Google Warns of 'Coruna' Exploit Kit Targeting iPhone Users to Steal Crypto Data

GTIG reports that the 'Coruna' iOS exploit kit is actively deployed via fake finance and crypto websites, capable of harvesting wallet seed phrases and financial data from iPhones running iOS 13.0–17.2.1.

Fact Check
The claim is fully supported by the official Google Threat Intelligence Group report and multiple reputable news outlets. The details regarding the exploit kit name ('Coruna'), the targeted iOS versions (13.0–17.2.1), the specific goal of stealing seed phrases from Uniswap and MetaMask users, and the involvement of Russian actors are all verified.
Summary

Google’s Threat Intelligence Group details that the 'Coruna' exploit kit targets iPhones on iOS 13.0–17.2.1, using five exploit chains and 23 exploits to harvest cryptocurrency wallet seed phrases and financial data. The malware is distributed via fraudulent Chinese finance and crypto websites and delivers the PlasmaLoader payload to extract sensitive information from wallets including MetaMask, Trust Wallet, Uniswap, Phantom, Exodus, and Tonkeeper. Users are advised to update iOS or enable Lockdown Mode; affected sites have been added to Google Safe Browsing.

Terms & Concepts
  • Seed phrase: A sequence of words that allows recovery of a cryptocurrency wallet; possession grants full access to the wallet’s funds.
  • PlasmaLoader (PLASMAGRID): A malware stager deployed by Coruna that extracts financial information and wallet data, capable of downloading additional modules remotely.
  • WebKit RCE: A remote code execution vulnerability in Apple’s WebKit browser engine, exploited by Coruna to compromise iOS devices.