Coruna iOS Exploit Kit Threatens Mobile & Wireless Users
Google and iVerify have uncovered a sophisticated iOS exploit kit, Coruna, originally developed by Russian state actors and now repurposed for global criminal campaigns. This tool, containing 23 exploits across five chains, targets iOS versions 13 through 17.2.1, highlighting critical vulnerabilities in mobile & wireless ecosystems.
Origins and Evolution of Coruna
First detected by Google in February 2025, Coruna was initially used by Russian state-sponsored groups like UNC6353 against Ukrainian users. By late 2025, it had transitioned to financially motivated actors in China, such as UNC6691, who leveraged it for cryptocurrency wallet theft. iVerify later identified the same kit under the name CryptoWaters, emphasizing its shift from surveillance to mass exploitation.
How Coruna Works
Coruna employs watering hole attacks, luring users to fake websites (e.g., a counterfeit WEEX crypto exchange) to deliver exploits via hidden iFrames. Once triggered, the kit uses Remote Code Execution (RCE) and Local Privilege Escalation (LPE) to compromise devices. Researchers found debug versions of the kit, revealing internal code names and exploit chains targeting iOS 13–17.2.1.
Protecting Your Mobile & Wireless Devices
- Update iOS: Upgrade to iOS 17.3 or newer to block Coruna’s exploits.
- Enable Lockdown Mode: This feature prevents exploit delivery and is automatically detected by Coruna.
- Avoid Suspicious Sites: Refrain from visiting untrusted crypto or financial websites.
Why This Matters for Mobile & Wireless Security
Coruna’s transition from nation-state tools to criminal use underscores the growing threat to mobile & wireless users. Its ability to bypass advanced iOS protections highlights the need for proactive security measures. Both Google and iVerify are continuing their analysis, with plans to release further details on indicators of compromise (IOCs) and mitigation strategies.
Conclusion and Call to Action
Stay vigilant: Ensure your iOS devices are updated and enable Lockdown Mode if you suspect exposure. For deeper insights, follow ongoing research from Google and iVerify as they unravel more about Coruna’s capabilities.
FAQs
How does the Coruna iOS exploit kit affect Mobile & Wireless users?
Coruna targets iOS devices via watering hole attacks, exploiting vulnerabilities in older iOS versions to steal cryptocurrency and personal data.
Can Lockdown Mode prevent Coruna attacks?
Yes, Lockdown Mode blocks exploit delivery and is automatically detected by Coruna, preventing further compromise.
Why is iOS 17.3 critical for security?
iOS 17.3 includes patches for vulnerabilities exploited by Coruna, making it the most effective defense against this threat.
What are watering hole attacks?
These attacks lure users to compromised websites, where exploits are delivered automatically. Coruna uses this method to target iOS users globally.
How can I check if my iOS device is vulnerable?
Review your iOS version in Settings > General > About. If it’s older than 17.3, update immediately to protect against known exploits.








