Coruna iOS Exploit Kit Targeting iOS 13-17.2.1

  • Mar 5
  • 2 min read

Key Findings


  • Google's Threat Intelligence Group (GTIG) identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters)

  • The kit targets Apple iPhones running iOS versions 13.0 through 17.2.1

  • It includes five full exploit chains and a total of 23 exploits

  • The kit is highly effective against the targeted iOS versions, but is ineffective against the latest iOS release


Background


  • GTIG first captured parts of an iOS exploit chain used by a customer of a surveillance company in February 2025

  • The exploits were integrated into a previously unseen JavaScript framework that used simple but unique obfuscation techniques

  • The framework was designed to fingerprint the device, detect the specific iPhone model and iOS version, and then load the appropriate WebKit remote code execution (RCE) exploit and pointer authentication code (PAC) bypass


Ukrainian Watering Hole Attacks


  • In July 2025, the same JavaScript framework was detected on the domain "cdn.uacounter[.]com", which was loaded as a hidden iFrame on compromised Ukrainian websites

  • The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000

  • The activity was assessed to be linked to a suspected Russian espionage group named UNC6353


Broad-scale Attacks by Chinese Threat Actor


  • In December 2025, the Coruna exploit kit was detected on a cluster of fake Chinese websites, most of them related to finance

  • The activity is attributed to a threat cluster tracked as UNC6691

  • Once the websites were accessed via an iOS device, a hidden iFrame was injected to deliver the Coruna exploit kit containing CVE-2024-23222


Exploit Chains and CVEs


  • The Coruna exploit kit includes a total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1

  • Some of the CVEs exploited by the kit, with the iOS versions each one targets:

      • Neutron - CVE-2020-27932 (versions 13.x)

      • Dynamo - CVE-2020-27950 (versions 13.x)

      • buffout - CVE-2021-30952 (versions 13 → 15.1.1)

      • jacurutu - CVE-2022-48503 (versions 15.2 → 15.5)

      • IronLoader - CVE-2023-32409 (versions 16.0 → 16.3.116.4.0)

      • Photon - CVE-2023-32434 (versions 14.5 → 15.7.6)

      • Gallium - CVE-2023-38606 (versions 14.x)

      • Parallax - CVE-2023-41974 (versions 16.4 → 16.7)

      • terrorbird - CVE-2023-43000 (versions 16.2 → 16.5.1)

      • cassowary - CVE-2024-23222 (versions 16.6 → 17.2.1)
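
As an added defender's example (my own code, not from the post or from GTIG), the version ranges listed above turned into a fleet exposure check: given an iOS build from a device inventory, it reports which of the kit's published CVEs cover that build. IronLoader is left out because its range as printed is not legible, and the sample builds at the bottom are constructed.

```python
from typing import List, Tuple

Version = Tuple[int, ...]
ANY_PATCH = 10**6  # sentinel so that "13.x" covers every 13.* build


def parse_version(text: str) -> Version:
    """'16.7' -> (16, 7, 0): pad to three parts so 16.7 == 16.7.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(lo: str, hi: str) -> Tuple[Version, Version]:
    """Inclusive bounds; an 'N.x' upper bound means any N.* release."""
    if hi.endswith(".x"):
        return parse_version(lo), (int(hi[:-2]), ANY_PATCH, ANY_PATCH)
    return parse_version(lo), parse_version(hi)


# (exploit name, CVE, lowest affected, highest affected) transcribed from
# the post. IronLoader is omitted because its printed range is not legible.
CORUNA_COVERAGE = [
    ("Neutron",    "CVE-2020-27932", "13.0", "13.x"),
    ("Dynamo",     "CVE-2020-27950", "13.0", "13.x"),
    ("buffout",    "CVE-2021-30952", "13.0", "15.1.1"),
    ("jacurutu",   "CVE-2022-48503", "15.2", "15.5"),
    ("Photon",     "CVE-2023-32434", "14.5", "15.7.6"),
    ("Gallium",    "CVE-2023-38606", "14.0", "14.x"),
    ("Parallax",   "CVE-2023-41974", "16.4", "16.7"),
    ("terrorbird", "CVE-2023-43000", "16.2", "16.5.1"),
    ("cassowary",  "CVE-2024-23222", "16.6", "17.2.1"),
]


def applicable_exploits(ios_version: str) -> List[str]:
    """CVEs in the kit whose published range contains this iOS build."""
    v = parse_version(ios_version)
    return [cve for _, cve, lo, hi in CORUNA_COVERAGE
            if parse_range(lo, hi)[0] <= v <= parse_range(lo, hi)[1]]


if __name__ == "__main__":
    # constructed fleet sample, e.g. builds pulled from an MDM inventory
    for build in ["13.7", "15.4.1", "16.5.1", "17.2.1", "17.3"]:
        print(build, applicable_exploits(build) or "outside published coverage")
```

An empty result means the build is outside the ranges the post lists, not that it is safe against exploits the kit may have added since.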


Conclusion


The Coruna exploit kit is a highly sophisticated and comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. The framework surrounding the exploit kit is extremely well engineered, allowing multiple threat actors to reuse and adapt these advanced techniques for new vulnerabilities. The findings highlight the active market for second-hand zero-day exploits and the shift from highly targeted spyware attacks to broad-scale exploitation of iOS devices.


Sources


  • https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html

  • https://securityaffairs.com/188928/security/google-uncovers-coruna-ios-exploit-kit-targeting-ios-13-17-2-1.html

  • https://x.com/ScyScan/status/2029369477192925536
