CRITICAL | Attacks | SecurityWeek

Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks

The "Coruna" exploit kit is a sophisticated, nation-state-grade collection of iOS exploits delivered via watering hole attacks and malicious websites using hidden iFrames, targeting financial theft and surveillance. It affects iOS versions 13.0 through 17.2.1. The primary mitigation is to upgrade devices to iOS 17.3 or newer; for devices that cannot be updated, enabling Lockdown Mode or using private browsing will cause the kit to abort its attack.
Read Full Article →

Google and iVerify analysis reveals a powerful exploit kit originally used by Russian state actors that is now appearing in broader criminal campaigns.

By Kevin Townsend | March 4, 2026 (11:04 PM ET)

Multiple iOS exploits and five exploit chains have been found in a single exploit kit once used by Russian state actors against Ukrainians. Separate reports analyzing the same iOS threat were published on the same day by Google Threat Intelligence Group (GTIG) and iVerify.

GTIG first came across the threat in February 2025. It later learned, after discovering the full code, that the developers called the kit Coruna. iVerify came across the same exploit kit independently and has spent several weeks conducting its own technical analysis.

Both reports describe Coruna as an exploit kit containing 23 exploits across five full exploit chains targeting iOS 13 through 17.2.1. GTIG says its technical value lies in the more advanced exploits “using non-public exploitation techniques and mitigation bypasses.” iVerify adds that this is the first time mass exploitation against iOS devices has been observed in public. It describes Coruna as a nation-state grade iOS exploit kit now also in the hands of mass-scale criminal operations.

This is not fanciful. GTIG’s longer period of tracking confirms sightings initially from a customer of a commercial surveillance vendor, subsequent use of the same kit in watering hole attacks by UNC6353 (a suspected Russian state-sponsored espionage group) against Ukrainian users, and later in a wider campaign by UNC6691 (a financially motivated criminal group operating out of China).

Coruna is powerful and sophisticated in both purpose and design. But it is not effective against the latest versions of iOS. The easiest defense is to ensure your iPhone is running iOS 17.3 or newer.
“In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.” But it’s not just for the sake of Lockdown’s enhanced security: GTIG’s code analysis found the kit backs out of the device if it is in Lockdown Mode, or if the user is in private browsing.

Coruna may have started life as a surveillance exploit kit, but by the time it reached the Chinese gang it was heavily focused on financial and bitcoin wallet theft. By late 2025, GTIG found Coruna’s JavaScript framework on fake Chinese websites. A fake WEEX crypto exchange site, for example, attempts to persuade non-iOS visitors to return on an iPhone or iPad. This serves two purposes: visiting a crypto exchange indicates the visitor’s potential ownership of crypto wallets, while visiting with an iOS device results in immediate delivery of the exploit kit via a hidden iFrame.

Using this process, GTIG was able to retrieve all the obfuscated exploits, including the final payloads. GTIG also found the debug version of the exploit kit, leaving all of the exploits in the clear and including their internal code names, which is where it discovered the kit had been named Coruna internally.

In February of this year, iVerify also found a suspicious website (mxbc-v2[.]tjbjdod[.]cn) hosting a page with a set of exploits. It extracted as much of the exploits and implants as it could. “The obtained 1-click exploit chain consists of Remote Code Execution (RCE) in Safari and a Local Privilege Escalation (LPE) exploit allowing attackers to take control over infected devices,” it reports. At this stage, iVerify called the exploit kit CryptoWaters, since it contained a set of modules targeted at cryptocurrency wallets and was deployed as a watering hole attack, the same methodology used by the Russian actors against Ukrainian users.
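The iOS user-agent gating and hidden-iFrame delivery described above are the two page-level traces a defender can look for when triaging a suspected watering hole site. The following scanner is an added example, not code from the article or from GTIG or iVerify; the HTML it inspects is a constructed sample with placeholder URLs, and the heuristics (zero-size or CSS-hidden iframes, a script that tests navigator.userAgent for iPhone/iPad) are assumptions about how such pages are typically built:

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the GTIG/iVerify reports): a visible iframe, two hidden
# loader iframes, and a script nudging non-iOS visitors to return on an iPhone.
SAMPLE_HTML = """<html><body>
<script>if(!/iPhone|iPad/.test(navigator.userAgent)){msg.textContent='Open on iPhone';}</script>
<iframe src="https://cdn.example/player" width="640" height="360"></iframe>
<iframe src="https://loader.invalid/e.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://loader.invalid/s.html" style="position:absolute;display:none"></iframe>
</body></html>"""

_CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# A user-agent test that mentions iPhone/iPad, in either order within one statement.
_UA_GATE = re.compile(r"(?:iPhone|iPad)[^;]{0,80}navigator\.userAgent|navigator\.userAgent[^;]{0,80}(?:iPhone|iPad)")

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class WateringHoleScanner(HTMLParser):
    """Collects iframes a visitor cannot see and notes scripts that gate on an iOS user agent."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []   # list of (src, [reasons])
        self.ua_gating = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size")
            if _CSS_HIDDEN.search(a.get("style") or ""):
                reasons.append("css-hidden")
            if reasons:
                self.hidden_iframes.append((a.get("src", ""), reasons))

    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False

    def handle_data(self, data):
        if self._in_script and _UA_GATE.search(data): self.ua_gating = True

def scan_page(html):
    """Return (hidden iframe findings, True if iOS user-agent gating was seen)."""
    s = WateringHoleScanner(); s.feed(html)
    return s.hidden_iframes, s.ua_gating
```

A page that both hides an iframe and steers non-iOS visitors away is worth pulling apart offline; a single hidden iframe on its own is common in benign analytics and needs corroboration.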
The fake WEEX site discovered by GTIG was likely one of these watering hole sites, but the kit is no longer targeted at Ukrainians; rather, at anyone and everyone using an iOS device. Further analysis of this exploit kit is ongoing by both iVerify and GTIG, and both firms intend to publish more details in the future. For now, the most complete understanding outside of the researchers themselves is likely to come from combining the insights from these two firms. Both reports provide lengthy and different lists of IOCs.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.