google urged users to update devices immediately if they run older operating systems. The company also recommended enabling Lockdown Mode when updates are not possible to reduce exposure to future exploitation.
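The update-or-Lockdown-Mode advice above, applied to a device inventory, as an added example that is not from Google's report or from this article. The CSV columns, device names and action labels are assumptions made for illustration; the affected range is the one the article states, and the code relies on Lockdown Mode having first shipped in iOS 16, so older devices have no fallback short of updating.

```python
import csv
import io

# Affected range as stated in the article: iOS 13 through iOS 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# Lockdown Mode first shipped in iOS 16; older releases cannot enable it.
LOCKDOWN_MIN = (16, 0, 0)

# Constructed sample inventory; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device,ios_version,lockdown_mode
alice-iphone,17.2.1,off
bob-iphone,17.3,off
carol-iphone,15.8,off
dave-iphone,16.7.2,on
erin-iphone,17.10,off
frank-iphone,unknown,off
"""

def parse_version(text):
    """Turn '17.2' into (17, 2, 0); return None when the string is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(row):
    """Return a recommended action (hypothetical labels) for one inventory row."""
    version = parse_version(row["ios_version"])
    if version is None:
        return "verify-manually"          # never assume an unparsed version is safe
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-stated-range"     # numeric compare: 17.10 is newer than 17.2.1
    if row["lockdown_mode"].strip().lower() == "on":
        return "update-when-possible"     # the article says the kit avoids Lockdown Mode
    if version < LOCKDOWN_MIN:
        return "update-now"               # no Lockdown Mode fallback before iOS 16
    return "update-or-enable-lockdown"

def triage_inventory(csv_text):
    """Map each device name in the CSV text to its recommended action."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: triage(row) for row in reader}

if __name__ == "__main__":
    for device, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:14} {action}")
```

Comparing versions as integer tuples matters here: a plain string comparison would sort 17.10 below 17.2.1 and wrongly place it inside the affected range.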





