Find notable cyber news and cases, enriched with sources, timelines, and signals.

Coruna iOS exploit kit used for crypto-theft payloads

Malware Activity
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The Coruna exploit kit is being used in active attacks, giving operators 23 iOS exploits and five exploit chains that reach iOS 13.0 through 17.2.1. The kit can deliver payloads that target crypto-wallet apps and steal BIP39 recovery phrases and other sensitive text, turning exploit access into financial theft. Researchers first observed the activity in February 2025 and later found the same framework on fake finance and crypto sites in late 2025. The kit also fingerprints the device and OS version, then stops when Lockdown Mode or private browsing is enabled.

Related Happenings

Apple iOS, macOS, and Safari security updates (multiple vulnerabilities)

Security Patch Release
H score33 First: 30.06.2026 10:15 Last: 30.06.2026 10:15 Sources 1

About this happening: **Apple** released security updates for **iOS**, **macOS**, and **Safari** that fix **over three dozen flaws**, including **four WebKit vulnerabilities**. The update bundle covers...

WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)

Vulnerability
H score1 First: 30.06.2026 10:15 Last: 30.06.2026 10:15 Sources 1

About this happening: **WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...

Apple Passwords app and Safari add Apple Intelligence-powered automatic password repair

Security Tool/Service
H score10 First: 09.06.2026 00:03 Last: 09.06.2026 00:03 Sources 1

About this happening: **Apple Passwords app** and **Safari** are adding an **Apple Intelligence** feature that can automatically repair weak or compromised passwords, reducing password-hygiene risk for...

Apple and Google Messages beta rollout of cross-platform E2EE RCS

Security Tool/Service
H score11 First: 12.05.2026 16:00 Last: 12.05.2026 16:00 Sources 1

About this happening: Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
H score22 First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

Timeline

  1. 04.03.2026 21:06 1 articles · 4mo ago

    Apple patches CVE-2024-23222 in iOS 17.3

    Mitigation Patch Update

    Apple addressed CVE-2024-23222 in iOS 17.3 on January 22, 2024 after the WebKit vulnerability enabled remote code execution on iOS 17.2.1 and had already been exploited in zero-day attacks.

    Show sources
  2. 04.03.2026 21:06 2 articles · 4mo ago

    GTIG discloses Coruna iOS exploit-kit activity

    Initial Disclosure

    GTIG described Coruna as a previously undocumented 23-exploit iOS kit used against iPhone users in targeted espionage and financially motivated attacks, first observed in February 2025 with a surveillance vendor customer, later reused in summer 2025 by UNC6353 against compromised Ukrainian websites, and then seen in late 2025 on fake Chinese gambling and crypto websites attributed to UNC6691; Google added identified websites and domains to Safe Browsing and recommended iOS users upgrade or enable Lockdown Mode.

    Show sources