Google Threat Intelligence Group has discovered a new iOS exploit called Coruna that can attack iPhones running iOS 13.0–17.2.1 to steal Mnemonics phrases from encrypted cryptocurrency wallets.
This toolkit includes multiple exploit chain and vulnerabilities, allegedly linked to Russian intelligence groups targeting Ukrainian users, then spreading to fake Chinese-language websites to steal Cryptoasset.
- Coruna targets iOS 13.0–17.2.1, stealing cryptocurrency wallet Mnemonics .
- It includes 5 iOS exploit chain and 23 vulnerabilities, some of which have never been disclosed before.
- It is recommended to update to the latest iOS or enable Lock Mode; Coruna is not compatible with the latest iOS.
What is Coronavirus and how does it affect iPhone users?
Coruna is an iOS exploit kit capable of extracting sensitive data from cryptocurrency wallet applications on iPhones running iOS 13.0 to 17.2.1.
According to a report by Google Threat Intelligence Group, Coruna includes five complete iOS exploit chain and 23 vulnerabilities, some of which have never been disclosed before. The primary target is described as stealing mnemonic phrases from encrypted wallets.
GTIG identified the targeted applications as Uniswap and MetaMask . When users accessed these malicious websites using iOS devices, the toolkit scanned text containing Mnemonics phrases and keywords such as "backup phrases," "bank accounts," and then extracted sensitive information from the encrypted applications.
Who is behind this, and what should users do?
GTIG said it first detected Coruna in February 2025 and traced its use to suspected Russian intelligence organizations targeting Ukrainian users.
Subsequently, Coruna appeared on fake encryption websites in Chinese with the goal of stealing Cryptoasset. GTIG recommends that iPhone users update to the latest iOS version or enable Lock Mode to reduce risk, while noting that this toolkit is not compatible with the latest iOS version.
