Google’s threat intelligence researchers have identified a sophisticated exploit kit targeting iPhones that was first used by a commercial surveillance vendor’s customer before being repurposed by a suspected Russian espionage group and then by Chinese cybercriminals, highlighting what researchers describe as an active secondary market for high-end zero-day exploits.
“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google Threat Intelligence Group (GTIG) wrote in a blog post. “Multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”
The exploit kit, named Coruna by its developers, contains five full iOS exploit chains built from a total of 23 individual exploits targeting iPhones running iOS 13.0 through iOS 17.2.1 – a range spanning devices released from September 2019 through December 2023.
Mobile security firm iVerify independently discovered and reverse-engineered the same toolkit, and published corroborating research the same day. It described the toolkit, which it calls CryptoWaters, as the first observed mass exploitation of iOS devices by a financially motivated criminal group.
Three threat actors, one toolkit
GTIG first detected elements of Coruna in February 2025, when researchers captured parts of an iOS exploit chain used by a customer of an unnamed commercial surveillance company. The framework fingerprinted target devices, identified their iPhone model and iOS version, and delivered the appropriate WebKit remote code execution exploit silently, the blog post said.
The same framework resurfaced in summer 2025, this time repurposed by UNC6353, a suspected Russian espionage group, which embedded it as hidden iframes on compromised Ukrainian websites spanning industrial equipment, retail, and ecommerce sectors, according to Google. It said it worked with Ukraine’s CERT-UA to clean up all compromised websites.
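As an added example (not code from GTIG's or iVerify's research), the following Python check is the kind of scan a site operator could run over their own pages to flag iframes hidden through CSS, zero dimensions or the `hidden` attribute, the injection pattern described above; the sample HTML, domains and heuristics are constructed for illustration.

```python
"""Flag hidden iframes, the injection pattern used to plant drive-by exploit loaders.
Added example: sample HTML, domains and heuristics are constructed, not from GTIG/iVerify."""
import re
from html.parser import HTMLParser

# Constructed sample: one visible embed, then frames hidden via CSS, zero size and `hidden`.
SAMPLE_HTML = """<html><body>
<iframe src="https://videos.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn-static.example/t.html" style="display:none"></iframe>
<iframe src="https://cdn-static.example/u.html" width="0" height="0"></iframe>
<iframe src="https://cdn-static.example/v.html" hidden></iframe>
</body></html>"""

# Inline-style patterns that keep a frame out of view, including off-screen offsets.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)

def _zero_dim(value):
    """True for width/height values like '0', '0px' or '1' that make a frame invisible."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe a visitor would never see."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # valueless attributes such as `hidden` map to None
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDDEN_CSS.search(a.get("style") or ""):
            reasons.append("css hides frame")
        if _zero_dim(a.get("width")) or _zero_dim(a.get("height")):
            reasons.append("zero-size frame")
        if reasons:
            self.findings.append((a.get("src") or "", ", ".join(reasons)))

def find_hidden_iframes(html):
    """Return (src, reason) tuples for hidden iframes in `html`, in document order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings
```

Run against the constructed sample, it reports the three hidden frames and ignores the visible video embed; on a real site, any hit pointing at a domain the operator does not recognise is worth investigating.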
By year end the same kit had appeared across a large network of fake Chinese financial websites operated by UNC6691, a financially motivated, China-based threat actor. Unlike the earlier targeted deployments, iVerify confirmed the exploit chains contained no geolocation filtering, meaning any vulnerable iPhone visiting those pages was at risk.
VIPs aren’t the only ones at risk from this malware, said Everest Group senior analyst Gautam Goel. “GTIG’s writeup is notable precisely because it shows surveillance-grade exploit chains moving from targeted use to broad-scale criminal campaigns.”
A payload built to drain cryptocurrency wallets
In the case of UNC6691, GTIG said, that broad-scale criminal campaign had a specific financial objective.
The payload at the end of Coruna’s exploit chain, which GTIG tracks as Plasmagrid, is not conventional surveillance software. It injects itself into powerd, a daemon running as root on iOS, and is built specifically to steal cryptocurrency, according to GTIG.
Plasmagrid hooks into 18 cryptocurrency wallet applications, including MetaMask, Phantom, Exodus, and Uniswap, to exfiltrate credentials. It scans images for QR codes and parses Apple Notes for seed phrases and keywords such as “backup phrase” and “bank account.” GTIG said code comments within the implant are written in Chinese, and some appear to have been generated by a large language model. iVerify added that its independent analysis found additional modules targeting WhatsApp beyond those identified by GTIG, and noted the kit appeared to be in active development.
What Coruna reveals about the spyware market
The case has renewed scrutiny of the commercial surveillance industry’s assurances that its tools remain under controlled, targeted use. Sanchit Vir Gogia, chief analyst at Greyhound Research, said the pattern reveals a structural problem. “The ecosystem includes exploit acquisition programs, vulnerability brokers and secondary markets that facilitate the circulation of offensive capabilities,” Gogia said. “Regulating a single category of vendor does little to address the underlying supply chain.”
Goel said the timeline makes the policy failure concrete. “Even if the first buyer claims lawful targeted use, the capability itself can proliferate into criminal ecosystems within months,” he said. Google acknowledged the broader policy challenge, noting its participation in the Pall Mall Process, an international initiative focused on limiting the misuse of commercial cyber intrusion capabilities.
Enterprise mobile security under scrutiny
The Coruna kit is not effective against the latest version of iOS. GTIG urged all iPhone users to update their devices immediately, and recommended enabling Lockdown Mode where updates are not possible, noting the kit is engineered to abort on devices running in that mode. Google has added all identified domains to Safe Browsing. Indicators of compromise are available in a free GTIG collection on VirusTotal.
Analysts said the remediation advice, while necessary, exposes a deeper architectural gap. “Most enterprise mobile security programs were built around device management rather than device integrity,” Gogia said. “They were never designed to detect exploitation that occurs within the operating system itself.”
Goel put it more starkly. “Coruna sits under MDM and app-layer controls,” he said. “If an attacker can reliably get WebKit code execution and break out toward kernel-level access, the device can lie about its own state, and many policy controls become irrelevant in practice.”