iPhone Users Warned: Crypto Scams Can Trigger ‘Coruna’ iOS Exploits

Ah, the joys of modern technology! Google’s Threat Intelligence Group (GTIG) has graced us with a revelation so delightful it could only be matched by a free lunch at a Michelin-starred restaurant. Apparently, there is a new, “powerful” iOS exploit kit named Coruna. No, it’s not a new cocktail, though it’s sure to leave you feeling under the weather. This little gem has been deployed on fake finance and crypto websites, designed to lure unsuspecting iPhone users into visiting pages that can, without so much as a “Hello,” silently inject exploits into your device. For all the crypto enthusiasts out there, take heed: the scam’s end goal is rather blunt. GTIG’s analysis suggests that these campaigns are geared towards harvesting seed phrases and wallet data from your precious mobile apps.

Coruna targets Apple devices running iOS 13.0 through iOS 17.2.1, which, let’s face it, is a wide range. And it doesn’t come empty-handed; oh no, it bundles a delightful package of five full exploit chains and 23 exploits. How generous. GTIG says they tracked the kit’s evolution over 2025, from its humble beginnings as a tool for a commercial surveillance company to its more ambitious later use, where it employed “watering hole” attacks on compromised Ukrainian websites. Finally, it blossomed into full-scale distribution via Chinese-language scam sites tied to a financially motivated actor they charmingly refer to as UNC6691. Such whimsy in nomenclature.

A Crypto Lure Designed For iPhones

Now, let’s delve into the web of deceit. GTIG observed the JavaScript framework behind Coruna being deployed on a rather extensive set of fake Chinese websites, financially themed, naturally. One particularly charming example was a fake WEEX-branded crypto exchange page that checked whether each visitor had arrived on an iOS device. If you showed up on your shiny iPhone, a hidden iframe silently loaded the exploit kit, regardless of whether you were in Paris or stuck in a traffic jam in the middle of nowhere. Such an elegant approach. It’s almost as if they knew exactly where to strike.

The real artistry lies in the delivery mechanics. This isn’t your run-of-the-mill phishing; no, this is more sophisticated. Merely visiting a booby-trapped page from a vulnerable iPhone is enough to set the gears in motion. The framework gleefully fingerprints your device, identifying the model and iOS version, then loads the WebKit remote code execution exploit matching that version, along with a bypass for pointer authentication codes (PAC). How thoughtful. It’s almost as though they’ve taken the time to customize the experience just for you.

And, as if that weren’t enough, GTIG found that one WebKit RCE used by this exploit kit was tied to CVE-2024-23222, which Apple graciously addressed in iOS 17.3, released on January 22, 2024. How very generous of Apple, though it may be a touch too late for some of us.
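To see how wide that window really is, here is an added example, written for this piece and not code from GTIG or its report, that pulls the iOS version out of Safari user-agent strings in constructed web-server log lines and flags clients still inside the 13.0 through 17.2.1 range Coruna targets, the sort of audit an admin might run to find devices that need the 17.3 update. The combined log format, the sample addresses and the sample user agents are assumptions.

```python
import re
from typing import List, Optional, Tuple

# iOS range the article reports Coruna targets: 13.0 through 17.2.1 inclusive;
# Apple fixed the CVE-2024-23222 WebKit bug in iOS 17.3, so 17.3+ is outside it.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)
# Safari reports "CPU iPhone OS 17_2_1 like Mac OS X" (iPhone) or "CPU OS 16_6" (iPad).
_IOS_UA = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?")
# Last double-quoted field of a combined-format access-log line is the User-Agent.
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')

def parse_ios_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an iOS Safari User-Agent, or None if not iOS."""
    m = _IOS_UA.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def in_coruna_window(version: Tuple[int, int, int]) -> bool:
    """True when the version is inside 13.0 ... 17.2.1 (tuple comparison is lexicographic)."""
    return CORUNA_MIN <= version <= CORUNA_MAX

def flag_exposed_clients(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, ios_version) for requests from iOS versions Coruna can target."""
    exposed = []
    for line in log_lines:
        m = _UA_FIELD.search(line)
        if not m:
            continue
        version = parse_ios_version(m.group(1))
        if version and in_coruna_window(version):
            exposed.append((line.split()[0], ".".join(map(str, version))))
    return exposed

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2026:20:01:02 +0000] "GET /exchange HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [05/Mar/2026:20:01:05 +0000] "GET /exchange HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [05/Mar/2026:20:01:09 +0000] "GET /exchange HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 16_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.13 - - [05/Mar/2026:20:01:12 +0000] "GET /exchange HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"',
]

if __name__ == "__main__":
    for ip, ver in flag_exposed_clients(SAMPLE_LOG):
        print(f"{ip} is on iOS {ver}: inside the Coruna target window, update to 17.3 or later")
```

Note that 17.2.1 is flagged while 17.3 is not, so the patch-level comparison matters; a check on the major version alone would miss that boundary.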

But wait, there’s more! At the end of the chain, Coruna drops a “stager” called PlasmaLoader (tracked as PLASMAGRID), which, according to GTIG, is focused not on surveillance, but on the much more glamorous art of stealing financial information. This payload can decode QR codes from images stored on your device and scan text blobs for BIP39 word sequences and for keywords like “backup phrase” and “bank account,” all of which it gleefully exfiltrates. It’s almost as if the scammer was reading your financial diary. How quaint!

And lest you think this is just a minor issue, think again. The payload is modular and can remotely download additional modules. Many of these modules are designed to extract sensitive data from popular crypto wallet apps like MetaMask, Trust Wallet, and others. How delightful to know that your wallet’s safety is only as good as the websites you choose to visit. Sigh.

Mobile security firm iVerify also flagged this broader trend, adding their voice to the chorus of warning bells. “Phone OEMs do as good a job as anyone can do…” they said. Such a ringing endorsement. Nothing quite like a backhanded compliment.

What Crypto Users Can Do Now

So, what can our dear crypto aficionados do? GTIG suggests updating to the latest version of iOS, which, let’s face it, is probably a good idea. If that’s not possible, they recommend enabling Apple’s Lockdown Mode. They’ve also taken the liberty of adding the identified scam sites to Google Safe Browsing, just in case you’re still feeling brave.

For those with a penchant for crypto, the takeaway is clear: mobile wallets sit at the intersection of high-value assets and high-frequency web traffic. This makes them uniquely vulnerable to such “visit-to-compromise” campaigns. GTIG’s report suggests that the scammers weren’t just after your wallets; they were after your device, on the right iOS version, with everything lined up perfectly for exploitation. How thoughtful.

As of press time, the crypto market cap stands at a delightful $2.45 trillion. One wonders how much of that is still sitting safely in wallets, untouched by the cold hands of Coruna.

2026-03-05 21:04