This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold

Google's Threat Intelligence Group (GTIG) has a new report out about a powerful iOS exploit kit called "Coruna," which traveled from a surveillance vendor's customer to a Russian espionage group to Chinese cybercriminals, revealing a sophisticated exploit "supply chain" in the process.


Described as one of the most comprehensive iOS exploit toolkits to have been documented publicly, Coruna targets iPhones running iOS 13.0 through iOS 17.2.1, containing 23 exploits across four years of iOS versions.

According to GTIG, it was first spotted in February 2025, when it was used by a customer of a commercial surveillance vendor. By summer 2025, the same framework appeared in watering hole attacks (where an attacker compromises websites that their intended targets are likely to visit) by a suspected Russian espionage group targeting Ukrainian users.

Then, in late 2025, a China-based, financially motivated actor deployed it across a large network of fake financial and crypto websites. GTIG said it was unclear how the exploit kit got passed from actor to actor, but that it suggests an active marketplace for "second hand" zero-day exploits.

As for the kit's contents, it's described as highly well-engineered. When someone visits an infected website, it figures out what kind of iPhone they're using and what software version it's running, then picks the right attack for that specific device. If the user has Apple's Lockdown Mode turned on though, the kit bails – it doesn't even try.

The attack code is scrambled with strong encryption, so it's hard for security researchers to intercept and analyze, and it's packaged in a custom format that the developers apparently invented themselves. The code also includes detailed notes written in English explaining how it all works, and uses attack techniques that haven't been seen publicly before, according to GTIG's analysis.

The kit targets cryptocurrency wallets and financial data, and is capable of hooking into 18 different crypto apps to exfiltrate wallet credentials. The payload can decode QR codes from images on disk, and it also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like "backup phrase" or "bank account." It even scans Apple Notes for typical seed phrases.

Anyone still on iOS 17.2.1 or earlier is potentially vulnerable to the exploit kit, which doesn't work against newer iOS versions, so make sure to update if you can. Otherwise, the takeaway seems to be that Apple's Lockdown Mode is doing its job to ward off such a powerful exploit kit, and that can only be good news for those who enable it.

This article, "This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold" first appeared on MacRumors.com
