Executive Summary
In early 2025, the Coruna exploit kit emerged as a sophisticated tool targeting Apple iOS devices, leveraging 23 vulnerabilities across five exploit chains to compromise devices running iOS versions 13.0 through 17.2.1. Initially utilized by a surveillance vendor's client, it was later deployed by Russian state-backed group UNC6353 in mid-2025 and by Chinese financially motivated actor UNC6691 by late 2025, leading to significant data breaches and financial losses. (bleepingcomputer.com)
The Coruna exploit kit's evolution underscores the escalating sophistication of cyber threats targeting mobile devices, highlighting the critical need for timely security updates and robust defense mechanisms to protect sensitive user data and maintain device integrity.
Why This Matters Now
The Coruna exploit kit's widespread use by multiple threat actors in 2025 highlights the urgent need for organizations and individuals to update their iOS devices to the latest versions to mitigate potential security risks.
Attack Path Analysis
The Coruna exploit kit was initially deployed by a surveillance vendor's customer in early 2025, targeting iOS devices through sophisticated exploit chains. Subsequently, Russian espionage group UNC6353 utilized the kit in mid-2025 to compromise Ukrainian websites, leading to the infection of iPhone users. Later in 2025, Chinese threat actor UNC6691 employed Coruna on fake gambling and cryptocurrency sites to steal financial information from victims' devices. The attackers established command and control channels to exfiltrate sensitive data, including cryptocurrency wallet credentials. The impact was significant, with thousands of iOS devices compromised, leading to substantial financial losses and privacy breaches.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerabilities in iOS devices through malicious websites, leading to remote code execution.
Related CVEs
CVE-2023-41974
CVSS 7.8A use-after-free issue in the Kernel allows an app to execute arbitrary code with kernel privileges.
Affected Products:
Apple iOS – < 17.0
Apple iPadOS – < 17.0
Exploit Status:
exploited in the wildCVE-2024-23222
CVSS 8.8A type confusion issue in WebKit allows processing of maliciously crafted web content to lead to arbitrary code execution.
Affected Products:
Apple iOS – < 17.3
Apple iPadOS – < 17.3
Exploit Status:
exploited in the wildCVE-2023-43000
CVSS 8.8A use-after-free issue in WebKit allows processing of maliciously crafted web content to lead to memory corruption.
Affected Products:
Apple iOS – < 16.6
Apple iPadOS – < 16.6
Apple macOS – < 13.5
Apple Safari – < 16.6
Exploit Status:
exploited in the wildCVE-2023-43010
CVSS 8.8A memory handling issue in WebKit allows processing of maliciously crafted web content to lead to memory corruption.
Affected Products:
Apple iOS – < 17.2
Apple iPadOS – < 17.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Exploitation for Client Execution
Exploitation for Privilege Escalation
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: JavaScript
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value cryptocurrency theft targets via Coruna exploit kit on gambling/crypto websites expose financial institutions to client asset loss and regulatory compliance violations.
Government Administration
CISA mandated federal agency iOS patching by March 26 due to suspected Russian state-backed cyberespionage attacks targeting government officials and sensitive information.
Gambling/Casinos
Direct targeting through fake gambling websites delivering Coruna exploit payloads creates immediate operational risk and customer financial data exposure for gaming operators.
Computer/Network Security
Zero-day exploit kit targeting older iOS devices requires immediate security vendor response, threat intelligence updates, and enhanced mobile device management solutions.
Sources
- Apple patches older iPhones and iPads against Coruna exploitshttps://www.bleepingcomputer.com/news/apple/apple-patches-older-iphones-and-ipads-against-coruna-exploits/Verified
- About the security content of iOS 15.8.7 and iPadOS 15.8.7https://support.apple.com/en-us/126632Verified
- About the security content of iOS 16.7.15 and iPadOS 16.7.15https://support.apple.com/en-us/126646Verified
- CISA warns feds to patch iOS flaws exploited in crypto-theft attackshttps://www.bleepingcomputer.com/news/security/cisa-warns-of-apple-flaws-exploited-in-spyware-crypto-theft-attacks/Verified
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attackshttps://www.bleepingcomputer.com/news/security/spyware-grade-coruna-ios-exploit-kit-now-used-in-crypto-theft-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attackers' ability to exploit vulnerabilities, escalate privileges, and exfiltrate sensitive data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely have constrained the attacker's ability to exploit vulnerabilities by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have restricted the attacker's ability to escalate privileges by enforcing least-privilege access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have constrained lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have limited the attacker's ability to establish command and control channels by providing comprehensive monitoring and policy enforcement.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have restricted data exfiltration by controlling outbound traffic and enforcing data loss prevention policies.
The implementation of CNSF controls would likely have reduced the overall impact by limiting the attacker's reach and ability to exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Mobile Device Security
- Data Protection
- User Privacy
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data, including cryptocurrency wallet information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement inline intrusion prevention systems (IPS) to detect and block exploit attempts targeting known vulnerabilities.
- • Enforce zero trust segmentation to limit lateral movement within networks, reducing the potential spread of infections.
- • Utilize egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Deploy threat detection and anomaly response mechanisms to identify and respond to suspicious activities promptly.
- • Ensure all devices and systems are regularly updated to patch known vulnerabilities and reduce the attack surface.
