Coruna iOS exploit kit used for crypto-theft payloads
Malware Activity
Summary
The Coruna exploit kit is being used in active attacks, giving operators 23 iOS exploits and five exploit chains that reach iOS 13.0 through 17.2.1. The kit can deliver payloads that target crypto-wallet apps and steal BIP39 recovery phrases and other sensitive text, turning exploit access into financial theft. Researchers first observed the activity in February 2025 and later found the same framework on fake finance and crypto sites in late 2025. The kit also fingerprints the device and OS version, then stops when Lockdown Mode or private browsing is enabled.
Related Happenings
Apple and Google Messages beta rollout of cross-platform E2EE RCS
Security Tool/Service
First: 12.05.2026 16:00
Last: 12.05.2026 16:00
Sources 1
About this happening:
Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Malicious actor campaign expands across multiple victims
Campaign
First: 14.04.2026 19:37
Last: 14.04.2026 19:37
Sources 1
About this happening:
A **fake Ledger Live app** in **Apple’s App Store** drained about **$9.5 million** in cryptocurrency from **50 victims** in a few days, indicating a broader **wallet-theft campaig...
Apple iOS 18.7.7 security update expansion for DarkSword
Security Patch Release
First: 02.04.2026 00:50
Last: 02.04.2026 00:50
Sources 1
About this happening:
Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...
Timeline
- 04.03.2026 21:06 · 1 article · 2mo ago
Apple patches CVE-2024-23222 in iOS 17.3
Mitigation Patch Update
Apple addressed CVE-2024-23222 in iOS 17.3 on January 22, 2024 after the WebKit vulnerability enabled remote code execution on iOS 17.2.1 and had already been exploited in zero-day attacks.
Sources:
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks — www.bleepingcomputer.com — 04.03.2026 21:06
- 04.03.2026 21:06 · 2 articles · 2mo ago
GTIG discloses Coruna iOS exploit-kit activity
Initial Disclosure
GTIG described Coruna as a previously undocumented 23-exploit iOS kit used against iPhone users in targeted espionage and financially motivated attacks. It was first observed in February 2025 with a surveillance vendor customer, later reused in summer 2025 by UNC6353 against compromised Ukrainian websites, and then seen in late 2025 on fake Chinese gambling and crypto websites attributed to UNC6691. Google added identified websites and domains to Safe Browsing and recommended iOS users upgrade or enable Lockdown Mode.
Sources:
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks — www.bleepingcomputer.com — 04.03.2026 21:06