A powerful exploit framework called the Coruna iOS Exploit Kit has been discovered targeting Apple iPhones running iOS 13.0 through 17.2.1. According to researchers from Google's Threat Intelligence Group (GTIG), the kit contains 23 distinct vulnerabilities organized into five complete exploit chains, making it one of the most advanced iOS attack tools observed in recent years.
Security experts say the toolkit, also known as CryptoWaters, is not effective against the latest versions of iOS. However, it poses a serious risk to millions of devices still running older versions of the operating system.
The discovery highlights a growing cybersecurity concern: advanced spyware and surveillance tools are increasingly being reused and circulated among different threat actors, including nation-state attackers and financially motivated cybercriminals.
The Coruna exploit kit is a sophisticated framework designed to exploit multiple vulnerabilities in Apple’s iOS operating system. Researchers found that it includes five full exploit chains and 23 individual exploits capable of attacking iPhones running various versions of iOS.
Unlike commodity malware, the kit is a highly structured, engineered framework that combines multiple attack techniques into a single system. According to GTIG, it integrates several non-public exploitation techniques and mitigation bypasses that let attackers defeat Apple's built-in security protections.
The framework connects all the exploit components through a shared infrastructure, allowing threat actors to easily deploy different exploits depending on the victim’s device configuration.
The attack begins with a custom JavaScript framework designed to collect information about the target device. When a victim visits a compromised website, the framework performs device fingerprinting to determine whether the visitor is using an iPhone or iPad.
The script collects important details such as:
Device model
iOS version
Browser environment
Security settings
Once the system confirms that the device is a real iPhone and identifies its operating system version, it loads the appropriate WebKit remote code execution (RCE) exploit.
Many of these attacks rely on vulnerabilities in WebKit, the browser engine behind Safari. On the affected iOS versions, third-party browsers are also required to use WebKit, so switching browsers offers no protection against these chains.
One key vulnerability exploited by the toolkit is CVE-2024-23222, a type confusion bug in WebKit that allows arbitrary code execution when a victim visits a malicious web page. Apple patched it in January 2024 in iOS 17.3 and related updates, noting at the time that the issue may have been exploited in the wild.
After the WebKit exploit gains code execution inside the browser process, the chain continues with further stages, including a Pointer Authentication Code (PAC) bypass, allowing attackers to move beyond the browser process and gain deeper control over the device.
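The version gate described above, reproduced as an added example (this is not the kit's code, nor GTIG's): an iOS WebKit user-agent string is parsed for device type and OS version, the version is checked against the kit's stated 13.0 to 17.2.1 window, and the names of the chains whose version ranges the article lists are returned. The same function doubles as a quick check of whether a given user agent falls inside the affected window. The 17.x entry for Cassowary is an assumption derived from its iOS 17.3 patch version; the article does not state its range.

```javascript
// Added example, not code from the Coruna kit. Mirrors the fingerprint-then-select
// step: parse the iOS version out of a WebKit user agent and map it to the chains
// whose ranges the article lists. Version ranges come from the article; the
// Cassowary range is assumed from its 17.3 patch and is not stated there.

// Matches "(iPhone; CPU iPhone OS 15_4_1 like Mac OS X)" and "(iPad; CPU OS 15_4 like ...)".
// Caveat: iPadOS 13+ sends a desktop (Macintosh) user agent by default, so a UA-only
// check misses most iPads; the kit's fingerprinting reportedly uses more signals.
const UA_RE = /\((iPhone|iPad|iPod);[^)]*?OS (\d+)_(\d+)(?:_(\d+))?/;

// Ranges as given in the article (Neutron, Dynamo and Buffout overlap on iOS 13).
const CHAINS = [
  { name: "Neutron",    min: [13, 0, 0], max: [13, 99, 99] },
  { name: "Dynamo",     min: [13, 0, 0], max: [13, 99, 99] },
  { name: "Buffout",    min: [13, 0, 0], max: [15, 1, 1] },
  { name: "Jacurutu",   min: [15, 2, 0], max: [15, 5, 99] },
  { name: "IronLoader", min: [16, 0, 0], max: [16, 99, 99] },
  { name: "Cassowary",  min: [17, 0, 0], max: [17, 2, 1] }, // assumed range, see above
];
const KIT_MIN = [13, 0, 0];
const KIT_MAX = [17, 2, 1];

// Returns { device, version: [major, minor, patch] } or null for non-iOS user agents.
function parseIosUa(ua) {
  const m = UA_RE.exec(ua);
  if (!m) return null;
  return { device: m[1], version: [Number(m[2]), Number(m[3]), Number(m[4] || 0)] };
}

// Lexicographic compare of [major, minor, patch]; negative if a < b.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Decide whether the UA is in the kit's window and which listed chains cover it.
function selectChains(ua) {
  const info = parseIosUa(ua);
  if (!info) return { affected: false, reason: "not an iOS WebKit user agent", chains: [] };
  const v = info.version;
  if (cmpVersion(v, KIT_MIN) < 0 || cmpVersion(v, KIT_MAX) > 0) {
    return { ...info, affected: false, reason: "outside 13.0-17.2.1", chains: [] };
  }
  const chains = CHAINS
    .filter((c) => cmpVersion(v, c.min) >= 0 && cmpVersion(v, c.max) <= 0)
    .map((c) => c.name);
  return { ...info, affected: true, chains }; // chains may be empty: in window, range not listed
}

// Constructed sample user agents for a stand-alone run.
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Safari/605.1.15",
];
for (const ua of SAMPLE_UAS) console.log(JSON.stringify(selectChains(ua)));
```

Versions inside the 13.0 to 17.2.1 window that match none of the listed ranges (15.6 through 15.x, for instance) still come back `affected: true` with an empty `chains` list, since the article only gives ranges for some of the 23 exploits.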
Researchers found that the exploit kit changed hands multiple times during 2025, demonstrating the existence of a thriving market for high-end cyberattack tools.
According to GTIG, the toolkit followed this path:
Early 2025: Used by a commercial surveillance vendor
Mid 2025: Acquired by a government-backed threat actor
Late 2025: Used by financially motivated cybercriminals operating from China
Although the exact method of transfer remains unknown, the findings suggest that second-hand zero-day exploit markets are becoming more active, enabling multiple attackers to reuse the same vulnerabilities.
Security company iVerify described Coruna as one of the clearest examples of spyware-grade capabilities moving from surveillance companies to nation-state actors and eventually criminal groups.
In July 2025, researchers observed the exploit framework being distributed through compromised websites, which loaded it from the attacker-controlled domain cdn.uacounter[.]com.
The malicious code was injected into legitimate Ukrainian websites related to:
Industrial equipment
Retail tools
Local services
E-commerce platforms
Visitors who reached these websites from an iPhone unknowingly triggered a hidden iframe, which loaded the exploit framework.
The campaign is believed to be linked to a suspected Russian espionage group tracked as UNC6353.
Interestingly, the exploit was only delivered to selected iPhone users located in specific geographic regions, indicating highly targeted attacks.
Another wave of attacks appeared in December 2025, when researchers discovered a network of fake Chinese websites designed to deliver the Coruna exploit kit.
These websites mostly focused on financial services and investment platforms. They encouraged visitors to open the pages using an iPhone or iPad for a “better user experience.”
Once a victim opened the site on an iOS device, the page injected a hidden iframe that loaded the exploit kit.
This campaign is linked to a threat cluster identified as UNC6691.
Unlike the earlier campaign, these attacks did not restrict victims based on geographic location, allowing wider distribution of the exploit kit.
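Both campaigns above pulled the kit in through a hidden iframe injected into an otherwise legitimate page. The following added example (not code from the article, GTIG or iVerify) is a dependency-free triage scanner a defender can run over saved HTML: it lists every iframe, marks those hidden by style, size or the `hidden` attribute, and flags hidden cross-origin frames and any frame whose host is on a watch list. The sample page, the embed URL and the path on the watch-listed host are constructed for the example; only the host name cdn.uacounter[.]com comes from the article (written undefanged here so it parses).

```javascript
// Added example, not from the article or the researchers it cites. Regex-based
// iframe triage for saved HTML pages; a real HTML parser is better for production use.

const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
const ATTR = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR.lastIndex = 0;
  while ((m = ATTR.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  // A bare boolean "hidden" attribute has no "=", so the regex above misses it.
  if (/(^|\s)hidden(?=\s|$)/i.test(raw)) attrs.hidden = "";
  return attrs;
}

// Host of an absolute or protocol-relative URL; null for relative (same-origin) URLs.
function hostOf(src) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(src);
  return m ? m[1].toLowerCase() : null;
}

// Heuristics for frames a visitor cannot see: display/visibility/opacity,
// 0-1 px dimensions (attribute or inline style), or pushed far off-screen.
function looksHidden(attrs) {
  if ("hidden" in attrs) return true;
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  if (/display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)) return true;
  if (/(?:^|;)(?:width|height):[01](?:px)?(?:;|$)/.test(style)) return true;
  if (/(?:left|top):-\d{3,}px/.test(style)) return true;
  const tiny = (v) => v !== undefined && Number.parseFloat(v) <= 1;
  return tiny(attrs.width) || tiny(attrs.height);
}

// Scan a page; watchlist entries match the host exactly or as a parent domain.
function findInjectedIframes(html, watchlist = []) {
  const watch = watchlist.map((h) => h.toLowerCase());
  const findings = [];
  let m;
  IFRAME_TAG.lastIndex = 0;
  while ((m = IFRAME_TAG.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || "";
    const host = hostOf(src);
    const hidden = looksHidden(attrs);
    const onWatchlist = host !== null && watch.some((w) => host === w || host.endsWith("." + w));
    findings.push({
      src, host, hidden, onWatchlist,
      // Hidden cross-origin frames and anything on the watch list are worth a look.
      suspicious: onWatchlist || (hidden && host !== null),
    });
  }
  return findings;
}

// Constructed sample: a visible, legitimate embed plus an injected 1x1 off-screen
// frame loading from the host the July 2025 campaign used. The path is made up.
const SAMPLE_HTML = `
<html><body>
<h1>Industrial pumps catalogue</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc123"></iframe>
<p>Contact our sales team for a quote.</p>
<iframe src="https://cdn.uacounter.com/c/index.html"
        style="position:absolute; width:1px; height:1px; left:-9999px;"></iframe>
</body></html>`;

const WATCHLIST = ["cdn.uacounter.com"];

for (const f of findInjectedIframes(SAMPLE_HTML, WATCHLIST)) {
  if (f.suspicious) console.log("SUSPICIOUS iframe:", f.src, f.hidden ? "(hidden)" : "");
}
```

Run it over a crawl of pages from a site you own to catch the injection pattern described above; the watch list should be fed from current indicators, and the hidden-frame rule will also surface benign trackers, which is acceptable for triage.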
After successfully exploiting the device, the attackers deploy a malware loader known as PlasmaLoader, also tracked as PLASMAGRID.
This malicious program can:
Decode QR codes embedded in images
Download additional malware modules
Communicate with remote command-and-control servers
The malware steals sensitive information, including wallet contents and private data from popular cryptocurrency applications such as:
Base
Bitget Wallet
Exodus
MetaMask
PlasmaLoader also contains a domain generation algorithm (DGA) that produces fallback command-and-control domains if the primary servers become unavailable.
Researchers discovered 23 vulnerabilities inside the exploit kit targeting multiple iOS versions. Some of the most notable include:
Neutron – CVE-2020-27932 (iOS 13)
Dynamo – CVE-2020-27950 (iOS 13)
Buffout – CVE-2021-30952 (iOS 13 to 15.1.1)
Jacurutu – CVE-2022-48503 (iOS 15.2 to 15.5)
IronLoader – CVE-2023-32409 (iOS 16)
Photon – CVE-2023-32434
Gallium – CVE-2023-38606
Parallax – CVE-2023-41974
Terrorbird – CVE-2023-43000
Cassowary – CVE-2024-23222
Sparrow – CVE-2024-23225
Rocket – CVE-2024-23296
Some vulnerabilities used in the toolkit, among them the kernel bugs CVE-2023-32434 and CVE-2023-38606, were previously linked to Operation Triangulation, a large-scale iPhone espionage campaign.
Despite the sophistication of the Coruna exploit kit, there are several ways users can reduce their risk.
Security experts recommend the following steps:
Update your iPhone regularly to the latest iOS version
Enable Lockdown Mode, which sharply reduces the attack surface that advanced spyware relies on
Avoid visiting suspicious or unknown websites
Keep Safari and system apps updated
Interestingly, researchers observed that the Coruna exploit kit does not execute on devices with Lockdown Mode enabled or in private browsing sessions, suggesting Apple's security features can significantly reduce risk. The private-browsing behaviour is a choice made by the kit's operators rather than a protection Apple guarantees, so it should not be relied on; Lockdown Mode and keeping iOS current are the controls that hold.
The discovery of the Coruna exploit kit shows how advanced mobile attack tools are evolving quickly. Tools once used only for targeted espionage are now appearing in broader cybercrime campaigns.
As attackers continue to reuse and resell exploit frameworks, keeping devices updated and practicing safe browsing habits will remain critical for protecting personal data and digital assets.