This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold
Source: MacRumors
Google’s Threat Intelligence Group (GTIG) has released a new report about a powerful iOS exploit kit called Coruna. The kit traveled from a surveillance‑vendor customer to a Russian espionage group and then to Chinese cybercriminals, revealing a sophisticated exploit “supply chain.”

Coruna is described as one of the most comprehensive iOS exploit toolkits documented publicly. It targets iPhones running iOS 13.0 through iOS 17.2.1 and contains 23 exploits spanning four years of iOS versions.
Background
- First detection: February 2025, used by a customer of a commercial surveillance vendor.
- Mid‑2025: Appeared in watering‑hole attacks by a suspected Russian espionage group targeting Ukrainian users.
- Late 2025: Deployed by a China‑based, financially motivated actor across a large network of fake financial and crypto websites.

GTIG notes that the transition of the kit between actors suggests an active market for “second‑hand” zero‑day exploits.
Technical Details
- Dynamic targeting: When a user visits an infected site, the kit identifies the iPhone model and iOS version, then selects the appropriate exploit.
- Encryption: The attack code is heavily scrambled with strong encryption, making interception and analysis difficult.
- Custom packaging: The kit uses a proprietary format invented by its developers.
- Documentation: Includes detailed English notes explaining its operation and introduces attack techniques not previously seen publicly.
Capabilities
- Crypto‑wallet focus: Hooks into 18 different cryptocurrency apps to exfiltrate wallet credentials.
- QR‑code decoding: Can decode QR codes from images stored on the device.
- Text analysis: Scans for BIP‑39 word sequences or keywords such as “backup phrase” and “bank account.”
- Apple Notes scanning: Looks for typical seed phrases within Apple Notes.
Lockdown Mode Effectiveness
If the user has Apple’s Lockdown Mode enabled, the kit aborts the attack entirely—it does not even attempt an exploit. This demonstrates that Lockdown Mode can effectively block even highly sophisticated exploit kits.
Impact and Recommendations
- Devices running iOS 17.2.1 or earlier remain potentially vulnerable.
- The kit does not work against newer iOS versions, so updating to the latest iOS release is strongly advised.
- Enabling Lockdown Mode provides an additional layer of protection against such attacks. For instructions on enabling it, see Apple’s guide: Enable Lockdown Mode on iOS & Mac.
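
For teams managing many iPhones, the recommendations above can be turned into a triage pass over a device inventory. The following is an added example, not code from GTIG, Apple or MacRumors: it flags devices inside the iOS 13.0 to 17.2.1 range named in the article and notes whether Lockdown Mode is on. The CSV column names, the sample rows and the result labels are assumptions made for illustration.

```python
import csv
import io

# Range stated in the article: iOS 13.0 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample of an MDM inventory export; column names are hypothetical.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
ipad-001,12.5.7,false
iphone-002,13.0,false
iphone-003,16.7.10,true
iphone-004,17.2.1,false
iphone-005,17.3,false
iphone-006,unknown,false
"""

def parse_version(text):
    """Return (major, minor, patch), or None if text is not dotted integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "13.0" -> (13, 0, 0)

def classify(os_version, lockdown_mode):
    """Label one device; tuples compare numerically, so 16.7.10 > 16.7.2."""
    version = parse_version(os_version)
    if version is None:
        return "review"              # unparseable version: check by hand
    if version > AFFECTED_MAX:
        return "ok"                  # newer than the last version the kit targets
    if version < AFFECTED_MIN:
        return "update-below-range"  # older than the kit's range, still outdated
    return "in-range-lockdown" if lockdown_mode else "in-range"

def triage(csv_text):
    """Map device_id -> label for every row of the inventory export."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lockdown = row["lockdown_mode"].strip().lower() == "true"
        results[row["device_id"]] = classify(row["os_version"], lockdown)
    return results

if __name__ == "__main__":
    for device, label in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {label}")
```

Devices labelled in-range are the first to update; in-range-lockdown devices still need the update, since Lockdown Mode is an additional layer rather than a replacement for patching.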