Google Threat Intelligence Group (GTIG) has uncovered "Coruna," a sophisticated iOS exploit kit bundling 23 exploits and five full chains that cover iOS 13.0 through 17.2.1 (devices on later releases fall outside the kit's stated coverage). Its path through the ecosystem is unusual: it was first used by commercial surveillance vendors, then by a state-backed Russian espionage group (UNC6353), and most recently by a financially motivated Chinese actor (UNC6691). That hand-off highlights a thriving secondary market for advanced zero-day vulnerabilities and exploitation techniques.
The kit relies on heavy JavaScript obfuscation and multi-stage delivery, and its chains defeat mitigations such as Pointer Authentication Codes (PAC). Once the initial WebKit RCE lands, a payload called PlasmaLoader (PLASMAGRID) is injected into system processes to exfiltrate sensitive data. Recent campaigns have specifically targeted cryptocurrency wallet information, both by hooking functions and by scanning Apple Memos for recovery phrases.
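A defensive counterpart to the delivery stage described above, added here as an illustration and not code from GTIG's report or from the Coruna kit itself: a small Python triage script that scores a JavaScript document for obfuscation and staged-loading indicators. The two samples are constructed for this example (a plain checkout helper and a snippet written in the style of a string-array obfuscator that fetches and `eval()`s a second stage); the regexes, weights and threshold are assumptions chosen for illustration, not indicators published for Coruna, and should be tuned against your own corpus before use. The one design point worth noting is that API names are decoded out of `\xNN`/`\uNNNN` string escapes before matching, because an obfuscated loader never spells `fetch` or `atob` in the clear.

```python
import math
import re
from collections import Counter

# Constructed samples (not the kit's code): a benign helper and an
# obfuscated-looking staged loader.
BENIGN_JS = r"""
function formatPrice(amount, currency) {
  // Render a price string for the checkout page
  return new Intl.NumberFormat('en-US', { style: 'currency', currency }).format(amount);
}
document.getElementById('total').textContent = formatPrice(42.5, 'USD');
"""

OBFUSCATED_JS = r"""var _0x4a2f=['\x66\x65\x74\x63\x68','\x74\x68\x65\x6e','\x74\x65\x78\x74','\x2f\x73\x74\x61\x67\x65\x32\x2e\x6a\x73','\x70\x75\x73\x68','\x73\x68\x69\x66\x74','\x61','\x62','\x63','\x64'];(function(_0x1b3c,_0x2e5d){var _0x3f7a=function(_0x5c1e){while(--_0x5c1e){_0x1b3c[_0x4a2f[0x4]](_0x1b3c[_0x4a2f[0x5]]());}};_0x3f7a(++_0x2e5d);}(_0x4a2f,0x1a3));var _0x5d9e=function(_0x1b3c){return _0x4a2f[_0x1b3c-0x0];};window[_0x5d9e('0x0')](_0x5d9e('0x3'))[_0x5d9e('0x1')](function(_0x6e2b){return _0x6e2b[_0x5d9e('0x2')]();})[_0x5d9e('0x1')](function(_0x7f3c){eval(atob(_0x7f3c));});"""

# Counted on the raw source: escape-encoded string literals are themselves a signal.
ESCAPE_PATTERN = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

# Matched against the escape-decoded source. Patterns and weights are
# assumptions for this example, not published signatures.
LITERAL_PATTERNS = {
    "hex_identifiers": re.compile(r"\b_0x[0-9a-f]{4,}\b"),            # _0xabcd-style names
    "dynamic_eval": re.compile(r"\b(?:eval|Function)\s*\("),           # eval(...) / new Function(...)
    "base64_decode": re.compile(r"\batob\s*\("),                       # base64 second stage
    "string_array_rotate": re.compile(r"\[\s*'[^']*'\s*(?:,\s*'[^']*'\s*){8,}\]"),  # big string table
    "staged_fetch": re.compile(r"\b(?:fetch|XMLHttpRequest|importScripts)\b"),  # pulls another stage
    "computed_member_access": re.compile(r"\w\[\s*[A-Za-z_$]\w*\s*\(\s*['\"]?0x[0-9a-f]+"),  # obj[decoder('0x1')]
}
WEIGHTS = {
    "hex_or_unicode_escapes": 2, "hex_identifiers": 2, "dynamic_eval": 3,
    "base64_decode": 1, "string_array_rotate": 2, "staged_fetch": 1,
    "computed_member_access": 2,
}
SUSPICIOUS_THRESHOLD = 5  # assumption; tune on real traffic


def decode_escapes(js: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes so API names hidden inside string
    literals become visible to the literal-name patterns."""
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; reported for context, not scored,
    because minified benign bundles are also dense."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def obfuscation_indicators(js_source: str) -> dict:
    """Return which indicators fired (with match counts) plus context stats."""
    fired = {}
    escapes = len(ESCAPE_PATTERN.findall(js_source))
    if escapes:
        fired["hex_or_unicode_escapes"] = escapes
    decoded = decode_escapes(js_source)
    for name, pattern in LITERAL_PATTERNS.items():
        hits = len(pattern.findall(decoded))
        if hits:
            fired[name] = hits
    lines = js_source.splitlines() or [""]
    return {
        "indicators": fired,
        "entropy": round(shannon_entropy(js_source), 2),
        "max_line_length": max(len(line) for line in lines),
    }


def obfuscation_score(js_source: str) -> int:
    """Sum the weight of every indicator that fired (count-insensitive)."""
    fired = obfuscation_indicators(js_source)["indicators"]
    return sum(WEIGHTS[name] for name in fired)


def verdict(js_source: str) -> str:
    return "suspicious" if obfuscation_score(js_source) >= SUSPICIOUS_THRESHOLD else "clean"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, verdict(sample), obfuscation_indicators(sample))
```

The score is deliberately count-insensitive: a single `eval(atob(...))` on a fetched body is the interesting fact, and a long bundle should not outscore a short loader just by repeating the same construct. Treat the output as a triage signal for pulling the full page and its second stage, not as a detection on its own.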