
Inside Coruna: the exploit kit chaining 23 iOS vulnerabilities to hack older iPhones

A powerful exploit kit called Coruna targeted thousands of iPhones by chaining 23 vulnerabilities across older iOS versions. Researchers warn the toolkit moved from surveillance operations into cybercrime, exposing crypto wallets and sensitive data.

Harsh Sharma

Most iPhone users assume their devices are difficult to hack. Apple’s security model has historically made large-scale compromises rare. However, researchers recently uncovered a toolkit that shows how quickly that protection can erode once advanced exploits circulate.


Google’s Threat Intelligence Group (GTIG) has identified a sophisticated exploit framework called Coruna that targeted iPhones running iOS 13 through iOS 17.2.1. The toolkit includes 23 vulnerabilities combined into five separate exploit chains, giving attackers multiple paths to compromise devices.

In many cases, the attack begins with a malicious webpage. When a victim visits the page, hidden scripts analyze the device and determine the iPhone model and iOS version. The site then delivers the appropriate exploit chain tailored to that specific device.

These chains rely on several techniques working together, including:

  • WebKit remote code execution, triggered through Safari

  • Pointer Authentication Code (PAC) bypasses, which defeat newer iOS protections

  • Sandbox escapes and privilege escalation, used to gain deeper system access

  • Page Protection Layer (PPL) bypasses, targeting kernel-level defenses


When combined, these exploits allow attackers to move from a simple webpage visit to deep system control.


Tracking the exploit kit across three campaigns

Researchers observed Coruna moving through three different threat environments during 2025, offering a rare look at how advanced hacking tools spread.

  • Early 2025: Parts of the exploit chain appeared in activity linked to a commercial surveillance vendor working for a government customer.

  • Mid-2025: The same framework surfaced in a campaign targeting Ukrainian websites tied to a Russian espionage group.

  • Late 2025: The full toolkit appeared in operations run by financially motivated attackers hosting fake cryptocurrency and investment websites.


The shift from intelligence activity to criminal operations highlights a growing market for reused exploits. Once developed, these tools can circulate among multiple actors who adapt them for new goals.

Cryptocurrency theft as the final objective

In the financially motivated campaigns, the final payload was a component called PlasmaLoader. The malware embeds itself inside a privileged iOS process, giving attackers persistent access to the device. Researchers found the malware targeting 18 cryptocurrency wallet applications, attempting to intercept sensitive information from wallet software.

The code also scans Apple Notes for BIP39 recovery phrases and other financial keywords. These recovery phrases act as master keys for cryptocurrency wallets. If attackers obtain them, they can access and transfer the funds stored in those accounts.


Why software updates remain critical

The Coruna toolkit worked against iPhones running software released between 2019 and late 2023, covering a large installed base of devices that had not been updated. However, researchers say the exploit chains do not work on the latest version of iOS.
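A fleet-side exposure check built from the version range the article reports (iOS 13 through iOS 17.2.1). This is an added example, not code from GTIG or the article; the inventory lines and device IDs are constructed, and a device outside the range is only outside the reported range, not proven safe.

```python
"""Flag inventory entries whose iOS version falls in the Coruna-affected range."""
from typing import List, Optional, Tuple

# Inclusive bounds taken from the article: chains worked on iOS 13 through 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '17.2', '17.2.1' or 'iOS 16.5' into a 3-tuple; None if unparseable."""
    cleaned = text.strip().lower().removeprefix("ios").strip()
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:          # pad '17.2' to (17, 2, 0) for tuple comparison
        nums.append(0)
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> Optional[bool]:
    """True if inside the reported range, False if outside, None if unparseable."""
    v = parse_ios_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (device_id, version, status) for each 'device_id,ios_version' line."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        device_id, _, version = line.partition(",")
        flag = in_affected_range(version)
        status = "unknown" if flag is None else ("affected" if flag else "outside")
        results.append((device_id.strip(), version.strip(), status))
    return results


# Constructed sample inventory (hypothetical device IDs, not from the article).
SAMPLE_INVENTORY = """\
# device_id,ios_version
dev-001,13.3
dev-002,17.2.1
dev-003,17.3
dev-004,iOS 12.5.7
dev-005,n/a
"""

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        print(*row, sep="\t")
```

Devices reported as "unknown" need a manual version check rather than being treated as patched.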

Security teams recommend several precautions:

  • Install the latest iOS updates immediately.

  • Enable Lockdown Mode on devices that may face higher risk.

  • Avoid visiting unknown financial or cryptocurrency websites on mobile browsers.

  • Monitor network activity for suspicious connections to unfamiliar domains.

For security analysts, Coruna reinforces an old lesson in cybersecurity. Once advanced exploit frameworks escape their original environment, they tend to circulate widely, and eventually someone finds a way to turn them into profit.
