Executive Summary
In February 2025, Google's Threat Intelligence Group (GTIG) identified 'Coruna,' a sophisticated iOS exploit kit comprising 23 vulnerabilities across five exploit chains, targeting devices running iOS 13 through 17.2.1. Initially deployed by a surveillance vendor for government clients, Coruna was later utilized by Russian state actors in espionage campaigns against Ukrainian users. By December 2025, the exploit kit had proliferated to financially motivated Chinese cybercriminals, who employed it to steal cryptocurrency from over 42,000 iOS devices via malicious websites. This rapid transition from state-sponsored espionage to widespread financial crime underscores the growing commercialization and accessibility of nation-state-level cyber tools. The Coruna incident highlights the urgent need for organizations to stay vigilant against advanced threats, as sophisticated exploit kits once exclusive to government entities are increasingly available to cybercriminals, posing significant risks to both individuals and enterprises.
Why This Matters Now
The Coruna exploit kit's rapid transition from state-sponsored espionage to widespread financial crime underscores the growing commercialization and accessibility of nation-state-level cyber tools. This trend poses significant risks to both individuals and enterprises, necessitating heightened vigilance and proactive cybersecurity measures.
Attack Path Analysis
The Coruna exploit kit, initially developed for nation-state surveillance, was repurposed by various threat actors to target iOS devices. Attackers exploited multiple zero-day vulnerabilities to gain initial access, escalated privileges to execute arbitrary code, moved laterally within the device to access sensitive data, established command and control channels, exfiltrated data such as cryptocurrency wallet information, and ultimately impacted victims by draining their funds.
Kill Chain Progression
Initial Compromise
Description
Attackers utilized the Coruna exploit kit to exploit multiple zero-day vulnerabilities in iOS devices, gaining initial access without user interaction.
Related CVEs
CVE-2025-31277
CVSS 8.8A memory corruption vulnerability in JavaScriptCore allows remote attackers to execute arbitrary code on affected iOS devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wildCVE-2025-43529
CVSS 8.8A memory corruption vulnerability in JavaScriptCore allows remote attackers to execute arbitrary code on affected iOS devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wildCVE-2026-20700
CVSS 7.8A user-mode pointer authentication code bypass in dyld allows attackers to execute arbitrary code with kernel privileges on affected iOS devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wildCVE-2025-14174
CVSS 8.8A memory corruption vulnerability in ANGLE allows remote attackers to execute arbitrary code on affected iOS devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wildCVE-2025-43510
CVSS 7.8A kernel memory management flaw in iOS allows attackers to execute arbitrary code with kernel privileges on affected devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wildCVE-2025-43520
CVSS 7.1A kernel memory corruption vulnerability in iOS allows attackers to execute arbitrary code with kernel privileges on affected devices.
Affected Products:
Apple iOS – 18.4, 18.5, 18.6, 18.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Obtain Capabilities: Malware
Develop Capabilities: Malware
Valid Accounts
Exploitation for Client Execution
Command and Scripting Interpreter
Indicator Removal on Host
Phishing
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Nation-state exploit kits democratization creates severe risks for financial infrastructure, with advanced persistent threats targeting encryption capabilities and zero trust implementations.
Health Care / Life Sciences
Commercialized nation-state malware threatens HIPAA compliance through lateral movement attacks and data exfiltration capabilities targeting medical systems and patient data.
Government Administration
Dark web availability of state-sponsored tools significantly increases attack surface for government agencies lacking advanced threat detection and segmentation capabilities.
Telecommunications
Critical infrastructure vulnerability to democratized nation-state exploits targeting encrypted traffic inspection and east-west network security controls like Salt Typhoon incidents.
Sources
- Coruna, DarkSword & Democratizing Nation-State Exploit Kitshttps://www.darkreading.com/endpoint-security/coruna-darksword-democratizing-nation-state-exploit-kitsVerified
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alikehttps://www.darkreading.com/threat-intelligence/darksword-iphone-exploit-spies-thieves/Verified
- How RomCom became a multipurpose cyberweaponhttps://www.techradar.com/pro/how-romcom-became-a-multipurpose-cyberweaponVerified
- Microsoft: Nation-state activity blurring with cybercrimehttps://www.techtarget.com/searchsecurity/news/366613660/Microsoft-Nation-state-activity-blurring-with-cybercrimeVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit zero-day vulnerabilities, escalate privileges, move laterally, establish command and control channels, and exfiltrate sensitive data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit zero-day vulnerabilities may have been constrained, reducing the likelihood of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of elevated access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the device could have been constrained, reducing the reachability to sensitive data.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been restricted, reducing the attacker's ability to manage compromised devices remotely.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data may have been constrained, reducing the attacker's ability to transfer data to external servers.
The financial impact on victims could have been reduced, limiting the overall damage caused by the attack.
Impact at a Glance
Affected Business Functions
- Mobile Device Security
- Data Privacy Compliance
- Incident Response
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive personal and corporate data stored on compromised iOS devices.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to limit lateral movement within devices.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual activities.
- • Utilize Inline IPS (Suricata) to detect and prevent exploitation attempts.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- • Ensure regular updates and patch management to mitigate known vulnerabilities.
