Security researchers reported a sophisticated iPhone exploitation framework dubbed Coruna that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe five exploit chains spanning 20+ vulnerabilities affecting iOS 13 through 17.2.1, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by Russian intelligence against Ukrainian targets and subsequent adoption by a cybercrime group for cryptocurrency theft.
Separate mobile-threat reporting detailed multiple Android campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a RedAlert trojanized app impersonating Israel’s Home Front Command alerting application, using a multi-stage APK/DEX loader chain (including an assets/ payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized PromptSpy, an Android RAT with VNC-based remote control that integrates Google Gemini to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled ZeroDayRAT as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
11 events from the most recent confirmed update back to the earliest known activity.
Google's Threat Intelligence Group and iVerify reported on Coruna, a professionally developed iPhone exploitation framework with five exploit chains using more than 20 vulnerabilities affecting iOS 13 through 17.2.1. They assessed it may have originated as a U.S.-built or U.S.-government-linked capability that later proliferated to foreign spies and cybercriminals.
Zimperium described ZeroDayRAT as a modular Android spyware and financial-theft platform spread through social-engineering lures and sideloaded apps. The malware supports screen capture, keylogging, credential harvesting, and exfiltration from banking, payment, and personal apps while using stealth techniques to evade signature-based detection.
Dynamic analysis showed the malicious package com.red.alertx continued delivering real rocket alerts to maintain credibility while aggressively requesting dangerous permissions. Once any permission was granted, it staged SMS, contacts, and GPS data locally and exfiltrated it via persistent HTTP POST traffic to attacker infrastructure.
CloudSEK reported an Android trojanized app impersonating Israel's Home Front Command "Red Alert" app and spreading through SMS spoofing. The malware uses a three-stage loader chain to evade analysis while presenting a convincing copy of the legitimate app.
The Nextgov report cites a recent U.S. legal case in which a former Trenchant employee pleaded guilty to selling exploits to a Russian broker believed to be Operation Zero. The broker was later sanctioned by the U.S. Treasury.
PolySwarm documented PromptSpy as an Android RAT that uses Google Gemini to analyze screen XML dumps and return JSON gesture instructions for maintaining persistence. The malware also includes VNC-based remote control, credential capture, screenshots, and anti-removal overlays.
PromptSpy was distributed through a website impersonating a Chase Bank portal, mgardownload[.]com, using a dropper app branded "MorganArg." The campaign appears financially motivated and targets users in Argentina.
The reporting says Coruna shows overlap with the 2023 Triangulation campaign, a high-end iPhone exploitation operation. This places the framework or related capabilities in circulation by 2023.
Researchers reported that Coruna was subsequently used by cybercriminals to steal cryptocurrency from Chinese-speaking victims. This marked a shift from apparent espionage use to financially motivated criminal exploitation.
Google and iVerify assessed that the Coruna toolkit was later used in a Russian espionage campaign targeting Ukrainian websites. The activity used malicious web content to fingerprint devices, achieve remote code execution, and bypass iOS protections on older iPhones.
Researchers said the iPhone exploitation framework dubbed Coruna appears to have first been used operationally by a customer of a surveillance company. This is the earliest reported stage in the toolkit's observed history, before later espionage and criminal adoption.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
nextgov.com
Open sourcecloudsek.com
Open sourcezimperium.com
Open sourceblog.polyswarm.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.