Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year

The same framework resurfaced in summer 2025, this time repurposed by UNC6353, a suspected Russian espionage group, which embedded it as hidden iframes on compromised Ukrainian websites spanning industrial equipment, retail, and ecommerce sectors, according to Google. It said it worked with Ukraine’s CERT-UA to clean up all compromised websites.

By year end the same kit had appeared across a large network of fake Chinese financial websites operated by UNC6691, a financially motivated, China-based threat actor. Unlike the earlier targeted deployments, iVerify confirmed the exploit chains contained no geolocation filtering, meaning any vulnerable iPhone visiting those pages was at risk.

VIPs aren’t the only ones at risk from this malware, said Everest Group senior analyst Gautam Goel. “GTIG’s writeup is notable precisely because it shows surveillance-grade exploit chains moving from targeted use to broad-scale criminal campaigns.”


