This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold - MacRumors
Skip to Content

This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold

by

Google's Threat Intelligence Group (GTIG) has a new report out about a powerful iOS exploit kit called "Coruna," which traveled from a surveillance vendor's customer to a Russian espionage group to Chinese cybercriminals, revealing a sophisticated exploit "supply chain" in the process.

apple lock security bug vulnerability fix privacy
Described as one of the most comprehensive iOS exploit toolkits to have been documented publicly, Coruna targets iPhones running iOS 13.0 through iOS 17.2.1, containing 23 exploits across four years of iOS versions.

According to GTIG, it was first spotted in February 2025, when it was used by a customer of a commercial surveillance vendor. By summer 2025, the same framework appeared in watering hole attacks (where an attacker compromises websites that their intended targets are likely to visit) by a suspected Russian espionage group targeting Ukrainian users.

Then, in late in 2025, a China-based, financially motivated actor deployed it across a large network of fake financial and crypto websites. GTIG said it was unclear how the exploit kit got passed from actor to actor, but that it suggests an active market for "second hand" zero-day exploits.

As for the kit's contents, it's described as extremely well-engineered. When someone visits an infected website, it figures out what kind of iPhone they're using and what software version it's running, then picks the right attack for that specific device. If the user has Apple's Lockdown Mode turned on though, the kit bails – it doesn't even try.

The attack code is scrambled with strong encryption, so it's hard for security researchers to intercept and analyze, and it's packaged in a custom format that the developers apparently invented themselves. The code also includes detailed notes written in English explaining how it all works, and uses attack techniques that haven't been seen publicly before, according to GTIG's analysis.

The kit targets cryptocurrency wallets and financial data, and is capable of hooking into 18 different crypto apps to exfiltrate wallet credentials. The payload can decode QR codes from images on disk, and it also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like "backup phrase" or "bank account." It even scans Apple Notes for typical seed phrases.

Anyone still on iOS 17.2.1 or earlier is potentially vulnerable to the exploit kit, which doesn't work against newer iOS versions, so make sure to update if you can. Otherwise, the takeaway seems to be that Apple's Lockdown Mode is doing its job to ward off such a powerful exploit kit, and that can only be good news for those who enable it.

Tags: Cybersecurity, Security

Popular Stories

lock screen notifications for iPhones running out of date versions of iOS feature 3

Apple Now Sending Critical Security Alerts to iPhones Running iOS 17 and Earlier

Friday March 27, 2026 7:21 am PDT by
Apple has begun pushing Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS, warning users of active web-based attacks. The alerts, which appear as a "Critical Software" notification from the Settings app, warn that Apple "is aware of attacks targeting out-of-date iOS software, including the version on your iPhone," and urge users to install a critical...
Read Full Article92 comments
apple lock security bug vulnerability fix privacy

Apple Says No iPhone in Lockdown Mode Has Ever Been Hacked

Friday March 27, 2026 9:33 am PDT by
Apple says it has no record of a successful spyware attack against any device running Lockdown Mode, the opt-in security feature it introduced in 2022. "We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device," an Apple spokesperson told TechCrunch. Lockdown Mode is available on the iPhone, iPad, and Mac, and dramatically restricts...
Read Full Article39 comments
macOS 27 on MacBook Pro

macOS 27 Will Mark the End of an Era

Saturday April 18, 2026 6:45 am PDT by
During its Platforms State of the Union segment at WWDC 2025, Apple revealed that macOS 26 Tahoe is the final major macOS version for Intel-based Macs. The upcoming macOS 27 release will be compatible with Apple silicon Macs only, meaning that you will need a Mac with an M-series chip or a MacBook Neo with an A18 Pro chip in order to install the software update. macOS 27 should be available...
Read Full Article218 comments

Top Rated Comments

K
kevcube
6 weeks ago
You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

Probably not a single person who accesses this forum is the intended target for lockdown mode.
Score: 18 Votes (Like | Disagree)
C
CarAnalogy
6 weeks ago

You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

Probably not a single person who accesses this forum is the intended target for lockdown mode.
It stops these attacks. The point of Lockdown mode is to stop zero days aka unknown attacks.
Score: 11 Votes (Like | Disagree)
B
bzgnyc2
6 weeks ago

Thank goodness all the very bad countries using this technique are being mentioned in this article because apparently only they are capable of committing these crimes. I am relieved to know who I should dislike according to the media. Thank you.
Which is an especially interesting choice because it likely has US origins:

https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

https://www.nextgov.com/cybersecurity/2026/03/potential-us-built-hacking-tools-obtained-foreign-spies-and-cybercriminals-research-says/411861/?oref=ng-homepage-river
Score: 9 Votes (Like | Disagree)
N
now i see it
6 weeks ago
As they say - getting involved with cryptocurrency is basically gambling- beware
Score: 8 Votes (Like | Disagree)
J
justanotherdave
6 weeks ago

Correct ... but we need to keep the Apple security & privacy theater up and running.
Theatre? More like fact. Easily verifiable fact.
Score: 7 Votes (Like | Disagree)
Apple_Robert Avatar
Apple_Robert
6 weeks ago

You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

Probably not a single person who accesses this forum is the intended target for lockdown mode.
The intended target is anyone and everyone that the bad actors can get to. I think many here are under the misguided mindset (thanks to Apple) that Lockdown Mode is only for certain people. Believing that rhetoric from Apple is how you can get in trouble.
Score: 7 Votes (Like | Disagree)
Read All Comments