New Coruna iOS exploit kit deployed in espionage and crypto theft campaigns

A new iOS exploit kit called Coruna has been leveraged by both a suspected Russian espionage group and a Chinese cybercrime gang, according to the Google Threat Intelligence Group (GTIG).

Researchers say the toolkit was originally built by an unnamed surveillance vendor. It contains 23 exploits grouped into five exploit chains and can target iPhones running iOS 13.0 through iOS 17.2.1 (released in December 2023).

GTIG first observed Coruna in early 2025 during highly targeted attacks carried out by a customer of the surveillance vendor. By summer 2025, the same toolkit appeared in watering hole attacks against Ukrainian users. The activity was linked to UNC6353, a suspected Russian state-backed group. The malicious code was hidden inside compromised Ukrainian websites and delivered through a hidden iFrame.

Only selected iPhone users in certain locations received the exploit. The attackers used a custom JavaScript framework that checked whether the visitor was using a real iPhone and collected details such as the device model and iOS version. Based on that information, it delivered the correct WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass.

The exploits used by the kit include CVE-2024-23222, CVE-2022-48503 and CVE-2023-43000. CVE-2024-23222 was patched by Apple on January 22, 2024, in iOS 17.3; the flaw had previously been exploited as a zero-day.

Near the end of 2025, GTIG discovered the same exploit kit on hundreds of fake Chinese finance and gambling websites. The activity was linked to UNC6691, a financially motivated threat group operating from China.

Unlike the Ukrainian campaign, the websites targeted iPhone users globally. When accessed from an iOS device, a hidden iFrame automatically delivered the exploit kit.
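Both campaigns described here rely on an iframe the visitor never sees. As an added example (not from the report or from GTIG's research), the stdlib-only Python check below is the kind of integrity test a site owner can run over their own pages to flag iframes hidden by common CSS or attribute tricks; the sample HTML and the `.example` domains are constructed, and every hit still needs a human review, since hidden iframes also have legitimate uses.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate embed plus two injected, hidden frames.
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://stats.example/c.html" style="display: none"></iframe>
<iframe src="//cdn.example/x.html" width="0" height="0" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

# Inline-CSS patterns matched against a whitespace-stripped, lower-cased style attribute.
CSS_HIDING = [
    (r"display:none", "display:none"),
    (r"visibility:hidden", "visibility:hidden"),
    (r"opacity:0(?:\.0+)?(?:;|$)", "opacity:0"),                # opacity:0 but not opacity:0.5
    (r"(?:^|;)(?:left|top):-\d{3,}", "positioned off-screen"),  # pushed 100+ px off the page
]

def _dimension(attrs, style, dim):
    """Pixel width/height from the HTML attribute or inline CSS, or None if not declared."""
    m = re.match(r"\d+", attrs.get(dim, "")) or re.search(rf"(?:^|;){dim}:(\d+)", style)
    return int(m.group(m.lastindex or 0)) if m else None

def hidden_reasons(attrs):
    """Return the hiding heuristics an iframe's attributes match (empty means visible)."""
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())  # 'display : none' -> 'display:none'
    reasons = ["hidden attribute"] if "hidden" in attrs else []
    reasons += [label for pat, label in CSS_HIDING if re.search(pat, style)]
    for dim in ("width", "height"):  # zero- or one-pixel frames
        size = _dimension(attrs, style, dim)
        if size is not None and size <= 1:
            reasons.append(f"{dim} {size}px")
    return reasons

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs -> ""
            reasons = hidden_reasons(a)
            if reasons:
                self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return one finding per iframe that matches at least one hiding heuristic."""
    p = _IframeCollector()
    p.feed(html)
    return p.findings

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f"{f['src']}: {', '.join(f['reasons'])}")
```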

Researchers said they recovered hundreds of samples covering five full iOS exploit chains. The exploit kit also delivered a second-stage payload able to scan images on the device for QR codes, search for keywords such as “backup phrase” and “bank account”, and steal data from cryptocurrency wallet apps, including MetaMask and BitKeep.

According to researchers at mobile security firm iVerify, who also analyzed the toolkit, it is unclear how the exploit kit moved from a surveillance vendor’s customer to multiple threat groups. However, the case suggests there may be an active market for reused or “second-hand” zero-day exploits.
