Overview
- Google’s Threat Intelligence Group detailed a full framework of five exploit chains and 23 vulnerabilities targeting iOS 13 through 17.2.1, noting it no longer works on the newest releases.
- Attackers delivered the kit through watering‑hole techniques and fake gambling and crypto sites that fingerprint the visiting device and load a chain tailored to it via hidden iframes.
- The final payload, staged by PlasmaLoader/PlasmaGrid, searches Apple Notes and app data for BIP39 recovery phrases, scans images for QR codes, and exfiltrates cryptocurrency wallet information.
- GTIG tracked usage from a surveillance‑vendor customer in February 2025 to suspected Russian UNC6353 targeting Ukrainian sites in July 2025 and then to broad December 2025 campaigns by financially motivated UNC6691 on Chinese‑language sites.
- Mobile firm iVerify estimates roughly 42,000 devices were compromised in one campaign and reports code similarities to U.S. government‑style tooling, while GTIG published IOCs and added domains to Safe Browsing as the kit’s provenance remains unresolved.
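Because the summary describes the delivery side only as "hidden iframes" on compromised or lookalike sites, a useful defender-side check is a crawler or proxy rule that flags iframes a page conceals from the user. The script below is an added example written for this page, not tooling from GTIG, iVerify or the report itself; the sample HTML is constructed, the `page_host` value is a placeholder, and the concealment heuristics (display:none, zero size, off-screen placement, the `hidden` attribute) are general assumptions about how injected loaders are hidden rather than details taken from the campaign.

```python
"""Heuristic scanner for concealed <iframe> elements in fetched HTML.

Added example, not from the GTIG/iVerify reporting. The sample page and the
hostnames in it are constructed; the hiding heuristics are assumptions about
common concealment styles, not indicators from the campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an iframe invisible or unreachable.
HIDDEN_STYLE_PATTERNS = (
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?:\.0+)?(?=\s*(?:;|$))", re.I)),
    ("zero-size style", re.compile(r"(?:width|height)\s*:\s*0(?:px|%)?(?=\s*(?:;|$))", re.I)),
    ("off-screen position", re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)),
)


def _zero_dimension(value):
    """True if a width/height attribute is 0 or 1 (effectively invisible)."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return bool(match) and int(match.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def hidden_reasons(attrs):
    """Return the list of reasons an iframe looks concealed (empty if visible)."""
    reasons = []
    style = attrs.get("style") or ""
    for name, pattern in HIDDEN_STYLE_PATTERNS:
        if pattern.search(style):
            reasons.append(name)
    if _zero_dimension(attrs.get("width")) or _zero_dimension(attrs.get("height")):
        reasons.append("zero-size attribute")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def find_hidden_iframes(html, page_host):
    """Flag concealed iframes; note when their src points at another host.

    A visible third-party iframe (video embed, payment widget) is not flagged
    on its own; only concealed frames are reported, with the foreign host
    recorded as an extra reason when present.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append(f"third-party src {host}")
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and three concealed frames.
SAMPLE_HTML = """
<html><body>
<h1>Play now</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="https://cdn-stage.example/ld.html" style="display:none;width:0;height:0"></iframe>
<iframe src="/promo.html" width="0" height="0"></iframe>
<iframe src="https://other.example/p" hidden></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "play.example"):  # placeholder host
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against a page fetched by a crawler or captured at a proxy, the function gives a triage list rather than a verdict: hidden frames pointing at a host the site does not normally load are the ones worth pulling apart in a sandbox, while the same script run over a known-good copy of the page shows what the baseline looks like.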