New Exploit Kit Discovered Targeting iPhone Users
Threat analysts at Google have identified a newly disclosed exploit kit aimed specifically at Apple iPhone users, built primarily to steal cryptocurrency wallet seed phrases.
Dubbed “Coruna” by its creators, the kit targets iPhones running iOS versions 13.0 through 17.2.1.
It contains “five comprehensive iOS exploit chains along with a total of 23 exploits,” several of which had not previously been disclosed, the Google Threat Intelligence Group (GTIG) reported earlier this week.
The exploit kit was first discovered in February 2025, and GTIG has since observed its deployment by a suspected Russian espionage group against Ukrainian entities.
The kit has also appeared on counterfeit Chinese cryptocurrency websites designed to steal information.
According to GTIG, the exploit kit is ineffective against the latest iOS version; GTIG therefore strongly urges iPhone users to keep their devices updated with the most current software.
Where upgrading is not feasible, users should enable “Lockdown Mode,” a measure Apple advises for thwarting advanced attacks.
Kit Exploits Cryptocurrency Through Deceptive Websites
In its analysis, GTIG discovered components of an iOS exploit in February 2025, when a client of a surveillance company used JavaScript to fingerprint devices and then deliver the matching exploit.
Later that year, the same JavaScript framework was detected on numerous compromised Ukrainian websites, which served it only to selected iPhone users based on specific geolocations.
GTIG then reported finding the same framework in December on a large number of fraudulent Chinese websites, most of them related to financial transactions, including a site mimicking the cryptocurrency exchange WEEX.
When users visit these websites on iOS devices, the framework deploys the exploit kit, which searches for financial data, in particular messages that contain seed phrases or keywords like “backup phrase” and “bank account.”
The Coruna kit also looks for popular cryptocurrency applications, including Uniswap and MetaMask, in its search for sensitive information.
Debate Over Coruna’s Possible US Intelligence Origins
Notably, GTIG refrained from identifying the surveillance company client from which the exploit kit purportedly originated. However, mobile security firm iVerify suggested to WIRED that it may have been developed or acquired by the US government.
“It’s exceptionally sophisticated, requiring millions of dollars to create, and shows resemblance to other modules publicly attributed to entities within the US government,” remarked iVerify co-founder Rocky Cole to WIRED.
“This marks the inaugural instance we’ve seen of what is likely US government tools—based on our analysis of the code—spiraling out of control and falling into the hands of both adversaries and cybercriminal factions.”

Conversely, a principal security researcher from Kaspersky informed The Register that their analysis found “no substantial evidence of actual code reuse in the reports available for attributing Coruna to the same developers.”
Source link: Tradingview.com.






