A sophisticated iOS exploit kit known as "Coruna" has changed hands among several threat actors over the past year. The kit moved from a commercial surveillance vendor, to use in suspected state-sponsored espionage, and finally into the hands of financially motivated criminals. This account comes from an extensive investigation by Google's Threat Intelligence Group (GTIG).
The Coruna exploit kit is notably powerful, containing five complete exploit chains and a total of 23 different exploits. GTIG analysts note that the exploit list covers vulnerabilities tracked under Common Vulnerabilities and Exposures (CVE) identifiers as well as some flaws that have no CVE identifier. GTIG's ongoing analysis may result in updated CVE assignments for those vulnerabilities.
The vulnerabilities the kit exploits carry severe consequences, including remote code execution and sandbox escape. The chains are delivered through ordinary web content and take advantage of flaws in WebKit's memory management and other core browser components.
Among the officially recognized CVEs that are included in the Coruna exploit kit are:
- CVE-2024-23222, a WebKit vulnerability exploited as a zero-day, which was patched in early 2024.
- CVE-2022-48503, a WebKit flaw that was incorporated into the CISA’s Known Exploited Vulnerabilities catalog in October 2025.
- CVE-2023-43000, which was rectified in Safari 16.6 and iOS 16.6 in November 2025.
- CVE-2023-38606 and CVE-2023-32434, both of which were zero-day exploits associated with Operation Triangulation and identified by Kaspersky in 2023.
- CVE-2023-32409, a WebKit flaw also exploited as a zero-day vulnerability.
Unmasking the Coruna iOS Exploit Kit
The vulnerabilities used by the Coruna exploit kit are primarily older issues, and most, if not all, have since been patched. The kit's coverage, with varying degrees of reliability, spans iPhone models running iOS 13.0, released in September 2019, through iOS 17.2.1, released in December 2023.
Google's threat researchers first observed the kit in February 2025, when it was being used by a customer of a surveillance vendor. Its use continued into July 2025, in watering hole attacks by a suspected Russian espionage group on Ukrainian websites. By December 2025 it was appearing on fraudulent Chinese gambling and cryptocurrency platforms.
The researchers successfully retrieved the entirety of the exploit kit along with its obfuscated exploits. A notable breakthrough occurred when the actor deployed a debug version of the kit, revealing critical information regarding the names of the exploits and the exploit kit itself.
The analysis also uncovered a stager binary intended for delivery through the scam gambling websites. This payload can decode QR codes from images stored on the device, search for sensitive terms such as "backup phrase" or "bank account", and load additional modules that extract cryptocurrency wallets or other sensitive data from various crypto wallet applications.
The Continuing Mystery of Coruna’s Proliferation
According to the researchers, “the core technical value of this exploit kit lies in its comprehensive collection of iOS exploits.” They elaborated that the exploits are accompanied by extensive documentation, including comments and docstrings written in native English. Some of the more advanced exploits utilize non-public exploitation strategies and bypass methods for established security measures.
Despite the detailed investigation, the exact route by which Coruna passed through such varied hands remains unclear. That uncertainty points to an active market for "second-hand" zero-day exploits, a troubling trend in the threat landscape.
Importantly, GTIG emphasized that Coruna is ineffective against the latest iOS releases and strongly recommended that users upgrade to the most recent version. For iPhones that remain on older versions and cannot be promptly updated, enabling Lockdown Mode or using private browsing can block the kit: Coruna performs checks for these settings and declines to run when they are active.
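As an added example, not part of the GTIG report, the following Python triages a device inventory against the iOS version window the article gives for Coruna (13.0 through 17.2.1) and the Lockdown Mode mitigation it describes. The inventory records and their field names (`id`, `os_version`, `lockdown_mode`) are constructed assumptions standing in for an MDM export.

```python
# Added example: flag devices in the iOS version window the report gives for Coruna.
# AFFECTED_MIN/AFFECTED_MAX are the article's stated range; everything else is assumed.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

def parse_ios_version(s):
    """Turn '17.2' or '17.2.1' into a comparable 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad iOS version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def in_affected_window(version):
    """True if the version lies inside the range the kit is reported to target."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX

def triage(devices):
    """Return (device_id, status) pairs.
    'update'         in the window, no mitigation: upgrade iOS
    'mitigated'      in the window but Lockdown Mode on (the kit checks and bails)
    'outside_window' newer or older than the reported range
    'unknown'        version string could not be parsed
    """
    results = []
    for d in devices:
        try:
            exposed = in_affected_window(d["os_version"])
        except ValueError:
            results.append((d["id"], "unknown"))
            continue
        if not exposed:
            results.append((d["id"], "outside_window"))
        elif d.get("lockdown_mode"):
            results.append((d["id"], "mitigated"))
        else:
            results.append((d["id"], "update"))
    return results

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "os_version": "17.2.1", "lockdown_mode": False},
    {"id": "iphone-02", "os_version": "17.3", "lockdown_mode": False},
    {"id": "iphone-03", "os_version": "16.6", "lockdown_mode": True},
    {"id": "iphone-04", "os_version": "12.5.7", "lockdown_mode": False},
    {"id": "iphone-05", "os_version": "n/a", "lockdown_mode": False},
]

if __name__ == "__main__":
    for device_id, status in triage(SAMPLE_INVENTORY):
        print(device_id, status)
```

Devices marked `mitigated` should still be scheduled for an upgrade; Lockdown Mode only blocks this kit's own self-check, per the report.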
The evolving picture surrounding the Coruna exploit kit underscores the ever-present challenges faced by technology users in an increasingly digitized world. As threats evolve, vigilance and proactive defense measures remain paramount to safeguarding sensitive information and maintaining cybersecurity integrity.
