UNC6353 and UNC6691 Coruna iOS exploit campaign
Campaign
Summary
The Coruna iOS exploit campaign spread through watering-hole attacks and fake finance/crypto lures, extending its reach from iPhone users to crypto users. UNC6353 used the framework on compromised Ukrainian websites in summer 2025, and UNC6691 was later tied to its use on fake gambling and crypto sites in late 2025. The shift matters because the same exploit kit was reused across espionage and financial theft operations, broadening the risk to ordinary mobile users. The kit also selected exploit chains by device fingerprint and could stop when Lockdown Mode or private browsing was enabled.
Cases
Related Happenings
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Malicious actor campaign expands across multiple victims
Campaign
First: 14.04.2026 19:37
Last: 14.04.2026 19:37
Sources 1
About this happening:
A **fake Ledger Live app** in **Apple’s App Store** drained about **$9.5 million** in cryptocurrency from **50 victims** in a few days, indicating a broader **wallet-theft campaig...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Coruna watering-hole and fake-site exploitation campaign
Campaign
First: 26.03.2026 13:07
Last: 26.03.2026 13:07
Sources 1
About this happening:
A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
Timeline
- 04.03.2026 21:06 · 2 articles · 2mo ago
Coruna iOS exploit kit linked to espionage and crypto theft
Initial Disclosure
Coruna is a previously undocumented iOS exploit kit with 23 exploits and five full exploit chains that affected iOS 13.0 through 17.2.1 and included CVE-2024-23222. GTIG first observed related activity in February 2025, later saw UNC6353 use the same framework in summer 2025 watering-hole attacks against iPhone users visiting compromised Ukrainian websites, and attributed late-2025 activity on fake Chinese gambling and crypto websites to UNC6691. Google added identified sites and domains to Safe Browsing and recommended updating iOS or enabling Lockdown Mode.
Sources:
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks — www.bleepingcomputer.com — 04.03.2026 21:06
- New “Darksword” iOS exploit used in infostealer attack on iPhones — www.bleepingcomputer.com — 18.03.2026 16:02