Executive Summary
In 2025, the Coruna iOS exploit kit emerged as a sophisticated tool targeting iPhone users across multiple campaigns. Initially identified in February 2025, it was deployed by a surveillance vendor's customer. By summer, the same exploit kit was utilized by the Russian espionage group UNC6353 in watering hole attacks on Ukrainian websites. Later in the year, the financially motivated Chinese threat actor UNC6691 employed Coruna to compromise fake Chinese gambling and cryptocurrency sites. The kit comprises 23 exploits forming five full exploit chains, affecting iOS versions 13.0 through 17.2.1. These exploits enable remote code execution, sandbox escapes, and kernel privilege escalation, leading to unauthorized access and data exfiltration. (bleepingcomputer.com)
The proliferation of Coruna underscores a concerning trend: advanced exploit kits, possibly originating from state-sponsored entities, are increasingly accessible to a broader range of threat actors. This shift highlights the urgent need for organizations to stay vigilant, update their systems promptly, and implement robust security measures to mitigate the risks posed by such sophisticated tools. (wired.com)
Why This Matters Now
The Coruna exploit kit's transition from state-sponsored use to widespread criminal deployment exemplifies the rapid dissemination of advanced cyber tools. This evolution poses an immediate threat to organizations and individuals, emphasizing the critical importance of timely software updates and comprehensive security strategies to defend against such sophisticated attacks.
Attack Path Analysis
The Coruna iOS exploit kit was initially deployed via malicious websites, leading to device compromise through sophisticated exploit chains. Attackers escalated privileges by exploiting kernel vulnerabilities, enabling full control over the device. The malware then moved laterally within the device, accessing various applications and data stores. It established command and control channels to receive further instructions and modules. Sensitive data, including cryptocurrency wallet information, was exfiltrated to external servers. The impact resulted in financial theft and potential exposure of personal information.
Kill Chain Progression
Initial Compromise
Description
Users visiting malicious websites were targeted with the Coruna exploit kit, which fingerprinted devices and delivered tailored exploit chains to compromise iOS devices.
Related CVEs
CVE-2024-23222
CVSS 8.8A WebKit vulnerability that enables remote code execution on iOS 17.2.1.
Affected Products:
Apple iOS – 17.2.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Exploitation for Client Execution
Exploitation for Privilege Escalation
Application Layer Protocol
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to iOS cryptocurrency theft attacks targeting wallet apps like MetaMask, with sophisticated exploits bypassing encryption and segmentation controls for financial data exfiltration.
Capital Markets/Hedge Fund/Private Equity
High-risk spyware-grade mobile exploits threaten institutional cryptocurrency holdings and trading platforms, requiring enhanced egress security and zero trust network segmentation controls.
Computer/Network Security
Professional security organizations face sophisticated iOS exploit kits using non-public techniques, demanding advanced threat detection capabilities and multicloud visibility for comprehensive mobile security.
Government Administration
Nation-state grade surveillance tools migrated to criminal operations pose severe risks to government iOS devices, requiring immediate lockdown mode activation and compliance controls.
Sources
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attackshttps://www.bleepingcomputer.com/news/security/spyware-grade-coruna-ios-exploit-kit-now-used-in-crypto-theft-attacks/Verified
- Coruna: Powerful iOS Exploit Kithttps://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kitVerified
- iVerify: Coruna - Inside the Nation-State Grade iOS Exploit Kit We've Been Trackinghttps://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-trackingVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the malware's ability to move laterally, establish command channels, and exfiltrate sensitive data, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily secures cloud workloads, its principles could inform strategies to limit initial compromise vectors in cloud-hosted applications.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could limit the malware's ability to exploit kernel vulnerabilities by restricting access to critical system components.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could limit the malware's ability to move laterally within the device by monitoring and controlling internal communications.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could limit the malware's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could limit the malware's ability to exfiltrate sensitive data by enforcing strict outbound traffic policies.
Implementing Aviatrix Zero Trust CNSF principles could limit the attack's impact by reducing the malware's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Wallet Management
- Financial Transactions
- User Data Security
Estimated downtime: 7 days
Estimated loss: $500,000
Wallet recovery phrases (BIP39), sensitive text strings such as 'backup phrase' and 'bank account', and data stored in Apple Memos.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities in real-time.
- • Deploy Cloud Firewall (ACF) to enforce egress filtering and prevent unauthorized outbound connections.
- • Utilize Zero Trust Segmentation to limit lateral movement within the network by enforcing least privilege access.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Ensure Multicloud Visibility & Control to monitor and manage security policies across diverse cloud environments.
