A sophisticated exploit kit capable of compromising Apple iPhones running iOS versions 13.0 through 17.2.1 has been uncovered by cybersecurity researchers, according to GTIG. The toolkit, internally named Coruna, includes five full exploit chains and 23 vulnerabilities designed to infiltrate devices and extract sensitive financial data.
Initially observed in early 2025, it was linked to a customer of a commercial surveillance vendor and later tracked in highly targeted attacks against Ukrainian users attributed to a suspected Russian espionage group known as UNC6353. By late 2025, the same framework reappeared in broader campaigns tied to a financially motivated actor operating from China, tracked as UNC6691, with exploits distributed through fake financial and cryptocurrency websites to lure iPhone users.
The researchers noted a loader called PlasmaLoader that installs itself in a system process to deliver the final stage after the initial browser exploit, focusing on scanning for QR codes and cryptocurrency wallet phrases to transmit data to attacker-controlled servers. Google has added related malicious domains to Safe Browsing and recommends updating to the newest software or enabling Lockdown Mode where updates are not possible.