UNC6353 and UNC6691 Coruna iOS exploit campaign
Campaign
Summary
Hide ▲
Show ▼
The Coruna iOS exploit campaign spread through watering-hole and fake finance/crypto lures, extending reach from iPhone users to crypto users. UNC6353 used the framework against compromised Ukrainian websites in summer 2025, and UNC6691 later tied it to fake gambling and crypto sites in late 2025. The shift matters because the same exploit kit was reused across espionage and financial theft operations, broadening the risk to ordinary mobile users. The kit also selected exploit chains by device fingerprint and could stop when Lockdown Mode or private browsing was enabled.
Cases
Related Happenings
WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)
Vulnerability
H score1
First: 30.06.2026 10:15
Last: 30.06.2026 10:15
Sources 1
About this happening:
**WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...
WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
H score8
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet Apple App Store wallet-stealing apps
Malware ActivityAbout this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Malicious actor campaign expands across multiple victims
Campaign
H score14
First: 14.04.2026 19:37
Last: 14.04.2026 19:37
Sources 1
About this happening:
A **fake Ledger Live app** in **Apple’s App Store** drained about **$9.5 million** in cryptocurrency from **50 victims** in a few days, indicating a broader **wallet-theft campaig...
Malicious actor campaign expands across multiple victims
CampaignAbout this happening: A **fake Ledger Live app** in **Apple’s App Store** drained about **$9.5 million** in cryptocurrency from **50 victims** in a few days, indicating a broader **wallet-theft campaig...
Operation Triangulation updated iPhone espionage campaign
Campaign
H score41
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Operation Triangulation updated iPhone espionage campaign
CampaignAbout this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Timeline
-
04.03.2026 21:06 2 articles · 4mo ago
Coruna iOS exploit kit linked to espionage and crypto theft
Initial DisclosureCoruna is a previously undocumented iOS exploit kit with 23 exploits and five full exploit chains that affected iOS 13.0 through 17.2.1 and included CVE-2024-23222. GTIG first observed related activity in February 2025, later saw UNC6353 use the same framework in summer 2025 watering-hole attacks against iPhone users visiting compromised Ukrainian websites, and attributed late-2025 activity on fake Chinese gambling and crypto websites to UNC6691. Google added identified sites and domains to Safe Browsing and recommended updating iOS or enabling Lockdown Mode.
Show sources
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks — www.bleepingcomputer.com — 04.03.2026 21:06
- New “Darksword” iOS exploit used in infostealer attack on iPhones — www.bleepingcomputer.com — 18.03.2026 16:02