ACCORDING to Google Threat Intelligence Group (GTIG) and iVerify, a nation-state iOS exploit kit named Coruna has moved from targeted Ukrainian users to broader criminal campaigns, with GTIG first encountering the threat in February 2025. The two analyses describe Coruna as containing 23 exploits across five full exploit chains aimed at iOS 13 through 17.2.1, and note its more advanced techniques and mitigation bypasses.
GTIG’s and iVerify’s findings also detail waterhole activity linked to Coruna, including attacks associated with UNC6353 and UNC6691, described as a suspected Russian state‑sponsored espionage group and a Chinese criminal group, respectively. The kit is described as powerful and sophisticated yet not effective against the latest iOS versions, with defence pointers urging iPhones to run iOS 17.3 or newer, and recommending enabling Lockdown Mode where updates are not possible.
The analysis also traces a shift from surveillance‑style origins to financial and cryptocurrency wallet theft, including a fake WEEX crypto exchange site used to deliver the exploit kit. 4 March 2026.