Unveiling Coruna: The Sophisticated iOS Exploit Kit Targeting Versions 13 to 17.2.1
In a significant cybersecurity development, Google’s Threat Intelligence Group (GTIG) has identified a formidable exploit kit named Coruna, also known as CryptoWaters. This kit specifically targets Apple iPhone models operating on iOS versions ranging from 13.0 to 17.2.1. Comprising five comprehensive iOS exploit chains and a total of 23 distinct exploits, Coruna poses a substantial threat to devices running these versions. Notably, the latest iOS versions remain unaffected by this exploit kit.
GTIG emphasizes the technical sophistication of Coruna, highlighting its extensive collection of iOS exploits. The most advanced among them employ undisclosed exploitation techniques and mitigation bypasses. The exploit kit’s framework is meticulously engineered, with each component seamlessly integrated using common utility and exploitation frameworks.
Evolution and Proliferation of Coruna
Since it was first observed in February 2025, Coruna has passed through the hands of several threat actors. Initially used in commercial surveillance operations, it moved on to government-backed attackers and, by December 2025, was being used by financially motivated threat actors based in China. How it changed hands remains unclear, but the progression points to an active market for second-hand zero-day exploits, which lets diverse threat actors repurpose them for their own objectives.
Security firm iVerify notes that Coruna bears similarities to previous frameworks developed by threat actors associated with the U.S. government. They describe Coruna as a significant instance of sophisticated spyware-grade capabilities migrating from commercial surveillance vendors to nation-state actors and eventually to large-scale criminal operations.
Technical Insights into Coruna’s Operations
GTIG’s initial detection of Coruna occurred early last year when parts of an iOS exploit chain were observed being used by a client of an unnamed surveillance company. These exploits were embedded within a novel JavaScript framework designed to fingerprint devices, verifying their authenticity and collecting details such as the specific iPhone model and iOS version.
Based on the fingerprint data, the framework deploys the appropriate WebKit remote code execution (RCE) exploit, followed by executing a pointer authentication code (PAC) bypass. One such exploit targets CVE-2024-23222, a type confusion vulnerability in WebKit that Apple addressed in January 2024 with the release of iOS 17.3 and iPadOS 17.3, as well as iOS 16.7.5 and iPadOS 16.7.5.
Geopolitical Exploitation and Targeting
By July 2025, the same JavaScript framework was identified on the domain cdn.uacounter[.]com, embedded as a hidden iframe on compromised Ukrainian websites. These sites spanned various sectors, including industrial equipment, retail tools, local services, and e-commerce. The campaign is attributed to a suspected Russian espionage group tracked as UNC6353.
A notable aspect of this activity was the selective delivery of the framework to specific iPhone users based on their geolocation. The exploits utilized in this campaign included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the latter being a use-after-free flaw in WebKit. Apple addressed CVE-2023-43000 in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include this vulnerability only on November 11, 2025.
Further Proliferation and Criminal Exploitation
In December 2025, the JavaScript framework resurfaced on a cluster of counterfeit Chinese websites, predominantly related to finance. These sites prompted users to access them via an iPhone or iPad for an enhanced user experience. This activity is linked to a threat cluster identified as UNC6691.
When one of these websites is opened on an iOS device, a hidden iframe injects the Coruna exploit kit, which deploys CVE-2024-23222. Unlike the earlier campaigns, this exploit delivery was not restricted by geolocation.
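The delivery mechanism described here and in the Ukrainian campaign, an invisible iframe injected into a compromised site that loads from a third-party host, is something a site owner can audit for in their own pages. The script below is an added example, not code from GTIG or the article; the sample HTML, the placeholder host and the allowlist are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible embed plus an injected
# invisible iframe loading from a third-party host (placeholder, not a real IoC).
SAMPLE_HTML = """
<html><body>
<h1>Industrial pumps catalogue</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.injected-placeholder.invalid/loader.html"
        style="display:none;" width="0" height="0"></iframe>
</body></html>
"""

# Hosts the site is expected to embed (its own origin plus known, reviewed embeds).
ALLOWED_HOSTS = {"www.example-shop.invalid", "www.youtube.com"}

def _is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:  # bare HTML5 'hidden' attribute (value is None)
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().rstrip("px") == "0":
            return True
    return False

class IframeAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname or ""
        # Flag only the combination the campaigns used: hidden AND off-allowlist.
        if _is_hidden(attrs) and host not in self.allowed:
            self.findings.append(host)

def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return hostnames of hidden iframes that load from non-allowlisted hosts."""
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML))
```

Run it against the HTML your server actually sends to a mobile user agent, since the injected iframe may only be served to iOS visitors.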
Further investigation into the threat actor’s infrastructure unveiled a debug version of the exploit kit, along with various samples encompassing five complete iOS exploit chains. In total, 23 exploits targeting iOS versions from 13 to 17.2.1 were identified.
Exploited Vulnerabilities and Their Impact
Some of the critical vulnerabilities exploited by Coruna include:
– Neutron: CVE-2020-27932 (iOS 13.x)
– Dynamo: CVE-2020-27950 (iOS 13.x)
– Buffout: CVE-2021-30952 (iOS 13 to 15.1.1)
– Jacurutu: CVE-2022-48503 (iOS 15.2 to 15.5)
– IronLoader: CVE-2023-32409 (iOS 16.0 to 16.3.1)
– Photon: CVE-2023-32434 (iOS 14.5 to 15.7.6)
– Gallium: CVE-2023-38606 (iOS 14.x)
– Parallax: CVE-2023-41974 (iOS 16.4 to 16.7)
– Terrorbird: CVE-2023-43000 (iOS 16.2 to 16.5.1)
– Cassowary: CVE-2024-23222 (iOS 16.6 to 17.2.1)
– Sparrow: CVE-2024-23225 (iOS 17.0 to 17.3)
– Rocket: CVE-2024-23296 (iOS 17.1 to 17.4)
Notably, the Photon and Gallium exploits target vulnerabilities previously utilized as zero-days in Operation Triangulation. Coruna also incorporates reusable modules to facilitate the exploitation of these vulnerabilities.
Implications and Recommendations
The emergence and evolution of Coruna highlight a concerning trend: the proliferation of sophisticated spyware capabilities from commercial surveillance vendors to nation-state actors and, ultimately, to large-scale criminal operations. This progression signifies a shift from highly targeted spyware attacks to broader deployments, increasing the risk to a wider range of users.
To mitigate the threat posed by Coruna, iPhone users are strongly advised to:
1. Keep Devices Updated: Regularly update iOS devices to the latest available versions, as Coruna is ineffective against the most recent iOS releases.
2. Enable Lockdown Mode: Use Lockdown Mode for additional protection; Coruna's delivery framework is designed to skip devices that have it enabled.
3. Exercise Caution: Be vigilant when accessing unfamiliar websites or clicking on unsolicited links, especially those prompting the use of specific devices for an improved experience.
By adhering to these recommendations, users can significantly reduce their vulnerability to sophisticated exploit kits like Coruna.