Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Google Uncovers Coruna: A Powerful iOS Exploit Kit Circulating in the Wild
Google’s Threat Intelligence Group (GTIG) has identified a “new and powerful” exploit kit it calls Coruna (also tracked as CryptoWaters) that targets iPhones running iOS 13.0 through 17.2.1. The kit bundles five full iOS exploit chains and 23 exploits in total, which leaves any device still running a release in that range exposed to it.
The Anatomy of a Digital Weapon
What makes Coruna alarming is not only its technical sophistication but the route it took through the exploit market. According to Google’s analysis, the kit started out with a customer of a commercial surveillance vendor, was later used by government-backed attackers, and by December 2025 had reached financially motivated Chinese threat actors.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” GTIG stated in their detailed analysis. “The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.”
That trajectory, from a commercial vendor’s product to state-backed espionage to mass criminal use, is the pattern the rest of this article follows: spyware-grade capability that was once sold to a handful of customers ending up deployed at scale by criminals.
A New Era of Mobile Threats
Mobile security vendor iVerify has described Coruna as “one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations.”
According to the same reporting, Coruna’s deployment is the first observed mass exploitation of iOS devices. Exploit chains of this class had previously been reserved for narrowly targeted operations; here they were served to anyone who reached the delivery sites with an affected device, which changes the exposure from a few high-value targets to every unpatched visitor.
The Technical Breakdown
Google first detected parts of an iOS exploit chain in use by a customer of an unnamed surveillance company early in 2025. The exploits were wrapped in a previously unseen JavaScript framework that fingerprints the visiting device: it checks whether the visitor is a real device rather than an emulator or analysis environment, and it records the iPhone model and the exact iOS version.
The framework then loads the WebKit remote code execution (RCE) exploit matching that fingerprint, followed by a pointer authentication code (PAC) bypass, which is needed on arm64e devices before corrupted pointers can be used to hijack control flow. One of the key vulnerabilities is CVE-2024-23222, a type confusion bug in WebKit that Apple patched in January 2024 in iOS 17.3 and iPadOS 17.3 and, for the older branch, in iOS 16.7.5 and iPadOS 16.7.5.
Real-World Deployment
The first in-the-wild deployment of Coruna was detected in July 2025, when the JavaScript framework appeared at the domain “cdn.uacounter[.]com.” The domain was loaded in a hidden iframe on compromised Ukrainian websites, including sites for industrial equipment, retail tools, local services and e-commerce. A suspected Russian espionage group tracked as UNC6353 is assessed to be behind this campaign.
The campaign was selective: the framework was served only to iPhone users from a specific geolocation, which limited the exploits’ exposure to analysts and sandboxes outside the target population. The exploits used were CVE-2024-23222, CVE-2022-48503 and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit.
CVE-2023-43000 had in fact been fixed in iOS 16.6 and iPadOS 16.6, released in July 2023, but Apple only added an entry for it to the security release notes on November 11, 2025. Silently shipped fixes of this kind are a practical problem for defenders who track exposure by CVE: a device on iOS 16.6 was protected for more than two years before anyone could have known to check for it.
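The branch-aware fix versions above (17.3 on the iOS 17 branch, 16.7.5 on the iOS 16 branch for CVE-2024-23222, 16.6 for CVE-2023-43000) are easy to get wrong in fleet triage, because a naive “version below 17.3” test flags a fully patched 16.7.5 device. The following is an added example, not code from Google’s report or the article: it parses iOS version strings, checks whether a device falls inside the 13.0–17.2.1 range the kit covers, and reports which of the two fixes named in the text the device is missing. The fix builds are the ones stated above; the device export is constructed sample data and the device names are hypothetical.

```python
"""Fleet triage for the Coruna version range and the two WebKit fixes named
above. Added example, not code from Google's report; the fix builds are the
ones stated in the text and the device list is constructed sample data."""
from __future__ import annotations
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'17.2.1' -> (17, 2, 1); pad to three parts so '17.3' compares as 17.3.0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    return parts + (0,) * (3 - len(parts))


# Earliest fixed build on each major-version branch, as stated in the article.
# Apple back-ports fixes, so a plain "version < 17.3" test would wrongly flag a
# device on 16.7.5 as still vulnerable to CVE-2024-23222.
FIXES: Dict[str, Dict[int, Version]] = {
    "CVE-2024-23222": {17: (17, 3, 0), 16: (16, 7, 5)},
    "CVE-2023-43000": {16: (16, 6, 0)},
}
KIT_RANGE = (parse_version("13.0"), parse_version("17.2.1"))


def in_kit_range(v: Version) -> bool:
    """True if the build falls inside the iOS 13.0-17.2.1 span the kit covers."""
    return KIT_RANGE[0] <= v <= KIT_RANGE[1]


def is_fixed(cve: str, v: Version) -> Optional[bool]:
    """True/False when the device's branch has a listed fix build; None when the
    article names no fix for that branch (treat as unknown, never as safe)."""
    branch_fix = FIXES[cve].get(v[0])
    if branch_fix is None:
        # A newer major release than any listed fix carries the fix too.
        return True if any(v[0] > b for b in FIXES[cve]) else None
    return v >= branch_fix


def triage(devices: List[Tuple[str, str]]) -> List[dict]:
    """One row per device: in-range flag plus CVEs missing or of unknown status."""
    rows = []
    for dev, ver in devices:
        v = parse_version(ver)
        rows.append({
            "device": dev,
            "version": ver,
            "in_kit_range": in_kit_range(v),
            "missing": sorted(c for c in FIXES if is_fixed(c, v) is False),
            "unknown": sorted(c for c in FIXES if is_fixed(c, v) is None),
        })
    return rows


# Constructed sample export (hypothetical device names, not real data).
SAMPLE = [("ipad-01", "16.7.5"), ("iphone-02", "17.2.1"), ("iphone-03", "16.5"),
          ("iphone-04", "18.1"), ("iphone-05", "15.8")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Note that `in_kit_range` is the flag that should drive the decision: only two of the kit’s 23 exploits have fix builds given in the text, so a device that is “in range” but missing neither of these two fixes (the 16.7.5 iPad in the sample) is not thereby shown to be safe from the other 21.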
The Chinese Connection
The third sighting of the framework came in December 2025 and marked the shift to criminal use. A cluster of fake Chinese-language websites, most of them finance-themed, delivered the exploit kit after telling visitors to open the site on an iPhone or iPad for a better user experience. This activity is attributed to a threat cluster tracked as UNC6691.
Unlike the Ukrainian campaign, this one applied no geolocation filter. Once a site was opened on an iOS device, a hidden iframe was injected to deliver Coruna carrying CVE-2024-23222, so every unpatched iPhone or iPad user who reached these sites was a potential victim.
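Both campaigns used the same delivery primitive: a hidden iframe on an otherwise unrelated page, pulling the framework from a third-party host. The following is an added example of how a defender might hunt for that pattern across crawled pages; it is not Google’s tooling. It parses each page with the standard-library HTML parser, keeps only iframes whose source host differs from the page’s own, and flags those that are hidden (display:none, visibility:hidden, the hidden attribute, or a 0/1-pixel box) or that point at a known indicator. Only cdn.uacounter[.]com is an indicator from the report; every other hostname and all page bodies below are constructed.

```python
"""Hunt for the delivery pattern described above: a hidden iframe that pulls
content from a host other than the page's own. Added example, not Google's
tooling; cdn.uacounter[.]com is the one indicator taken from the report, every
other hostname and all page bodies below are constructed."""
from __future__ import annotations
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

KNOWN_BAD = {"cdn.uacounter.com"}  # written defanged in the article text


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value: str) -> Optional[int]:
    """'0', '1px' -> int; '100%', '' -> None."""
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return int(v) if v.isdigit() else None


def _style(attrs: Dict[str, str]) -> Dict[str, str]:
    """Parse the inline style attribute into a lower-cased property dict."""
    out = {}
    for decl in attrs.get("style", "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def is_hidden(attrs: Dict[str, str]) -> bool:
    """display:none, visibility:hidden, the hidden attribute, or a 0/1 px box."""
    st = _style(attrs)
    if st.get("display") == "none" or st.get("visibility") == "hidden" or "hidden" in attrs:
        return True
    for dim in ("width", "height"):
        px = _px(attrs.get(dim) or st.get(dim, ""))
        if px is not None and px <= 1:
            return True
    return False


def find_suspicious_iframes(page_url: str, html: str) -> List[Dict[str, str]]:
    """Off-site iframes that are hidden, plus any iframe hitting a known indicator."""
    site = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        src = f.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # also handles //host/... sources
        if not host or host == site:  # relative or same-origin: not this pattern
            continue
        if host in KNOWN_BAD:
            verdict = "known-indicator"
        elif is_hidden(f):
            verdict = "hidden-offsite"
        else:
            continue
        hits.append({"page": page_url, "src": src, "host": host, "verdict": verdict})
    return hits


# Constructed sample pages (hypothetical sites, not real compromised hosts).
SAMPLE_PAGES = {
    "https://shop.example.ua/catalog": (
        '<html><body><h1>Catalog</h1>'
        '<iframe src="https://cdn.uacounter.com/s.html" style="display:none;width:0;height:0"></iframe>'
        '<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>'
        '</body></html>'),
    "https://finance.example.cn/": (
        '<html><body><p>Visit from an iPhone or iPad for a better experience</p>'
        '<iframe src="//static.example-cdn.net/p.html" width="1" height="1" hidden></iframe>'
        '</body></html>'),
    "https://clean.example.org/": '<iframe src="/local/frame.html" hidden></iframe>',
}


def scan_pages(pages: Dict[str, str]) -> List[Dict[str, str]]:
    """Run the check over a {url: html} mapping and flatten the results."""
    return [hit for url, body in pages.items() for hit in find_suspicious_iframes(url, body)]


if __name__ == "__main__":
    for hit in scan_pages(SAMPLE_PAGES):
        print(hit)
```

The visible YouTube embed in the first page is deliberately left unflagged: hidden plus off-site is the combination worth reviewing, and a visible third-party iframe on its own is ordinary web content. Hidden iframes that are same-origin are also skipped, since the kit was hosted on a separate domain in both campaigns described above.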
The Full Arsenal
Further analysis of the actor’s infrastructure turned up a debug build of the exploit kit along with samples covering five full iOS exploit chains. In total, 23 exploits spanning iOS 13 through iOS 17.2.1 were identified, which makes Coruna one of the most complete mobile exploit kits documented to date.
Notable components include:
- Photon and Gallium: these exploit vulnerabilities that were also used as zero-days in Operation Triangulation, the campaign against iPhones that the Russian government claimed in June 2023 was the work of the U.S. National Security Agency.
The kit also embeds reusable modules, the “common utility and exploitation frameworks” GTIG refers to, that make it easier to wire each vulnerability into a working chain; that engineering, as much as the individual bugs, is what makes it reusable by operators who did not write it.
The Ultimate Payload
UNC6691 has been observed weaponizing the kit to deliver a stager binary codenamed PlasmaLoader (also known as PLASMAGRID). The stager decodes QR codes from images and runs additional modules fetched from an external server; those modules are used to exfiltrate cryptocurrency wallets and other sensitive data from apps including Base, Bitget Wallet, Exodus and MetaMask.
“The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond,” GTIG added. “The implant embeds a custom domain generation algorithm (DGA) using the string ‘lazarus’ as a seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as a TLD. The attackers use Google’s public DNS resolver to validate if the domains are active.”
The fallback matters operationally. Taking down the hard-coded C2 servers does not cut the implant off, because it can regenerate a predictable list of candidate domains that the operators can register ahead of time, and resolving them through Google’s public resolver sidesteps any blocking applied at an internal DNS server unless outbound DNS is restricted to that server. The observable side effects are clients talking directly to 8.8.8.8 and bursts of lookups for 15-character .xyz names, both of which are worth hunting for.
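The quoted description gives the shape of the fallback traffic (15-character labels, .xyz, resolved via Google Public DNS) but not the algorithm itself, so a defender cannot pre-compute the domains; what can be done is to hunt DNS logs for that shape. The following is an added example of such a hunt, not Google’s detection logic. It parses constructed log lines, flags only queries that match both signals (direct use of 8.8.8.8/8.8.4.4 and a random-looking 15-character .xyz name), and then reports sources that probed several such names, which is what a DGA walk looks like when the hard-coded servers are unreachable. The log format, hosts and query names are all constructed, and the entropy threshold is an assumption that needs tuning against real traffic.

```python
"""DNS-log hunt for the fallback behaviour quoted above: 15-character labels
under .xyz, resolved directly through Google Public DNS rather than the
internal resolver. Added example, not Google's detection logic; the article
does not publish the DGA itself, so this is a heuristic that will need tuning,
and all log lines and addresses below are constructed."""
from __future__ import annotations
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
# Hypothetical log format: one query per line, key=value fields.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qname=(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a 15-char label of distinct characters scores ~3.9."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_coruna_fallback(qname: str) -> bool:
    """Exactly <15 alphanumerics>.xyz with a random-looking label."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 2 or labels[1] != "xyz":
        return False
    sld = labels[0]
    # 3.0 bits/char is an assumed cut-off; dictionary-like labels score lower.
    return len(sld) == 15 and sld.isalnum() and shannon_entropy(sld) >= 3.0


def scan(lines: List[str]) -> List[dict]:
    """Flag only lines that match both signals; either alone is too noisy."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        d = m.groupdict()
        if d["dst"] in GOOGLE_DNS and looks_like_coruna_fallback(d["qname"]):
            hits.append(d)
    return hits


def bursts(hits: List[dict], min_distinct: int = 3) -> List[str]:
    """Sources that probed at least min_distinct candidate domains, the shape a
    DGA walk produces when the hard-coded C2s are unreachable."""
    per_src: Dict[str, set] = defaultdict(set)
    for h in hits:
        per_src[h["src"]].add(h["qname"])
    return sorted(s for s, names in per_src.items() if len(names) >= min_distinct)


# Constructed sample log (hypothetical hosts and query names, not captured data).
SAMPLE_LOG = [
    "2025-12-03T10:11:12Z src=10.0.0.5 dst=8.8.8.8 qname=q7xk2mvbp9wzr4h.xyz",
    "2025-12-03T10:11:12Z src=10.0.0.5 dst=8.8.8.8 qname=z3pw8kdm1qvy6tn.xyz",
    "2025-12-03T10:11:13Z src=10.0.0.5 dst=8.8.8.8 qname=h2tr9bxk5lmq0dv.xyz",
    "2025-12-03T10:11:14Z src=10.0.0.7 dst=10.0.0.2 qname=www.example.com",
    "2025-12-03T10:11:15Z src=10.0.0.9 dst=8.8.8.8 qname=dns.google",            # Google DNS, benign name
    "2025-12-03T10:11:16Z src=10.0.0.11 dst=10.0.0.2 qname=abcdefghijklmno.xyz",  # right shape, internal resolver
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print("bursting sources:", bursts(found))
```

The last two sample lines show why both signals are required: a host using 8.8.8.8 for an ordinary name, or a 15-character .xyz lookup that went through the internal resolver, is each explainable on its own. Where policy already forbids direct egress to public resolvers, the first signal alone becomes a policy violation worth alerting on regardless of the name queried.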
Protection Measures
A notable aspect of Coruna is that it deliberately skips execution on devices in Lockdown Mode and when the user is in private browsing. For Lockdown Mode this is the intended effect of the feature: it removes much of the WebKit attack surface these chains depend on (just-in-time JavaScript compilation, for one, is disabled), so the kit’s authors chose not to attempt exploitation there rather than risk a failed, noisy attempt. The report does not say why private browsing is avoided; private browsing is not a security boundary and should not be read as protection.
The affected range ends at iOS 17.2.1, so any device on a current release is outside it, and CVE-2024-23222 specifically is fixed from iOS 17.3 and iOS 16.7.5. Keep devices up to date, enforce a minimum OS version through mobile device management where fleets are centrally managed, and enable Lockdown Mode for users at elevated risk of targeted attack.
Coruna shows how quickly an exploit kit can move from a commercial vendor’s customers to state-backed operators to criminals serving it indiscriminately. The practical response is unchanged but more urgent: patch promptly, watch for the delivery and C2 patterns described above, and expect further details as analysis of the kit continues.