Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC6353 and UNC6691 Coruna iOS exploit campaign

Campaign
First reported
Last updated
Happening score
H score 42
1 unique sources, 2 articles

Summary

Hide ▲

The Coruna iOS exploit campaign spread through watering-hole and fake finance/crypto lures, extending reach from iPhone users to crypto users. UNC6353 used the framework against compromised Ukrainian websites in summer 2025, and UNC6691 later tied it to fake gambling and crypto sites in late 2025. The shift matters because the same exploit kit was reused across espionage and financial theft operations, broadening the risk to ordinary mobile users. The kit also selected exploit chains by device fingerprint and could stop when Lockdown Mode or private browsing was enabled.

Cases

Related Happenings

WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)

Vulnerability
H score1 First: 30.06.2026 10:15 Last: 30.06.2026 10:15 Sources 1

About this happening: **WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...

UNC6508 China-linked REDCap espionage campaign

Campaign
H score39 First: 15.06.2026 17:00 Last: 15.06.2026 17:00 Sources 1

About this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
H score8 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

Malicious actor campaign expands across multiple victims

Campaign
H score14 First: 14.04.2026 19:37 Last: 14.04.2026 19:37 Sources 1

About this happening: A **fake Ledger Live app** in **Apple’s App Store** drained about **$9.5 million** in cryptocurrency from **50 victims** in a few days, indicating a broader **wallet-theft campaig...

Operation Triangulation updated iPhone espionage campaign

Campaign
H score41 First: 26.03.2026 15:10 Last: 26.03.2026 15:10 Sources 1

About this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...

Timeline

  1. 04.03.2026 21:06 2 articles · 4mo ago

    Coruna iOS exploit kit linked to espionage and crypto theft

    Initial Disclosure

    Coruna is a previously undocumented iOS exploit kit with 23 exploits and five full exploit chains that affected iOS 13.0 through 17.2.1 and included CVE-2024-23222. GTIG first observed related activity in February 2025, later saw UNC6353 use the same framework in summer 2025 watering-hole attacks against iPhone users visiting compromised Ukrainian websites, and attributed late-2025 activity on fake Chinese gambling and crypto websites to UNC6691. Google added identified sites and domains to Safe Browsing and recommended updating iOS or enabling Lockdown Mode.

    Show sources