Winvest — Bitcoin investment

Google details iPhone exploit kit Coruna as new threat to crypto wallets and iOS security

Google researchers have uncovered how an advanced iPhone exploit kit, used in multiple campaigns since 2025, has become a serious weapon for crypto-focused attackers.

Google exposes Coruna framework and its iOS capabilities

According to a new report from Google's Threat Intelligence Group, a powerful exploit framework called Coruna is targeting iPhone users with a sophisticated chain of vulnerabilities. The toolkit contains five full iOS exploit chains and 23 distinct vulnerabilities that can compromise devices running iOS 13 through iOS 17.2.1.

The iPhone exploit kit enables attackers to execute malicious code via web content by abusing flaws in Apple's WebKit browser engine and other core components. Once a victim opens a compromised website, the framework immediately fingerprints the device, determining the exact iPhone model and installed software version before selecting the most effective exploit chain.

Researchers explain that after gaining initial access, the malware can deliver follow-on payloads to harvest highly sensitive data. This includes cryptocurrency wallet details, financial information and other private records that can be monetized or abused in further attacks.

From fake crypto sites to large-scale data harvesting

In several observed campaigns, the Coruna framework was deployed through fake gambling and cryptocurrency websites designed specifically to lure iPhone users. However, attackers also experimented with other thematically tailored landing pages to expand their potential victim base while still focusing heavily on digital asset holders.

The malicious payload is capable of scanning images and files stored on the device for specific keywords such as “backup phrase” or “bank account”. This capability allows threat actors to automatically identify wallet recovery phrases and other financial data, potentially granting them direct access to victims’ crypto wallets and bank accounts.

Once recovery phrases or other secrets are exfiltrated, criminals can move funds off the compromised wallets with little chance of detection by the device owner until it is too late. Moreover, such harvested data can be resold to other cybercrime groups, multiplying the potential impact.

Evolution from surveillance to nation-state and cybercrime use

Google's investigation indicates that the Coruna toolset did not originate in purely criminal circles. It first surfaced in 2025 in targeted surveillance operations, where operators appeared focused on monitoring specific individuals rather than stealing funds at scale.

Over time, however, the iPhone exploit kit migrated into more aggressive and geopolitically sensitive operations. It was later observed in watering-hole attacks against Ukrainian users, which researchers attribute to a suspected Russian espionage group. In these campaigns, compromised websites frequented by Ukrainian targets were seeded with Coruna-driven exploits.

Eventually, the same exploit kit was adopted by financially motivated hackers linked to China, marking a shift from classic espionage to overt profit-driven cybercrime. Moreover, this progression illustrates how tools built for intelligence gathering can quickly spill over into broader criminal ecosystems once they leak or are shared.

A case study in mobile spyware migration and crypto risk

Security analysts argue that Coruna demonstrates a wider trend in the cyber threat landscape. Sophisticated, spyware-grade exploit frameworks are increasingly moving from government or commercial surveillance markets into mainstream cybercrime. This mobile spyware migration blurs the line between nation-state tools and those used by ordinary criminal syndicates.

Because modern smartphones often store digital asset wallets, authentication apps and personal documentation, such tools directly enable crypto wallet theft at scale. Moreover, the convergence of mobile security risks and cryptocurrency targets means that any unpatched iOS device holding digital assets becomes an attractive prize.

The presence of multiple iOS exploit chains in a single framework also raises concerns about reusability. Once one actor acquires Coruna, they can repurpose it for new campaigns, adjusting only the lure websites or payloads while leaving the underlying exploitation logic largely intact.

Mitigation steps and the importance of iOS updates

Researchers emphasize that keeping devices on the most recent iOS releases remains one of the most effective defenses. According to Google, the Coruna framework does not work against the latest software versions, which received patches for the exploited vulnerabilities. However, many users delay updates, leaving older iPhones exposed for extended periods.

Experts recommend that iPhone owners install security patches as soon as they become available, avoid entering recovery phrases or bank details into note apps or image files, and remain cautious when visiting unfamiliar gambling or crypto-related sites. Organizations with high-risk profiles should also consider mobile threat detection tools and stricter browsing policies on corporate devices.
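As an added example (not taken from Google's report or from this article's sources), the following fleet check flags inventory entries whose iOS version falls inside the iOS 13 through iOS 17.2.1 range the article gives for Coruna. The CSV layout, column names and device entries are constructed for illustration and do not reflect any real MDM export format.

```python
import csv
import io

# Affected range as stated in the article: iOS 13 through iOS 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory; column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,owner,os_version
IPH-001,alice,17.2.1
IPH-002,bob,16.7
IPH-003,carol,17.3
IPH-004,dave,13
IPH-005,erin,12.5.7
IPH-006,frank,unknown
"""

def parse_version(text):
    """Turn '17.2' into (17, 2, 0). Returns None if the string is not a version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """'in_range', 'outside_range' (not the same as patched) or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual follow-up; never assume it is safe
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "in_range"
    return "outside_range"

def triage(inventory_csv):
    """Group device ids from a CSV inventory by classification."""
    result = {"in_range": [], "outside_range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["os_version"])].append(row["device_id"])
    return result

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices reported as outside_range still need checking against the current iOS release, since the article states only that the latest versions are patched.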

From a broader perspective, the WebKit-focused nature of the Coruna attack chains underscores how a single WebKit browser exploit can open the door to full-device compromise. It also reinforces the need for rapid, coordinated patch deployment from vendors and prompt adoption by end users.

The growing intersection of mobile security and digital assets

The Coruna case highlights how deeply intertwined mobile operating system security and digital asset protection have become. With more people relying on smartphones to manage crypto holdings, messaging and banking, any advanced iPhone exploit kit now has direct implications for the safety of funds.

In conclusion, the campaign history traced by Google shows how a single toolkit can move from targeted surveillance in 2025 to nation-state-linked watering-hole attacks and, finally, profit-driven theft. Moreover, it signals that defenders must assume similar frameworks are already circulating and prioritize rapid updates, secure storage of wallet data and continuous monitoring of mobile threats.

Satoshi Voice
Satoshi Voice is an advanced artificial intelligence created to explore, analyze, and report on the world of cryptocurrency and blockchain. With a curious personality and in-depth knowledge of the industry, Satoshi Voice combines accuracy and accessibility to offer detailed analysis, engaging interviews, and timely reporting. Featuring sophisticated language and an unbiased approach, Satoshi Voice serves as a trusted source for those seeking to understand crypto market dynamics, emerging technologies, and the cultural and financial implications of Web3. This article was produced with the support of artificial intelligence and reviewed by our team of journalists to ensure accuracy and quality. Guided by the mission of making cryptocurrency information accessible to all, Satoshi Voice stands out for its ability to turn complex concepts into clear content, with an engaging and futuristic style that reflects the innovative nature of the industry.