From Spyware to Scams: The “Coruna” iOS Arsenal Exploiting 23 Vulnerabilities to Plunder iPhones
Google specialists have unearthed a potent suite of iPhone vulnerabilities that has covertly changed hands among disparate factions of threat actors over several years. This sophisticated instrument, dubbed Coruna, was initially deployed in targeted surveillance operations, subsequently weaponized in cyberespionage campaigns against users in Ukraine, and ultimately acquired by Chinese financial syndicates.
The Google Threat Intelligence Group analyzed Coruna in detail, uncovering an arsenal of five complete exploit chains and 23 distinct iOS vulnerabilities. The kit targets iPhones running firmware from iOS 13, released in September 2019, through iOS 17.2.1, released in December 2023. Notably, it incorporates previously undocumented evasion techniques that let it bypass iOS's built-in security mechanisms.
The lineage of Coruna is notably unorthodox, tracing a path through three distinct operational phases:
- Phase I: Commercial Surveillance (February 2025): Analysts intercepted a fragment of an attack chain wielded by a client of a commercial surveillance vendor. The malicious payload operated through a labyrinthine JavaScript framework, shrouded in profound obfuscation. The script initially harvested device telemetry, verifying the authenticity of the hardware, identifying the precise iPhone model, and ascertaining the iOS version. Subsequently, the command server dispatched a tailored WebKit exploit, coupled with a mechanism to bypass the Pointer Authentication Code (PAC) defenses. One such exploit weaponized CVE-2024-23222, a critical flaw that Apple formally patched in January 2024 with the release of iOS 17.3.
- Phase II: Cyberespionage (Summer 2025): Merely months later, this identical framework materialized within a disparate campaign. Threat actors injected the code into dozens of compromised Ukrainian websites, encompassing e-commerce storefronts, service providers, and online marketplaces. These web pages imperceptibly loaded a concealed iframe, strategically delivering exploits exclusively to targeted iPhone users residing within specific geographic enclaves. This orchestrated campaign was attributed to the UNC6353 syndicate.
- Phase III: Financial Racketeering (Late 2025): By the twilight of 2025, the Coruna apparatus resurfaced within an entirely novel operational theater. This iteration saw the malicious code disseminated across hundreds of fraudulent Chinese websites purporting to offer financial and cryptocurrency services. These deceptive portals cunningly persuaded visitors to access the domains specifically via an iPhone, seamlessly embedding a covert iframe to trigger the familiar cascade of exploits.
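Both the Ukrainian and the Chinese campaigns described above relied on a concealed iframe injected into otherwise legitimate pages. The following Python script is an added example, not code from Google's report or from the Coruna kit itself: it is the kind of check a website operator could run over saved page source to surface injected iframes that are hidden from the visitor, as well as inline scripts that build an iframe only when the browser's user agent identifies an iPhone. The heuristics, the sample HTML and the `.invalid` hostnames are constructed for the example.

```python
"""Hidden-iframe audit for website operators.

Added example, not tooling from Google or from the Coruna report: a check an
operator of a possibly compromised site could run over saved page source to
surface injected, concealed iframes and inline scripts that insert an iframe
only for iPhone visitors. Heuristic only; the sample HTML and the .invalid
hostnames below are constructed for the example.
"""
import re
from html.parser import HTMLParser

# CSS fragments that hide an element from the user while it still loads.
HIDDEN_STYLE_PATTERNS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),  # parked off-screen
)

# Inline script that tests the UA for "iPhone" and builds an iframe at runtime.
UA_GATE = re.compile(r"navigator\.userAgent", re.I)
IPHONE = re.compile(r"iPhone", re.I)
MAKES_IFRAME = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I)


def _is_tiny(value):
    """A width/height of 0 or 1 (bare or in px) renders the frame invisible."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.ua_gated_scripts = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if any(p.search(a.get("style") or "") for p in HIDDEN_STYLE_PATTERNS):
            reasons.append("hidden-by-style")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if "hidden" in a:
            reasons.append("hidden-attribute")
        if reasons:
            self.hidden_iframes.append({"src": a.get("src") or "", "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers a <script> body as a single data chunk.
        if (self._in_script and UA_GATE.search(data) and IPHONE.search(data)
                and MAKES_IFRAME.search(data)):
            self.ua_gated_scripts += 1


def audit_html(html):
    """Return hidden iframes and the count of UA-gated iframe-building scripts."""
    p = IframeAuditor()
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes, "ua_gated_scripts": p.ua_gated_scripts}


# Constructed sample: one legitimate embed, one injected zero-size frame, and
# one inline script that adds a frame only when the visitor's UA says iPhone.
SAMPLE_HTML = """<html><body>
<h1>Storefront</h1>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.example.invalid/l.html" width="0" height="0" style="display:none"></iframe>
<script>
if (/iPhone/.test(navigator.userAgent)) {
  var f = document.createElement('iframe');
  f.style.visibility = 'hidden';
  f.src = 'https://cdn.example.invalid/i.html';
  document.body.appendChild(f);
}
</script>
</body></html>"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    for finding in report["hidden_iframes"]:
        print("hidden iframe:", finding["src"], ",".join(finding["reasons"]))
    print("UA-gated iframe scripts:", report["ua_gated_scripts"])
```

Run it against page source captured from the server rather than from a browser, so that content served only to certain user agents or regions (as the article describes for the Ukrainian sites) can be compared across fetches; a frame that appears only for an iPhone user agent is itself a strong indicator.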
The architecture of this arsenal is intricate. The script terminates its own execution if the targeted device has Lockdown Mode enabled, or if the user reached the site via private browsing. The orchestration of component downloads relies on a specialized cookie beacon and on deriving download addresses from SHA-256 hashes.
Following the triumphant execution of the WebKit vulnerability, a binary loader is awakened, meticulously selecting the optimal attack chain tailored to the specific hardware. The ultimate payload is sequestered in an encrypted state, ingeniously masquerading as benign JavaScript files.
Once full control of the device is obtained, the PlasmaLoader component is launched. It injects itself into the powerd system process and runs with that process's elevated privileges.
Subsequent telemetry definitively revealed that the ultimate objective of these later incursions was not mere surveillance, but rather the wholesale plunder of financial assets:
- Data Harvesting: The malicious module scours the device for images containing QR codes and parses textual documents. It hunts for BIP39 cryptocurrency wallet recovery phrases, or telltale keywords such as "backup phrase" and "bank account." Should such data be found within Apple Notes, the malware immediately exfiltrates it to the command-and-control server.
- Application Interception: Furthermore, the apparatus is capable of downloading ancillary modules engineered to intercept the operations of widely used cryptocurrency applications, notably including MetaMask, Trust Wallet, Exodus, and Phantom. The operational logs generated by these modules are written in Chinese, providing a compelling circumstantial indicator of the operators' origins.
According to Google’s observations, the Coruna saga exemplifies how sophisticated intrusion instruments are gradually disseminated among disparate threat syndicates. The evolutionary trajectory of this vulnerability suite strongly hints at the existence of a thriving subterranean bazaar where exorbitant zero-day exploits are relentlessly brokered and resold.
Fortunately, the Coruna suite is ineffective against the latest versions of iOS. iPhone owners are strongly urged to install the most current system updates available. Where updating is not feasible, security practitioners advise enabling Lockdown Mode, a defensive posture that severely constrains the viability of such attacks and, as noted above, causes this particular kit to abort.