Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains, Targets iOS 13–17.2.1

Google said it has identified a “new and powerful” exploit kit called Coruna (also known as CryptoWaters) which targets Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The exploit kit comprises five full iOS chains and a total of 23 exploits, according to the Google Threat Intelligence Group (GTIG). It does not work against the latest version of iOS. The findings were first reported by WIRED.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, which are highly advanced, using non-public exploit techniques and passive mitigation techniques,” according to GTIG. “The framework around the exploit kit is very well designed; the exploit pieces are all naturally connected and assembled together using standard tools and exploit frameworks.”
The kit is said to have been circulating among multiple threat actors since February 2025: first a commercial surveillance operation, then a government-backed attacker, and finally a threat actor operating in China in December.
It is not yet known how the exploit kit changed hands, but the findings point to an active market for zero-day exploits, allowing other threat actors to repurpose them for their own ends. In a related report, iVerify said the exploit kit shares similarities with earlier frameworks built by threat actors working with the US government.
“Coruna is one of the most significant examples we’ve seen of advanced spyware capabilities growing from commercial surveillance vendors into the hands of state actors and many criminals,” iVerify said.
The mobile security vendor said the use of such a sophisticated exploit framework marks the largest exploitation activity observed on iOS devices, indicating that spyware attacks are shifting from highly targeted use to widespread deployment.
Google said it first captured parts of the kit in use by an unnamed client of a commercial surveillance vendor early last year, with an exploit linked to a previously unseen JavaScript framework. The framework fingerprints the device to determine its authenticity and collects information, including the specific iPhone model and the iOS version it is running.
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by a Pointer Authentication Code (PAC) bypass. The exploit in question is tied to CVE-2024-23222, a type confusion bug in WebKit that Apple patched in January 2024 in iOS 17.3, iPadOS 17.3, iOS 16.7.5, and iPadOS 16.7.5.

Fast forward to July 2025, when a similar JavaScript framework was found on the domain “cdn.uacounter[.]com,” injected as a hidden iframe into compromised Ukrainian websites. These included sites for industrial equipment, sales tools, local services, and e-commerce. A suspected Russian espionage group tracked as UNC6353 is believed to be behind the campaign.
What is notable about this campaign is that the framework was only delivered to iPhone users in a specific location. Exploits used as part of the framework included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free bug in WebKit.
It is worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were only updated to include an entry for the vulnerability on November 11, 2025.
The third sighting of the JavaScript framework in the wild came in December 2025. A collection of fake Chinese-language websites, mostly finance-themed, was found serving an iOS exploit kit while urging visitors to open them from an iPhone or iPad for a better user experience. The activity is attributed to a threat cluster tracked as UNC6691.
Once these websites are accessed from an iOS device, a hidden iframe is injected to deliver the Coruna exploit kit containing CVE-2024-23222. In this case, delivery of the exploit was not restricted by any location-based targeting.
Further analysis of the threat actor’s infrastructure led to the discovery of a debug build of the exploit kit, as well as various samples covering five full iOS chains. In total, 23 exploits covering iOS 13 through iOS 17.2.1 have been identified.
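Site operators can check their own pages for the injection pattern described above (a hidden iframe pulling content from a third-party host). The following is an added example, not code from Google or iVerify; the sample HTML, the hostname pumps.example and the hidden-iframe heuristic are constructed for illustration, with the third-party host taken from the domain named in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment modelled on the injection described above; the
# hidden iframe points at the domain named in the report. Not a real capture.
SAMPLE_HTML = """<html><body>
<h1>Industrial pumps catalogue</h1>
<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>
<iframe src="https://cdn.uacounter.com/" style="display:none; width:0; height:0"></iframe>
<iframe src="/legacy/frame.html" hidden></iframe>
</body></html>"""


def _is_hidden(attrs):
    """True when the iframe is invisible to the visitor: hidden attribute,
    display:none / visibility:hidden in inline style, or zero width/height."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "hidden" in attrs or "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0"


class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src stays on the site itself; an absolute one names its host.
        host = (urlparse(src).hostname or self.site_host).lower()
        if _is_hidden(a) and host != self.site_host:
            self.findings.append({"src": src, "host": host})


def find_hidden_external_iframes(html, site_host):
    """Return hidden iframes that load content from a host other than site_host."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_external_iframes(SAMPLE_HTML, "pumps.example"):
        print(f"hidden external iframe: {f['src']} ({f['host']})")
```

The visible YouTube embed and the hidden but same-site legacy frame are not reported; only the hidden third-party frame is.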
Some of the CVEs exploited by the kit and the corresponding iOS versions they target are listed below –
“Photon and Gallium exploit vulnerabilities that were previously exploited as zero-days as part of Operation Triangulation,” Google said. “The Coruna exploit kit also embeds reusable modules to mitigate exploits of the aforementioned vulnerabilities.”
In December 2023, the Russian government claimed that the operation was the work of the US National Security Agency, accusing it of hacking “several thousand” Apple devices belonging to domestic subscribers and foreign embassies as part of an “exploratory operation.”
UNC6691 has been observed using the exploit to deliver a binary payload, PlasmaLoader (also known as PLASMAGRID), designed to capture QR codes from images and to use additional modules downloaded from an external server, allowing it to extract crypto wallets or sensitive information from various applications such as Base, Bitget Wallet, Exodus, and others.
“The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers become unresponsive,” GTIG added. “The exploit embeds a domain generation algorithm (DGA) using the string ‘lazarus’ as a seed to generate a list of predictable domains. The domains will be 15 characters long and use .xyz as the TLD. The attackers use Google’s public DNS resolver to verify if the domains are valid.”
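The fallback behaviour described in the quote leaves a detectable shape in DNS telemetry: 15-character .xyz names looked up through Google's public resolver, several in quick succession from one client. The following detection sketch is an added example, not GTIG's code; the log line format and the sample queries are constructed, and it checks the shape only, since the generation algorithm itself is not published here.

```python
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client, resolver, type, name).
# These lines are made up for the example; they are not real telemetry.
SAMPLE_DNS_LOG = """\
2025-12-03T10:14:02Z 10.0.0.7 8.8.8.8 A www.apple.com
2025-12-03T10:14:05Z 10.0.0.7 8.8.8.8 A kqzvxwmtrbplyhc.xyz
2025-12-03T10:14:05Z 10.0.0.7 8.8.8.8 A pwnzqtlxrbvfjhm.xyz
2025-12-03T10:14:09Z 10.0.0.9 10.0.0.1 A shop.example.xyz
2025-12-03T10:14:11Z 10.0.0.9 10.0.0.1 A abcdefghijklmno.xyz
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}


def matches_coruna_dga_shape(qname, resolver):
    """Heuristic from the GTIG description: a single 15-character label under
    .xyz, looked up through Google's public resolver. It is a shape check, not
    the DGA itself (the generation algorithm is not published on the page)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != "xyz":
        return False
    label = labels[0]
    return len(label) == 15 and label.isalnum() and resolver in GOOGLE_PUBLIC_DNS


def find_suspicious_queries(log_text):
    """Return (timestamp, client, qname) for every query matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, resolver, _qtype, qname = m.groups()
        if matches_coruna_dga_shape(qname, resolver):
            hits.append((ts, client, qname))
    return hits


def clients_cycling_domains(hits, threshold=2):
    """Clients that tried several such domains: the fallback walks a list of
    candidates when the hard-coded C2s do not answer, so a burst is a stronger
    signal than any single lookup."""
    counts = Counter(client for _ts, client, _q in hits)
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_suspicious_queries(SAMPLE_DNS_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {qname}")
    print("clients cycling candidate domains:", clients_cycling_domains(found))
```

A single match is weak evidence on its own; the per-client burst count is what an analyst would alert on.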
A notable feature of Coruna is that it is not deployed against devices in Lockdown Mode, or when the user is in private browsing. To counter the threat, iPhone users are advised to keep their devices up to date and to enable Lockdown Mode for enhanced protection.
