The "EternalBlue" Moment for Mobile: Nation-State Spyware Just Became a Cybercrime Commodity

By Ryan Wentzel
Tags: Malware Analysis, threat-intelligence, cybersecurity, incident-response, risk-management
Introduction

There's a comfortable story enterprise security leaders have told themselves for years: zero-click mobile exploits are too expensive, too valuable, and too scarce to ever be aimed at ordinary employees. The elite stuff — silent iPhone compromises, full exploit chains — that's reserved for diplomats, dissidents, and the occasional C-suite target.

It's time to retire that story.

A New Kind of Leak

The Coruna iOS Exploit Kit (also tracked as CryptoWaters) has shattered the assumption that nation-state mobile weapons stay in nation-state hands. First identified by the Google Threat Intelligence Group and corroborated by mobile security firm iVerify, Coruna is a polished, professional-grade framework built to silently compromise iPhones. It contains 23 Apple iOS exploits spanning five complete exploit chains, targeting devices from iOS 13.0 through 17.2.1. It bypasses Pointer Authentication Codes, the Page Protection Layer, and most of Apple's deepest runtime defenses.

Several of Coruna's modules — nicknamed "Photon" and "Gallium" — are functionally identical to zero-days used in Operation Triangulation, the classified iOS espionage campaign uncovered in 2023.

And it's now in the hands of financially motivated cybercriminals.

How a Cyber Weapon Trickles Down

The real alarm isn't just technical sophistication. It's how fast Coruna moved through the threat ecosystem.

In early 2025, the framework appeared in tightly scoped, surgical operations run by a customer of an unnamed commercial surveillance vendor — classic spyware-for-hire targeting. By mid-2025, the same toolkit surfaced in watering hole attacks against Ukrainian critical infrastructure, attributed to UNC6353, a suspected Russian state-sponsored group. Then, late in 2025, containment failed entirely. The full framework leaked to UNC6691, a China-based financially motivated threat actor, who did something none of the original developers ever intended.

They pointed it at everyone.

UNC6691 abandoned surgical targeting and deployed Coruna across a sprawling network of fake cryptocurrency and financial trading websites, launching what researchers believe is the first mass-exploitation campaign against iOS devices using nation-state-grade tools.

What Happens After the Exploit

Traditional spyware wants total surveillance — messages, location, audio. UNC6691 wanted money. They swapped the espionage payload for a custom post-exploitation toolkit called PLASMAGRID (also known as PlasmaLoader), which injects itself into root-level iOS system daemons and goes hunting for financial data.

It hooks into the memory of at least 18 popular cryptocurrency wallets, including MetaMask, Trust Wallet, and Coinbase, intercepting private keys and transaction data in real time. It scans the Apple Notes app for 12- or 24-word BIP39 recovery phrases, flagging keywords like "backup phrase" and "bank account." It even trawls your photo library, decoding screenshots of QR codes that might contain MFA seeds or wallet addresses.

The framework is also remarkably aware of its environment. Coruna fingerprints each victim's device to serve precisely the right exploit, and it's hard-coded to abort entirely if it detects Apple's Lockdown Mode or Safari Private Browsing.

What This Means for Your Organization

The Coruna incident crystallizes something that's been building for a while: the modern mobile device isn't a phone anymore. It's a vault. Corporate identity, MFA tokens, financial access, sensitive communications — it all lives in your employees' pockets. And the barrier to attacking those devices with world-class exploits just dropped dramatically.

Here's what needs to change.

Push OS updates aggressively. The most effective defense against Coruna is also the simplest: Apple patched the core vulnerabilities in early 2024. If your MDM policies still allow devices to linger on older iOS versions, you're leaving the door open. Mandate iOS 17.3 or newer, and enforce compliance windows measured in days, not weeks.

Normalize Lockdown Mode for high-risk users. Coruna is explicitly programmed to bail out when it detects Lockdown Mode. For executives, board members, key IT staff, and anyone with elevated access, enabling this feature breaks the kill chain before it starts. It's an imperfect tool with real usability tradeoffs, but for high-value targets, those tradeoffs are worth it.

Deploy behavioral mobile threat defense. Signature-based antivirus will not catch in-memory zero-day exploit chains. You need MTD solutions that detect anomalous process injections and unauthorized memory allocations at the device level.

Hunt the infrastructure. Your SOC should be monitoring network egress for connections to dynamically generated .xyz domains (PLASMAGRID's fallback C2 mechanism) and watching for anomalous HTTP POST headers like sdkv and x-ts.
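As an added illustration of the egress hunting described above (this is not code from the original article, Google or iVerify), the following Python applies both checks to constructed proxy log lines: it flags POST requests carrying the sdkv or x-ts headers, and it flags .xyz hosts whose label looks algorithmically generated. The hostnames, IPs and header values are invented samples, and the length/entropy threshold is an assumed heuristic rather than a published indicator.

```python
import json
import math
from collections import Counter

# Constructed sample egress log (JSON, one event per line). Hosts, IPs and
# header values are invented for illustration; they are not real indicators.
SAMPLE_LOG = """\
{"src":"10.20.5.17","method":"POST","host":"q7x2v9kd3mzp.xyz","headers":{"sdkv":"2.1","x-ts":"1730000000"}}
{"src":"10.20.5.17","method":"GET","host":"www.apple.com","headers":{"user-agent":"Mozilla/5.0"}}
{"src":"10.20.5.22","method":"POST","host":"api.example.com","headers":{"content-type":"application/json"}}
{"src":"10.20.5.31","method":"POST","host":"blog.xyz","headers":{"content-type":"text/plain"}}
"""

# Header names the article calls out as anomalous on POST requests.
SUSPICIOUS_HEADERS = {"sdkv", "x-ts"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high values suggest generated names."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(host: str) -> bool:
    """Assumed heuristic: a .xyz host whose registrable label is long and high-entropy."""
    if not host.endswith(".xyz"):
        return False
    label = host[:-len(".xyz")].split(".")[-1]
    return len(label) >= 10 and shannon_entropy(label) > 3.0

def analyze_egress(log_text: str) -> list:
    """Return one alert per event that trips either check, with the reasons."""
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        hdrs = {k.lower() for k in ev.get("headers", {})}
        reasons = []
        hit = hdrs & SUSPICIOUS_HEADERS
        if ev["method"] == "POST" and hit:
            reasons.append("post_headers:" + ",".join(sorted(hit)))
        if looks_generated(ev["host"]):
            reasons.append("generated_xyz_domain")
        if reasons:
            alerts.append({"src": ev["src"], "host": ev["host"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze_egress(SAMPLE_LOG):
        print(alert)
```

In production the same two checks would be expressed as a SIEM rule over your proxy or DNS telemetry, with the entropy threshold tuned against your own baseline of legitimate .xyz traffic.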

The Bigger Picture

Coruna is not an isolated incident. It's proof that the secondary market for advanced cyber weapons is mature, active, and accelerating. The containment model for commercial spyware — the idea that these tools stay within the control of their original operators — has failed.

For security leaders, the implication is straightforward: mass-scale, sophisticated mobile exploitation is no longer a theoretical edge case. It's an operational reality that belongs in your threat model today.
