A recently discovered iOS exploit kit, known as Coruna, has been linked to nation-state actors and is now being used in global attacks. Originally employed by Russian state-sponsored groups, Coruna has since been leveraged by broader criminal campaigns, marking a significant expansion of its reach. The exploit kit's emergence in various attacks has prompted concerns about the evolving threat landscape, with state-aligned activity potentially shifting the threat model from solely criminal to geopolitical. Technical analysis by Google and iVerify has shed light on Coruna's inner workings, revealing its potency in compromising iOS devices. The fact that Coruna is being used in global attacks highlights the need for a distinct approach to mitigating such threats, as the traditional playbook may no longer be effective. This development matters to practitioners because it signifies a change in the threat landscape, requiring a more nuanced understanding of the intersection between state-sponsored activity and criminal campaigns.