Historic DNS timeline for a C2 domain that used a mix of Cloudflare and non-Cloudflare IP addresses | Image: Validin
New research from Validin sheds light on the rapid evolution and expansion of “Coruna,” a sophisticated iOS exploit kit targeting iPhone users. Originally detailed by Google Threat Intelligence Group (GTIG) and iVerify, the kit has morphed from a specialized surveillance tool into a mass-deployed weapon used in global crypto-draining schemes and opportunistic political lures.
First appearing in February 2025, Coruna is notable for its sheer scale. The kit is armed with “five full exploit chains across 23 individual exploits targeting iOS versions 13 through 17.2.1”.
The campaign’s trajectory shows a disturbing trend of “opportunistic abuse”:
- Surveillance Origin: Initially used by customers of a private surveillance firm.
- Watering Hole Attacks: Observed targeting compromised Ukrainian websites in mid-2025.
- Mass Crypto Scams: Deployed across Chinese scam websites to drain cryptocurrency wallets.
- War-Themed Lures: Most recently linked to a new cluster of Iran war-themed websites.
The latest shift involves domains registered as recently as March 1, 2026, using highly emotive title tags such as “Vigil for Iran Support Page” and “دعم عاجل لإيران” (Urgent support for Iran). These droppers were found on domains like iransupport.cyou and firansupport.cyou, suggesting that threat actors are leveraging geopolitical tensions to lure victims into the infection chain.
According to Validin’s analysis, “Based on the variation of the themes and layouts found in the YARA matches, it seems likely that there’s more than one threat actor, there’s opportunism in lure choices, and there’s possibly a mix of custom-purpose domains and compromised websites hosting these droppers”.
By analyzing historical DNS records and host response patterns, researchers mapped a sprawling network of PLASMAGRID C2 domains. Validin identified several distinct traits shared by these servers, including a unique “32 byte response on port 443” and a specific “404 Not Found” response banner.
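The pivot described above, from host-response fingerprints to related domains through historical DNS, can be reproduced in a few lines over a scan dataset and a passive-DNS dataset. The script below is an added example, not Validin's tooling: the scan rows, passive-DNS rows and IP addresses are constructed placeholders in documentation ranges, and the shared-edge set stands in for CDN addresses (the article's figure shows one domain moving between Cloudflare and non-Cloudflare hosting), which must be excluded because a shared edge serves many unrelated tenants.

```python
"""Infrastructure pivot: host-response fingerprints -> historical DNS -> domains.
Added example; every record below is constructed, not data from the article."""
from collections import defaultdict

# Constructed scan observations: one row per (ip, port) probe.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "response_len": 32,   "banner": ""},
    {"ip": "203.0.113.10", "port": 80,  "response_len": 162,  "banner": "HTTP/1.1 404 Not Found"},
    {"ip": "203.0.113.11", "port": 443, "response_len": 32,   "banner": ""},
    {"ip": "198.51.100.5", "port": 443, "response_len": 1420, "banner": "HTTP/1.1 200 OK"},
    {"ip": "192.0.2.77",   "port": 443, "response_len": 32,   "banner": ""},
]

# Constructed passive-DNS rows: domain -> ip with the observation window.
PDNS_RECORDS = [
    {"domain": "c2-a.example",      "ip": "203.0.113.10", "first_seen": "2025-06-01", "last_seen": "2025-09-30"},
    {"domain": "c2-a.example",      "ip": "192.0.2.77",   "first_seen": "2025-10-01", "last_seen": "2026-03-01"},
    {"domain": "c2-b.example",      "ip": "203.0.113.11", "first_seen": "2025-11-12", "last_seen": "2026-02-20"},
    {"domain": "benign.example",    "ip": "198.51.100.5", "first_seen": "2024-01-01", "last_seen": "2026-03-01"},
    {"domain": "unrelated.example", "ip": "192.0.2.77",   "first_seen": "2025-01-01", "last_seen": "2026-03-01"},
]

# Placeholder for shared CDN edge addresses (constructed, not real ranges).
# A shared edge fronts many unrelated sites, so it is never a pivot on its own.
SHARED_EDGE_IPS = {"192.0.2.77"}


def host_traits(scan_records):
    """Map each IP to the set of fingerprint traits it exhibits: the 32-byte
    reply on 443 and the 404 banner quoted in the article."""
    traits = defaultdict(set)
    for rec in scan_records:
        if rec["port"] == 443 and rec["response_len"] == 32:
            traits[rec["ip"]].add("len32_443")
        if "404 Not Found" in rec["banner"]:
            traits[rec["ip"]].add("banner_404")
    return dict(traits)


def pivot_domains(scan_records, pdns_records, min_traits=1):
    """Return sorted (domain, ip) pairs whose IP shows at least min_traits
    traits, skipping shared edges so a CDN address cannot drag in tenants."""
    traits = host_traits(scan_records)
    hits = set()
    for row in pdns_records:
        ip = row["ip"]
        if ip in SHARED_EDGE_IPS:
            continue
        if len(traits.get(ip, ())) >= min_traits:
            hits.add((row["domain"], ip))
    return sorted(hits)


def domain_timeline(pdns_records, domain):
    """Hosting history for one domain in first_seen order, flagging periods
    spent behind a shared edge, in the spirit of the article's DNS timeline."""
    rows = [r for r in pdns_records if r["domain"] == domain]
    rows.sort(key=lambda r: r["first_seen"])
    return [(r["first_seen"], r["last_seen"], r["ip"], r["ip"] in SHARED_EDGE_IPS)
            for r in rows]


if __name__ == "__main__":
    all_traits = host_traits(SCAN_RECORDS)
    for domain, ip in pivot_domains(SCAN_RECORDS, PDNS_RECORDS):
        print(f"{domain} <- {ip} traits={sorted(all_traits[ip])}")
    for entry in domain_timeline(PDNS_RECORDS, "c2-a.example"):
        print(entry)
```

Raising `min_traits` trades recall for precision: with both traits required, only the IP that shows the 32-byte reply and the 404 banner survives, which is the kind of corroboration you want before treating a pivot as a confirmed C2 node rather than a lead to verify.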
The dropper pages utilize a specific JavaScript initialization known as LaSDK.init to communicate with C2 servers like fgr1w2gnsdvsb.xyz. To hide the malicious activity, the exploit code is often loaded through an iframe “configured to load offscreen with custom CSS”.
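The two page-level indicators above, a `LaSDK.init` call and an iframe pushed offscreen with inline CSS, are enough for a first-pass triage of crawled HTML. The scanner below is an added example written for this article, not code from Validin or the researchers: it uses only the standard library, the two sample pages are constructed, and the hostnames in them are placeholders. It collects iframes whose `style` hides or offsets them, records `LaSDK.init` calls, and pulls hostnames out of script text so an analyst can pivot on them.

```python
"""Triage crawled HTML for Coruna-style dropper indicators.
Added example with constructed samples; hostnames are placeholders."""
import re
from html.parser import HTMLParser

# Inline CSS patterns that keep an element out of view: negative offsets,
# zero size, zero opacity, hidden visibility, or display:none.
OFFSCREEN_CSS = re.compile(
    r"(?:(?:left|top|right|bottom)\s*:\s*-\d"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![\w.])"
    r"|opacity\s*:\s*0(?![\w.])"
    r"|visibility\s*:\s*hidden"
    r"|display\s*:\s*none)",
    re.IGNORECASE,
)
INIT_CALL = re.compile(r"\bLaSDK\.init\s*\(")
SCRIPT_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


class DropperIndicatorParser(HTMLParser):
    """Collect script text and the src of any iframe styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_chunks = []
        self.hidden_iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "iframe" and OFFSCREEN_CSS.search(attrs.get("style") or ""):
            self.hidden_iframes.append(attrs.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_chunks.append(data)


def scan_html(html):
    """Return the indicators found plus a coarse verdict for analyst triage."""
    parser = DropperIndicatorParser()
    parser.feed(html)
    parser.close()
    script = "".join(parser.script_chunks)
    hosts = list(dict.fromkeys(SCRIPT_HOST.findall(script)))  # dedupe, keep order
    has_init = bool(INIT_CALL.search(script))
    if has_init and parser.hidden_iframes:
        verdict = "dropper-like"
    elif has_init or parser.hidden_iframes:
        verdict = "review"  # hidden iframes alone are common (embeds, trackers)
    else:
        verdict = "clean"
    return {
        "lasdk_init": has_init,
        "hidden_iframes": parser.hidden_iframes,
        "script_hosts": hosts,
        "verdict": verdict,
    }


# Constructed sample resembling the lure pages described; placeholder host.
SUSPICIOUS_PAGE = """<html><head><title>Vigil for Iran Support Page</title></head>
<body><h1>Vigil for Iran Support Page</h1>
<script>LaSDK.init({endpoint: "https://c2.placeholder.example/api"});</script>
<iframe src="https://c2.placeholder.example/ld"
 style="position:absolute;left:-9999px;top:-9999px;width:1px;height:1px"></iframe>
</body></html>"""

# Constructed benign sample: a visible embed and unrelated script.
BENIGN_PAGE = """<html><body>
<iframe src="https://video.example/embed/1" style="width:560px;height:315px"></iframe>
<script>console.log("ready");</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The verdict is deliberately coarse: an offscreen iframe by itself is ordinary web plumbing, so only the combination with the SDK call is promoted to "dropper-like", while either indicator alone is queued for a human look. The extracted hostnames feed the DNS pivot rather than serving as a blocklist on their own.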
The investigation into Coruna has revealed over 200 domains appearing to deliver this exploit path in just the last seven days. The diversity of the lures—ranging from “2026 Lucky Wheel Draw” and “AlphaDrop Airdrop” to “Create Your AI Girlfriend”—indicates a highly active ecosystem where multiple actors may be utilizing the same exploit kit for different criminal ends.
As these exploits are “well beyond their original context,” iPhone users are urged to keep their devices updated to the latest iOS versions to mitigate the risk of these known vulnerabilities.