macrumors bot
Original poster


Google's Threat Intelligence Group (GTIG) has a new report out about a powerful iOS exploit kit called "Coruna," which traveled from a surveillance vendor's customer to a Russian espionage group to Chinese cybercriminals, revealing a sophisticated exploit "supply chain" in the process.

Described as one of the most comprehensive iOS exploit toolkits to have been documented publicly, Coruna targets iPhones running iOS 13.0 through iOS 17.2.1, containing 23 exploits across four years of iOS versions.

According to GTIG, it was first spotted in February 2025, when it was used by a customer of a commercial surveillance vendor. By summer 2025, the same framework appeared in watering hole attacks (where an attacker compromises websites that their intended targets are likely to visit) by a suspected Russian espionage group targeting Ukrainian users.

Then, in late 2025, a China-based, financially motivated actor deployed it across a large network of fake financial and crypto websites. GTIG said it was unclear how the exploit kit got passed from actor to actor, but that it suggests an active market for "second hand" zero-day exploits.

As for the kit's contents, it's described as extremely well-engineered. When someone visits an infected website, it figures out what kind of iPhone they're using and what software version it's running, then picks the right attack for that specific device. If the user has Apple's Lockdown Mode turned on though, the kit bails – it doesn't even try.

The attack code is scrambled with strong encryption, so it's hard for security researchers to intercept and analyze, and it's packaged in a custom format that the developers apparently invented themselves. The code also includes detailed notes written in English explaining how it all works, and uses attack techniques that haven't been seen publicly before, according to GTIG's analysis.

The kit targets cryptocurrency wallets and financial data, and is capable of hooking into 18 different crypto apps to exfiltrate wallet credentials. The payload can decode QR codes from images on disk, and it also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like "backup phrase" or "bank account." It even scans Apple Notes for typical seed phrases.

Anyone still on iOS 17.2.1 or earlier is potentially vulnerable to the exploit kit, which doesn't work against newer iOS versions, so make sure to update if you can. Otherwise, the takeaway seems to be that Apple's Lockdown Mode is doing its job to ward off such a powerful exploit kit, and that can only be good news for those who enable it.

Article Link: This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold
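The article gives a concrete affected range (iOS 13.0 through 17.2.1) and one mitigating setting (Lockdown Mode). For anyone managing more than one device, the practical defender task is to turn that into a fleet check. The script below is an added example, not code from the article or from GTIG's report; it assumes an inventory export where each record carries a `device_id`, an `os_version` string and a `lockdown_mode` flag (those field names and the sample records are constructed for the example).

```python
"""Fleet triage for the iOS version range named in the Coruna report.

Added example; not part of the article or GTIG's report. Assumes an
inventory export with constructed field names: device_id, os_version,
lockdown_mode.
"""
from typing import Iterable

# Range the article states: iOS 13.0 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Normalise '17.2', '17.2.1' or 'iOS 16.7.4' to a 3-int tuple so
    versions order correctly (string comparison would put '17.10' < '17.2')."""
    cleaned = text.strip().lower().removeprefix("ios").strip()
    parts = cleaned.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True when the version falls inside the range the report names."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage(version: str, lockdown_mode: bool) -> str:
    """Classify one device against the report's stated facts."""
    if not in_affected_range(version):
        # Newer than 17.2.1 (or older than 13.0, which the report does not
        # cover; such devices are out of support and deserve their own review).
        return "not-affected"
    if lockdown_mode:
        # The article reports the kit bails when Lockdown Mode is enabled.
        return "mitigated"
    return "exposed"


def triage_inventory(devices: Iterable[dict]) -> dict[str, list[str]]:
    """Bucket device IDs by triage state; unparseable versions are kept
    visible rather than silently dropped."""
    buckets: dict[str, list[str]] = {
        "exposed": [], "mitigated": [], "not-affected": [], "unparseable": []
    }
    for d in devices:
        try:
            state = triage(d["os_version"], d.get("lockdown_mode", False))
        except ValueError:
            state = "unparseable"
        buckets[state].append(d["device_id"])
    return buckets


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    {"device_id": "ipad-001", "os_version": "17.2.1", "lockdown_mode": False},
    {"device_id": "iphone-002", "os_version": "17.3", "lockdown_mode": False},
    {"device_id": "iphone-003", "os_version": "16.7.4", "lockdown_mode": True},
    {"device_id": "iphone-004", "os_version": "iOS 13.0", "lockdown_mode": False},
    {"device_id": "iphone-005", "os_version": "12.5.7", "lockdown_mode": False},
    {"device_id": "iphone-006", "os_version": "beta", "lockdown_mode": False},
]

if __name__ == "__main__":
    for state, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{state:>13}: {', '.join(ids) or '-'}")
```

The "exposed" bucket is the update list; "mitigated" devices still want the update, since Lockdown Mode refusing this particular kit says nothing about the next one.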
 
You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

Probably not a single person who accesses this forum is the intended target for lockdown mode.
The intended target is anyone and everyone that the bad actors can get to. I think many here are under the misguided mindset (thanks to Apple) that Lockdown Mode is only for certain people. Believing that rhetoric from Apple is how you can get in trouble.
 
You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

I'd be fine with Lockdown Mode if it wasn't for these two limitations:
  • Incoming FaceTime calls from people you have not previously called are blocked. Incoming invitations for other Apple services from people you have not previously invited are also blocked.
  • Some complex web technologies and browsing features, including just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode. This protection applies to Safari and all other web browsers using WebKit across the ‌iPhone‌, ‌iPad‌, and Mac.

The first one doesn't seem practical/scalable if everybody uses it. The second one sounds like it would make web browsing painfully slow.

However, its other safeguards would be fine with me. All else being equal I prefer stronger sandboxes over retrospective patches.
 
Apple should see these types of attacks as they come into the phone and should be able to block them. They should be making sure apps cannot bleed into other parts of the phone, etc. If Lockdown Mode is the answer, then we should all sell our smartphones and go back to the '90s for a dumb phone.
 
Apple should see these types of attacks as they come into the phone and should be able to block them. They should be making sure apps cannot bleed into other parts of the phone, etc. If Lockdown Mode is the answer, then we should all sell our smartphones and go back to the '90s for a dumb phone.
Yes, they already sandbox all apps, but there still need to be ways to communicate internally in the phone. The problem, as with all software, is that they are never perfect.
It is up to you as the user to do threat and risk assessment and decide which measures are right for you.
 
Thank goodness all the very bad countries using this technique are being mentioned in this article because apparently only they are capable of committing these crimes. I am relieved to know who I should dislike according to the media. Thank you.

Which is an especially interesting choice because it likely has US origins:


 
Scary article UwU

Ps: imagine how many exploits exist for iOS 26 and we will find out about it when “times” come…. Or maybe not at all, maybe they will be reusable on the next iOS, who knows…. Only secret CS agencies know…. UwU scary/ foil cap
 
I'd be fine with Lockdown Mode if it wasn't for these two limitations:
  • Incoming FaceTime calls from people you have not previously called are blocked. Incoming invitations for other Apple services from people you have not previously invited are also blocked.
  • Some complex web technologies and browsing features, including just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode. This protection applies to Safari and all other web browsers using WebKit across the ‌iPhone‌, ‌iPad‌, and Mac.

The first one doesn't seem practical/scalable if everybody uses it. The second one sounds like it would make web browsing painfully slow.

However, its other safeguards would be fine with me. All else being equal I prefer stronger sandboxes over retrospective patches.
I have yet to experience any problems viewing the web with Lockdown Mode enabled. I am not saying it can’t happen, mind you, but it seems (at this point) to be a niche experience problem.
 
You know what else "stops it cold"? Updating your phone. And it isn't overkill/horribly inconvenient like lockdown mode is.

Probably not a single person who accesses this forum is the intended target for lockdown mode.

Your own words contradict your statement.

You know less than you think you do; a complicated issue, so you definitely don't have to, or be expected to. But you know a lot less than you think you do.
This isn't the forum for this kind of talk, but.. if you think "you know" security because "your stance" is to "regularly" update your phone?

I've got a bridge to sell you. Nice view too, very scenic.
 
I have yet to experience any problems viewing the web with Lockdown Mode enabled. I am not saying it can’t happen, mind you, but it seems (at this point) to be a niche experience problem.

There are some performance issues on heavy websites but those usually already don't work very well on the phone anyway. If one is serious about Lockdown mode, the phone also should probably not be used for a lot of general purpose activity so really it shouldn't come up much.
 
exploit kit attempting to crack crypto wallets is like douches trying to scam ah*les so sympathy level set to 0 for everything
 
The intended target is anyone and everyone that the bad actors can get to. I think many here are under the misguided mindset (thanks to Apple) that Lockdown Mode is only for certain people. Believing that rhetoric from Apple is how you can get in trouble.
Kind of disagree. Sure, everyone is at risk.

But state actors only care about journalists, political figures, and other visible people.

Russia doesn’t really care about you or me. Unless we work at a nuclear facility or are a senator, you are not at the same level of risk.
 