Coruna's 23 iOS Exploits Went From Spies to Crypto Thieves — 42,000 iPhones Hit


A government-grade exploit kit jumped from a surveillance vendor to Russian intelligence to Chinese cybercriminals in under 12 months. Your MetaMask wallet was the final stop.

23 exploits. 5 exploit chains. 42,000 compromised iPhones. 18 crypto wallet apps hooked. 3 threat actor groups. iOS 13 through 17.2.1 — four years of Apple firmware in one kit.

Google’s Threat Intelligence Group just published the full teardown of Coruna, an iOS exploit kit that started as a commercial surveillance tool and ended up draining Bitcoin wallets at scale. CISA added 3 of its CVEs to the Known Exploited Vulnerabilities catalog on March 5. Federal agencies have until March 26 to patch.



🧩 Dumb Mode Dictionary

| Term | Translation |
| --- | --- |
| Exploit Kit | A bundle of hacking tools that automatically pick the right attack for your device |
| Exploit Chain | Multiple vulnerabilities strung together — each one opens the door for the next |
| Zero-Day | A vulnerability nobody knew about (and therefore nobody patched) |
| Watering Hole | Hacking a website your target visits, instead of hacking the target directly |
| PAC Bypass | Getting around Apple’s pointer authentication — a hardware-level security feature |
| CVE | A unique ID for a publicly known vulnerability |
| CISA KEV | The U.S. government’s “patch these now or explain yourself” list |
| Plasmagrid | Coruna’s final payload — the part that actually steals your crypto |
| Lockdown Mode | Apple’s paranoia setting that blocks most attack surfaces |
📖 How Google Found It — The Debug Version Mistake

The discovery started in February 2025 when Google’s Threat Intelligence Group (GTIG) captured fragments of an iOS exploit chain used by a customer of an unnamed commercial surveillance company.

Then someone made a mistake. One of the threat actors deployed the debug version of the kit — with all internal code names, docstrings, and comments left in the clear. Written in native English.

That accident gave Google the full blueprint: five exploit chains, 23 individual exploits, internal naming conventions, and enough metadata to track the kit across three completely different threat actor groups over the next 10 months.

The researchers named it Coruna — the kit’s own internal label.

⚙️ The 5 Chains and 23 Exploits — What's Actually Inside

Coruna covers iOS 13.0 (September 2019) through iOS 17.2.1 (December 2023). Here’s what Google found:

| Exploit Name | CVE | iOS Range |
| --- | --- | --- |
| Neutron | CVE-2020-27932 | 13.x |
| Dynamo | CVE-2020-27950 | 13.x |
| buffout | CVE-2021-30952 | 13 → 15.1.1 |
| jacurutu | CVE-2022-48503 | 15.2 → 15.5 |
| IronLoader | CVE-2023-32409 | 16.0 → 16.3 |
| Photon | CVE-2023-32434 | 14.5 → 15.7.6 |
| Gallium | CVE-2023-38606 | 14.x |
| Parallax | CVE-2023-41974 | 16.4 → 16.7 |
| terrorbird | CVE-2023-43000 | 16.2 → 16.5.1 |
| cassowary | CVE-2024-23222 | 16.6 → 17.2.1 |
| Sparrow | CVE-2024-23225 | 17.0 → 17.3 |
| Rocket | CVE-2024-23296 | 17.1 → 17.4 |

That’s 12 of the named ones — the other 11 are supporting exploits (sandbox escapes, privilege escalation, persistence) chained together to build five complete attack paths.

The Photon and Gallium exploits are directly linked to Operation Triangulation — the 2023 campaign Kaspersky discovered and attributed to U.S. intelligence. So parts of this kit have roots in state-level offensive capabilities.


🗣️ Three Owners in 10 Months — The Proliferation Timeline

This is the part that matters. The kit didn’t stay in one lane.

Phase 1 — February 2025: Commercial Surveillance
A customer of an unnamed spyware vendor deployed Coruna for targeted surveillance. Standard “lawful intercept” use case. Dozens of targets at most.

Phase 2 — July 2025: Russian Espionage (UNC6353)
The same kit appeared on cdn.uacounter[.]com, loaded via hidden iframes on compromised Ukrainian websites — industrial, retail, and e-commerce sectors. GTIG assessed with moderate-to-high confidence this was a Russian government-aligned group. The tool had moved from commerce to statecraft.

Phase 3 — December 2025: Chinese Crypto Crime (UNC6691)
A Chinese-speaking financially motivated group acquired the kit and dropped the pretense of targeted surveillance entirely. They set up fake Chinese finance websites as watering holes — no geolocation restrictions. Anyone who visited got hit. The goal was no longer intelligence. It was wallet-draining at scale.

42,000 confirmed compromised devices. For iOS, where infections are typically measured in the dozens, that’s a staggering number.

💰 Plasmagrid — The Crypto-Stealing Payload

At the end of Coruna’s exploit chains sits Plasmagrid, a payload that injects itself into powerd — a daemon running as root on iOS.

What it does:

  • Hooks into 18 cryptocurrency wallet apps: MetaMask, Phantom, Exodus, Uniswap, Base, Bitget Wallet, and more
  • Scans the device’s photo library for QR codes (wallet addresses, 2FA codes)
  • Parses Apple Notes for keywords: “backup phrase,” “seed phrase,” “bank account,” “recovery”
  • Exfiltrates credentials to C2 infrastructure

But here’s the thing nobody mentions: Plasmagrid’s domain generation algorithm is seeded with the string ‘lazarus’ — generating 15-character .xyz domains for fallback C2. Whether that’s a false flag or a genuine link to North Korea’s Lazarus Group, Google didn’t say. But the choice of seed word isn’t subtle.

🛡️ What Actually Stops It

The data shows two defenses that work right now:

  1. Update to iOS 17.3 or later. Coruna is completely inert on iOS 17.3+. If you’ve updated your phone in the last year, you’re fine. Current release is iOS 26.

  2. Turn on Lockdown Mode. Google confirmed that Coruna’s PlasmaLoader automatically self-terminates when it detects Lockdown Mode is active. This is the single most effective real-time defense — the kit doesn’t even try.

Private browsing also blocks the initial WebKit exploit delivery. The kit checks and bails.

CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to the KEV catalog. Federal agencies must patch by March 26, 2026.

📊 Why This One Is Different

iOS exploit kits at this scale are rare. Here’s context:

| Metric | Coruna | Typical iOS Exploit |
| --- | --- | --- |
| Number of exploits | 23 | 1-3 |
| Exploit chains | 5 | 1 |
| iOS version coverage | 4 years | 1-2 versions |
| Confirmed compromised devices | 42,000 | Dozens to hundreds |
| Threat actor groups using it | 3 | 1 |
| Time from spy tool → mass crime | ~10 months | Rarely happens |

The usual pattern: a surveillance vendor sells to a government, the government uses it on a few targets, eventually it gets burned and patched. Coruna broke that pattern by going from targeted intelligence to mass-market crypto theft in under a year. The supply chain of offensive capabilities is leaking faster than it used to.


Cool. So spy-grade iPhone exploits are floating around like hand-me-down clothes. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)


📱 1. iOS Lockdown Mode Audit Service

Most iPhone users don’t know Lockdown Mode exists, and the ones who do think it’s only for journalists and activists. Coruna proves that’s wrong — it’s a defense that makes an entire exploit kit give up automatically.

Build a service that audits device configurations for high-risk users: crypto holders, executives, anyone with non-trivial wallet balances. Charge per device or monthly for ongoing monitoring.

🧠 Example: A freelance security consultant in Portugal started offering “iPhone hardening” sessions to crypto fund managers after the Pegasus headlines. 45 minutes via Zoom, $200/session. After Coruna, demand tripled — now booking 15 sessions a week through LinkedIn outreach alone.

📈 Timeline: First client within 2 weeks of setup. Scales with every new iOS exploit headline.

🔍 2. Watering Hole Detection for SMB Websites

UNC6691 compromised ordinary websites — retail, e-commerce, industrial — and injected hidden iframes. Most small businesses have zero visibility into whether their site is serving exploit kit payloads to visitors.

Set up a monitoring tool (use open-source scanners + custom scripts) that checks client websites for injected iframes, suspicious JavaScript, and known C2 domains. Charge monthly per domain.
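As an added example (not code from the original post or from any named tool), here is the core check such a scanner needs, in Python using only the standard library: it parses a page, flags iframes styled or sized so a visitor would never see them, flags script and frame sources on hosts outside the site's allowlist, and flags sources on a known-bad list. The allowlist hosts and the sample checkout page are constructed placeholders; the one known-bad host is the cdn.uacounter[.]com delivery domain named earlier in the post.

```python
"""Scan a page's HTML for hidden iframes and unexpected third-party includes.

Added example, not code from the original post. Standard library only. The
allowlist hosts and SAMPLE_PAGE are constructed placeholders; the single
known-bad host is the domain the post names for the UNC6353 watering holes.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (placeholders).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.payments.example"}

# Known delivery domain from the post (defanged there as cdn.uacounter[.]com).
KNOWN_BAD_HOSTS = {"cdn.uacounter.com"}

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def looks_hidden(attrs):
    """True if an iframe is styled or sized so a visitor would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:          # percentages or other units: not judged here
        return False
    return width <= 1 or height <= 1


def external_host(src, page_host):
    """Host of src if it is off-site and not allowlisted; None otherwise."""
    host = urlparse(src).hostname
    if host is None:            # relative URL, same origin as the page
        return None
    host = host.lower()
    if host == page_host or host in ALLOWED_HOSTS:
        return None
    return host


class InjectScanner(HTMLParser):
    """Collects (finding_kind, src) tuples while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        host = external_host(src, self.page_host)
        if tag == "iframe":
            if host in KNOWN_BAD_HOSTS:
                self.findings.append(("known-bad-host", src))
            elif looks_hidden(attrs):
                self.findings.append(("hidden-iframe", src))
            elif host:
                self.findings.append(("external-iframe", src))
        elif tag == "script" and src:
            if host in KNOWN_BAD_HOSTS:
                self.findings.append(("known-bad-host", src))
            elif host:
                self.findings.append(("unknown-script-host", src))


def scan_html(html, page_url):
    """Return the list of findings for one page body fetched from page_url."""
    scanner = InjectScanner(urlparse(page_url).hostname.lower())
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a checkout page with legitimate and injected includes.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="//static.not-our-cdn.example/loader.js"></script>
</head><body>
<iframe src="https://js.payments.example/frame" width="400" height="300"></iframe>
<iframe src="https://tracker.not-our-cdn.example/x" style="display: none; width:0"></iframe>
<iframe src="https://cdn.uacounter.com/c.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, "https://shop.example/checkout"):
        print(f"{kind}: {src}")
```

In a monitoring loop you would fetch each client page on a schedule, run `scan_html` on the body, and alert only on findings that were not present in the previous run; the allowlist is what keeps a legitimate payment frame or CDN from paging you every hour.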

🧠 Example: A two-person infosec team in Romania built a Slack-integrated site scanner after the Magecart wave. They monitor 340 e-commerce sites at $30/month each. When a client’s checkout page got injected, they caught it in 11 minutes. The client’s alternative was a $180K PCI fine.

📈 Timeline: MVP in a weekend using existing tools. Revenue starts with 10+ clients.

💼 3. Crypto Wallet Hygiene Training

Plasmagrid scans Notes for “seed phrase” and photos for QR codes. That means the most common way people store recovery phrases — screenshots and notes apps — is now a confirmed attack vector at scale.

Create a short training course (video or live) teaching crypto holders operational security: hardware wallets, offline seed storage, compartmentalized devices. Sell direct or license to crypto exchanges as onboarding material.

🧠 Example: A cybersecurity educator in Nigeria created a 90-minute “Crypto OpSec” workshop after the LastPass breach exposed wallet keys. Sold 1,200 seats at $15 each through Twitter/X promotion. Updated the material after Coruna with iOS-specific sections — second cohort sold out in 3 days.

📈 Timeline: Content creation in one week. First sales from existing audience or crypto communities.

🛠️ 4. Enterprise iOS Version Compliance Dashboard

42,000 devices got hit because they were running iOS versions up to two years old. Most companies have no visibility into what iOS versions their employees are running — MDM solutions track it, but nobody builds alerts around exploit kit coverage maps.

Build a dashboard that maps your org’s device fleet against active exploit kits. Overlay CVE data from CISA KEV with MDM inventory. Flag devices running vulnerable versions. Sell to IT departments as a SaaS add-on.
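As an added example (not code from the original post or from Google's report), here is a minimal version of the compliance check that paragraph describes, in Python: it parses the iOS range notation used in the exploit table above, applies the 17.3 cutoff the post gives for the kit, and flags devices from a constructed MDM export. The CVE numbers and ranges are copied from the table as written; the device names and builds in the sample inventory are constructed.

```python
"""Flag iOS builds in an MDM inventory against Coruna's coverage.

Added example, not code from the original post or from Google's report.
The CVE rows and ranges are copied from the exploit table above as written;
the device inventory is constructed sample data standing in for an MDM export.
"""

# (exploit name, CVE, iOS range) exactly as listed in the table above.
CORUNA_EXPLOITS = [
    ("Neutron", "CVE-2020-27932", "13.x"),
    ("Dynamo", "CVE-2020-27950", "13.x"),
    ("buffout", "CVE-2021-30952", "13 → 15.1.1"),
    ("jacurutu", "CVE-2022-48503", "15.2 → 15.5"),
    ("IronLoader", "CVE-2023-32409", "16.0 → 16.3"),
    ("Photon", "CVE-2023-32434", "14.5 → 15.7.6"),
    ("Gallium", "CVE-2023-38606", "14.x"),
    ("Parallax", "CVE-2023-41974", "16.4 → 16.7"),
    ("terrorbird", "CVE-2023-43000", "16.2 → 16.5.1"),
    ("cassowary", "CVE-2024-23222", "16.6 → 17.2.1"),
    ("Sparrow", "CVE-2024-23225", "17.0 → 17.3"),
    ("Rocket", "CVE-2024-23296", "17.1 → 17.4"),
]

# Kit window as the post states it: iOS 13.0 through 17.2.1, inert on 17.3+.
KIT_WINDOW_START = (13,)
KIT_FIRST_SAFE = (17, 3)


def parse_version(text):
    """'iOS 17.2.1' -> (17, 2, 1). Tuples compare component-wise."""
    text = text.strip()
    if text.startswith("iOS "):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def parse_range(text):
    """Turn table notation into (low, high, high_is_exclusive).

    '13.x' covers every 13.* build, so its high bound is (14,) exclusive;
    '13 → 15.1.1' is inclusive on both ends.
    """
    if text.endswith(".x"):
        major = int(text[:-2])
        return (major,), (major + 1,), True
    low, high = (parse_version(part) for part in text.split("→"))
    return low, high, False


def version_in_range(version, rng):
    low, high, high_exclusive = rng
    if version < low:
        return False
    return version < high if high_exclusive else version <= high


def matching_exploits(version):
    """Table rows whose iOS range contains this build."""
    return [(name, cve) for name, cve, rng in CORUNA_EXPLOITS
            if version_in_range(version, parse_range(rng))]


def in_kit_window(version):
    return KIT_WINDOW_START <= version < KIT_FIRST_SAFE


def triage_fleet(inventory):
    """inventory: iterable of (device_id, ios_version_text) from an MDM export.

    Returns one record per device that is inside the kit's stated window or
    matches at least one listed CVE range; fully current devices are omitted.
    """
    flagged = []
    for device_id, version_text in inventory:
        version = parse_version(version_text)
        hits = matching_exploits(version)
        inside = in_kit_window(version)
        if inside or hits:
            flagged.append({
                "device": device_id,
                "version": version_text,
                "in_kit_window": inside,
                "cves": [cve for _, cve in hits],
            })
    return flagged


# Constructed sample export; device names and builds are made up.
SAMPLE_INVENTORY = [
    ("ipad-finance-01", "15.1"),
    ("iphone-exec-07", "17.2.1"),
    ("iphone-sales-12", "17.3"),
    ("iphone-dev-03", "18.1"),
]

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_INVENTORY):
        print(row)
```

The two signals are reported separately on purpose: the table's last two rows (Sparrow to 17.3, Rocket to 17.4) extend past the 17.3 cutoff the post gives for the kit, so a 17.3 device shows `in_kit_window` false while still matching two listed CVE ranges. Swap `SAMPLE_INVENTORY` for your MDM export and feed the KEV CVE list into `CORUNA_EXPLOITS` to keep the overlay current.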

🧠 Example: An MDM admin in Germany built an internal Grafana dashboard mapping device versions against CISA KEV CVEs. His CISO loved it. He packaged it as a product, got 8 paying customers from a single LinkedIn post, and charges €500/month per org.

📈 Timeline: Prototype in a few days if you know MDM APIs. First customers from security-focused communities.

🛠️ Follow-Up Actions

| Step | Action |
| --- | --- |
| 1 | Check your iOS version — anything below 17.3 is in Coruna’s crosshairs |
| 2 | Enable Lockdown Mode if you hold crypto or handle sensitive data |
| 3 | Search your Notes app for “seed,” “phrase,” “recovery,” “backup” — move that data offline immediately |
| 4 | Delete screenshots of QR codes and wallet addresses from your photo library |
| 5 | If you run a website, scan for injected iframes and unknown JavaScript includes |
| 6 | Check CISA KEV catalog for CVE-2021-30952, CVE-2023-41974, CVE-2023-43000 |

⚡ Quick Hits

| Want… | Do… |
| --- | --- |
| 🛡️ Instant Coruna immunity | Update to iOS 17.3+ or turn on Lockdown Mode |
| 🔍 Check if you’re exposed | Settings → General → About → iOS Version. Below 17.3 = vulnerable |
| 💰 Protect your crypto | Move seed phrases off Notes/Photos → hardware wallet or metal plate |
| 📱 Monitor your website | Scan for injected iframes with free tools like Observatory by Mozilla |
| 📊 Track the threat | Follow Google TAG and CISA KEV catalog for updates |

23 exploits, 3 owners, 10 months. The supply chain for hacking your phone now moves faster than Apple’s patch cycle — and the last buyer wasn’t a government.
