Cybersecurity Today – March 9, 2026: “Coruna iOS Exploit Kit Goes Mass-Market”
Host: David Shipley
Main Themes: Updates on emerging cybersecurity threats, high-profile breaches, and implications for businesses amid evolving geopolitical conflict.
Episode Overview
This episode focuses on several major stories shaping the cybersecurity landscape in early 2026, with deep dives into:
- The mass-market deployment of the sophisticated iOS Karuna exploit kit
- Another breach targeting the FBI’s surveillance infrastructure
- A new twist on social engineering campaigns abusing Windows Terminal
- Escalating Iranian cyber-attacks amid the Middle East conflict, including direct strikes on cloud data centers
David Shipley explores how advanced cyber tools, once restricted to state actors, are now being weaponized by criminal groups; the evolving threat environment facing both government and private critical infrastructure; and practical defense strategies businesses must prioritize.
Key Discussion Points & Insights
1. Karuna iOS Exploit Kit – Spyware Goes Mass-Market (00:20–06:20)
- Discovery & Capabilities
- The Karuna exploit kit surfaced in February 2025, first detected by Google’s Threat Intelligence Group (GTIG).
- Includes 23 zero-day and n-day iOS exploits (covering iOS 13–17), five of them complete exploit chains built from advanced, non-public techniques.
- Originally used in high-value espionage and targeted attacks, but late-2025 saw its release onto malicious crypto-focused websites.
- Adaptability & Features
- Dynamically selects an exploit chain based on the device’s iOS version, bypasses kernel protections such as pointer authentication codes (PAC), and escalates privileges.
- Notably, the malware ceases activity if Apple’s Lockdown Mode or private browsing are enabled.
- The final payload, “Plasma Loader” (Plasma Grid), targets crypto wallet apps (MetaMask, Fantom, Uniswap) and attempts to extract wallet recovery phrases and sensitive account information. Data is exfiltrated over encrypted channels, with a domain generation algorithm (DGA) used to keep the command-and-control infrastructure resilient.
- Criminalization of Spyware
- Once the domain of nation-state surveillance, such powerful tools are now available to financially motivated threat actors.
- Notable Quote:
“iVerify called Karuna a ‘clear example’ of how sophisticated capabilities once reserved for high value targets like government officials are now being weaponized against everyday people.” (05:30)
- The trend underscores the necessity of timely updates and using features like Lockdown Mode for everyday users.
2. FBI Surveillance Tools Breach – Vendor Risk and Critical Exposure (06:21–09:45)
- Incident Overview
- February breach of the FBI’s digital collection system network, the platform used for wiretaps and investigative tools.
- Discovered via irregular network activity; attackers reportedly gained access through a third-party ISP vendor.
- The breach prompted investigation from the White House, DHS, and NSA.
- System breached was unclassified but contained sensitive ongoing investigative data.
- Systemic Risks & Implications
- Highlights growing exposure from third-party vendors in critical law enforcement IT.
- Mirrors similar intrusions by Chinese state actors in previous breaches of US federal agencies.
- Critical Commentary:
“This story also highlights why so many cybersecurity and privacy advocates push back regularly against any notion of government backdoors into encryption services… such capabilities can be abused and, even more worrisome, hijacked by these very same hostile nation states or potentially by criminal groups.” (09:12)
- Emphasizes the difficulty of defending critical government systems from both criminals and nation-states.
3. Microsoft Windows Terminal "Click Fix" Social Engineering (09:46–13:03)
- Campaign Details
- Attackers evolved the “click fix” scam: instead of the Windows Run dialog, victims are asked to open Windows Terminal (wt.exe) with the Win + X, I shortcut and paste in a malicious script.
- The lure is presented on convincing ‘Click Fix’ pages, which makes it appear more legitimate.
- Attack Chain
- Decoded PowerShell scripts run in the terminal download a ZIP payload and extract it with a renamed 7-Zip binary.
- The malware establishes persistence, disables Defender exclusions, and deploys Lumma Stealer by injecting code into Chrome and Edge processes.
- Exfiltration focuses on browser credentials and crypto assets.
- Second variant of the attack abuses msbuild.exe to run VBScript for stealth.
- Key Tactics: Abuses “living off the land” binaries (LOLBins) to slip past security tools.
- User Training & Defensive Gaps
- These attacks avoid traditional phishing hallmarks.
- Insightful Observation:
“These kinds of attacks also don’t look like the kinds of phishing that many people have been trained on for many years. By asking people to validate that they’re human or fix a problem, they can get users to execute these commands with surprising effectiveness.” (12:30)
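As an added example (not from the episode), the following defender-side check scans constructed process-creation records for the two behaviours described above: a PowerShell session spawned from Windows Terminal that decodes or downloads content, and msbuild.exe loading a project from a user-writable path. The image names, file paths, rule names and the base64 placeholder are assumptions about a generic Sysmon/EDR feed, not indicators from the campaign.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:           # simplified process-creation record (Sysmon EID 1 style)
    parent_image: str      # image that spawned the process
    image: str             # executable that was started
    command_line: str

# wt.exe is a launcher that hands off to WindowsTerminal.exe; accept both as the
# parent (assumption about how the telemetry names the image).
TERMINAL_IMAGES = {"wt.exe", "windowsterminal.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Decode-and-download indicators typical of a pasted ClickFix one-liner.
DOWNLOAD_RE = re.compile(
    r"(-enc(odedcommand)?\b|frombase64string|invoke-webrequest|\biwr\b"
    r"|downloadstring|downloadfile|\.zip\b)", re.I)
# MSBuild project loaded from a user-writable path instead of a build tree.
USER_WRITABLE_RE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Names of the rules the event matches; an empty list means nothing suspicious."""
    hits: list[str] = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in TERMINAL_IMAGES and image in SHELL_IMAGES and DOWNLOAD_RE.search(ev.command_line):
        hits.append("terminal-spawned download/decode shell")
    if image == "msbuild.exe" and USER_WRITABLE_RE.search(ev.command_line):
        hits.append("msbuild project from user-writable path")
    return hits

def detect(events: list[ProcEvent]) -> list[tuple[str, ProcEvent]]:
    return [(hit, ev) for ev in events for hit in classify(ev)]

# Constructed sample telemetry; paths and the base64 blob are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WT = r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Date"),             # benign
    ProcEvent(WT, PS, "powershell.exe -NoLogo"),                                      # benign terminal use
    ProcEvent(WT, PS, "powershell.exe -w hidden -EncodedCommand QUFBQQ=="),           # ClickFix paste
    ProcEvent(PS, MSB, r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\upd.xml"),     # msbuild variant
    ProcEvent(r"C:\Windows\System32\cmd.exe", MSB, r"MSBuild.exe C:\src\app\app.csproj"),  # real build
]
```

Running `detect(SAMPLE_EVENTS)` flags only the third and fourth records; ordinary terminal use and a real build from a source tree produce no hits.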
4. Iranian Cyber Operations & Cloud Data Center Attacks (13:04–18:34)
- Surge in Iranian Activity
- The MuddyWater group (aka Seedworm) is deploying new backdoors (e.g., Dindoor, built on the Deno runtime, and Fakeset, written in Python) against US banks, airports, and software vendors.
- Tactics include the use of cloud storage services (e.g., Backblaze, Wasabi) for exfiltration, with the same digital certificates reused across multiple attack tools.
- Pro-Russian hacktivist involvement noted, with industrial targets and claims of breaching US ICS and CCTV networks.
- Escalating Wiper & Surveillance Attacks
- Multiple wiper-malware operations striking Israeli sectors (energy, finance, utilities).
- Increased exploitation of surveillance and IP camera systems, providing tactical military value.
- Contextual Reflection:
“This is the exact same playbook that Israel and the United States used in the targeted killing of Iran’s Supreme Leader by hacking into Tehran’s traffic camera network.” (14:28)
- Direct Military Strikes on Data Centers
- Iranian drone attacks on AWS data centers in the UAE and Bahrain, blurring the line between physical warfare and attacks on cyber-physical infrastructure.
- Service interruptions and infrastructure damage (tripped power delivery, triggered fire-suppression systems).
- Microsoft reportedly also targeted; data center security now a critical national resilience issue.
- Amazon urges clients to migrate workloads out of Middle East regions.
- Strategic Analysis:
“Historically, oil fields were the primary target in the region, but now these strikes demonstrate that these data centers are viewed as equally important to their respective countries and may be potentially more vulnerable.” (16:48)
- The rise of AI increases the strategic value of data centers; physical defense now required alongside cybersecurity.
- Warning & Recommendations:
“Organizations are urged to adopt a proactive stance in their cybersecurity strategies that includes strengthening monitoring capabilities… segmenting networks and maintaining good validated backups… regularly updating applications including firewalls and other edge devices.” (15:52)
- Adam Myers (CrowdStrike): “Western organizations should continue to remain on high alert for potential cyber responses. As the conflict continues, activity may escalate beyond hacktivism into more destructive operations.” (16:27)
Timestamps for Important Segments
- Karuna iOS Exploit Kit Unpacked: 00:20–06:20
- FBI Surveillance System Breach Analysis: 06:21–09:45
- Windows Terminal Social Engineering Campaign: 09:46–13:03
- Iranian Cyber Operations, Middle East Conflict, and Data Center Strikes: 13:04–18:34
Notable Quotes & Memorable Moments
- On Advanced Exploit Kits Going Mainstream:
“A clear example of how sophisticated capabilities once reserved for high value targets like government officials are now being weaponized against everyday people.”
– David Shipley quoting iVerify [05:30]
- On Government Encryption Backdoors:
“Such capabilities can be abused and, even more worrisome, hijacked by these very same hostile nation states or potentially by criminal groups.” [09:12]
- On User Training Gaps:
“These kinds of attacks also don’t look like the kinds of phishing that many people have been trained on for many years … they can get users to execute these commands with surprising effectiveness.” [12:30]
- On Data Centers as New Strategic Targets:
“These data centers are viewed as equally important to their respective countries and may be potentially more vulnerable.” – Patrick Murphy, Hilco Global [16:48]
- On Escalating Threat Levels:
“Western organizations should continue to remain on high alert for potential cyber responses. As the conflict continues, activity may escalate beyond hacktivism into more destructive operations.”
– Adam Myers, CrowdStrike [16:27]
Actionable Takeaways for Organizations
- Enable and use security features like Lockdown Mode.
- Keep all devices and browsers up to date.
- Limit third-party vendor exposure and audit supply chain security regularly.
- Prepare for the blending of physical and cyber threats—especially for critical infrastructure.
- Strengthen monitoring, segment networks, and enforce multi-factor authentication.
- Maintain strong, validated backups and regularly patch edge devices (e.g., firewalls).
This episode underscores the increasing accessibility of sophisticated cyber-attack tools, the crossover between digital and physical threats, and the need for vigilant defense across both technology and operational domains.
