Coruna iPhone exploitation and Apple response

The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used the framework against compromised Ukrainian websites in **summer 2025**, and **UNC6691** later tied it to fake gambling and crypto sites in **late 2025**. The shift matters because the same exploit kit was reused across **espionage** and **financial theft** operations, broadening the risk to ordinary mobile users. The kit also selected exploit chains by device fingerprint and could stop when **Lockdown Mode** or private browsing was enabled.

A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyond its original precision-espionage role. The operation steers users who visit compromised or lure websites through a browser-fingerprinting exploit chain that can select the right payload and deliver **PlasmaLoader (aka PLASMAGRID)**. That broadens risk for **unpatched Apple iPhone** users and shows how a once-targeted framework can be repurposed for wider abuse.

The **Coruna** exploit kit marks the **first observed mass exploitation against iOS devices**, shifting risk from highly targeted spyware to **broad deployment** against **iPhone users**. It combines a **device-fingerprinting framework** with multiple iOS exploit chains to choose the right **WebKit RCE** path for each target. The development matters because it shows advanced mobile exploitation being reused at scale rather than confined to isolated surveillance operations.

**Apple** backported **Coruna-linked WebKit fixes** to **older iOS and iPadOS devices**, reducing exposure on legacy hardware that cannot move to the latest release. The update extends protection for **CVE-2023-43010** and related flaws to iPhones and iPads left behind by newer versions. It matters because the flaw was used in an exploit kit that could process **malicious web content** and trigger **memory corruption**.

Older **iPhone and iPad** devices received the **CVE-2023-43010** fix, extending protection against a **WebKit memory-corruption flaw** used in the **Coruna exploit kit**. The bug could be triggered by **maliciously crafted web content**, creating risk for browser-driven code execution on affected systems. The backport covers **iOS 15.8.7**, **iPadOS 15.8.7**, **iOS 16.7.15**, and **iPadOS 16.7.15** for devices that cannot move to newer releases. Apple said the issue had already been fixed in **iOS 17.2** on **December 11th, 2023**.