Coruna watering-hole and fake-site exploitation campaign
Campaign
Summary
A suspected Russia-aligned nation-state actor is using Coruna in watering-hole attacks in Ukraine and a mass exploitation campaign, expanding the kit’s abuse beyond its original precision-espionage role. The operation steers users who visit compromised or lure websites through a browser-fingerprinting exploit chain that can select the right payload and deliver PlasmaLoader (aka PLASMAGRID). That broadens risk for unpatched Apple iPhone users and shows how a once-targeted framework can be repurposed for wider abuse.
Cases
Related Happenings
AI-driven attack surge against customer-facing mobile apps in 2026
Target Trend
First: 19.05.2026 15:00
Last: 19.05.2026 15:00
Sources 1
About this happening:
**Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Google integrates Rust DNS parser into Pixel modem firmware
Security Tool/Service
First: 14.04.2026 13:21
Last: 14.04.2026 13:21
Sources 1
About this happening:
Google is **integrating a Rust-based DNS parser** into **Pixel modem firmware**, reducing memory-safety risk in a **remote cellular attack surface**. The change matters because th...
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Timeline
- 26.03.2026 13:07 · 2 articles
Kaspersky links Coruna to Triangulation-era exploit code
Technical Analysis Update
Kaspersky reported that the Coruna iOS exploit kit is an updated version of the kernel exploit code used in Operation Triangulation, with shared kernel exploitation framework elements, support for Apple's A17, M3, M3 Pro, and M3 Max processors, checks for iOS 17.2 and iOS 16.5 beta 4, and delivery of five full iOS exploit chains and 23 exploits that can lead to PlasmaLoader (aka PLASMAGRID) after a compromised Safari visit.
Sources:
- Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in New Mass Attacks — thehackernews.com — 26.03.2026 13:07