DEV Community

Mark0

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

Google Threat Intelligence Group (GTIG) has detailed "Coruna," a sophisticated iOS exploit kit targeting iOS versions 13.0 through 17.2.1. The kit is remarkably comprehensive, containing five full exploit chains and 23 individual exploits, including advanced non-public techniques and mitigation bypasses. Its lifecycle shows a concerning pattern of capability proliferation: the kit moved from commercial surveillance vendors to state-backed espionage groups such as UNC6353, and finally to financially motivated threat actors such as UNC6691.

The infection chain typically begins with a JavaScript framework that fingerprints the device before delivering WebKit remote code execution (RCE) exploits and pointer authentication code (PAC) bypasses. Once the device is compromised, the "PlasmaLoader" (PLASMAGRID) stager is deployed; it injects itself into system daemons to exfiltrate sensitive data. Recent campaigns have specifically targeted cryptocurrency users by monitoring for BIP39 seed phrases and hooking functions in popular wallet applications to steal assets.
