
Google announced that it has identified a “new and powerful” exploit kit called Coruna (also known as CryptoWaters) targeting Apple iPhone models running iOS versions 13.0 through 17.2.1.
According to the Google Threat Intelligence Group (GTIG), the exploit kit included five complete iOS exploit chains and a total of 23 exploits. It has no effect on the latest versions of iOS. The findings were first reported by WIRED.
According to GTIG, “The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, the most advanced of which use private exploit techniques and mitigation bypasses.” “The framework surrounding the exploit kit is very well designed. The exploit parts are all naturally connected and combined using common utilities and exploit frameworks.”
The kit is said to have circulated among multiple threat actors since February 2025, moving from commercial surveillance operations to government-sponsored actors, and finally to financially motivated actors based in China by December.
Although it is currently unknown how the exploit kit ended up in the hands of these attackers, Google said its findings indicate that there is an active market for second-hand zero-day exploits that can be reused by other threat actors for their own purposes. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.
“Coruna is one of the most significant examples we’ve seen of advanced spyware-grade capabilities moving from commercial surveillance vendors into the hands of nation-state actors and ultimately into large-scale criminal operations,” iVerify said.
The mobile security vendor said the use of this sophisticated exploit framework marks the first time exploits have been observed in high volume against iOS devices, and signals that spyware attacks are moving from highly targeted to widespread deployment.
Google said it first captured part of an iOS exploit chain used by a customer of an unnamed surveillance vendor early last year, and that the exploit was integrated into a JavaScript framework never seen before. The framework is designed to fingerprint a device to determine whether it is genuine and to collect details such as the specific iPhone model and the version of iOS it is running.
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by a Pointer Authentication Code (PAC) bypass. The exploit in question is related to CVE-2024-23222, a type confusion bug in WebKit that Apple patched in January 2024 in iOS 17.3 and iPadOS 17.3, and in iOS 16.7.5 and iPadOS 16.7.5.

In July 2025, the same JavaScript framework was detected again when the domain cdn.uacounter[.]com was loaded as a hidden iFrame on compromised Ukrainian websites, including sites for industrial equipment, retail tools, local services, and e-commerce. A Russian espionage group tracked as UNC6353 is believed to be behind this campaign.
What’s interesting about this activity is that the framework was only distributed to specific iPhone users from specific geolocations. The exploits introduced as part of the framework consist of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit.
It is worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6 released in July 2023. However, the security release notes were updated to include an entry regarding this vulnerability only on November 11, 2025.
The JavaScript framework was detected a third time in December 2025. A series of fake Chinese websites, most of them finance-related, were found to drop the iOS exploit kit after instructing visitors to open them from an iPhone or iPad for a better user experience. This activity is attributed to the threat cluster tracked as UNC6691.
When these websites are accessed via an iOS device, a hidden iFrame is inserted and the Coruna exploit kit containing CVE-2024-23222 is delivered. In this case, the distribution of the exploit was not restricted by geolocation criteria.
Further analysis of the threat actor’s infrastructure revealed a debug version of the exploit kit, along with various samples covering five complete iOS exploit chains. A total of 23 exploits have been identified, spanning versions from iOS 13 to iOS 17.2.1.
Some of the CVEs exploited by this kit and their corresponding iOS versions are listed below.
“Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation,” Google said. “The Coruna exploit kit also includes reusable modules that facilitate exploitation of the aforementioned vulnerabilities.”
In June 2023, the Russian government claimed that Operation Triangulation was the work of the U.S. National Security Agency, accusing the agency of hacking “thousands” of Apple devices owned by domestic subscribers and diplomats as part of “reconnaissance operations.”
UNC6691 has been observed weaponizing this exploit to distribute a stager binary codenamed PlasmaLoader (also known as PLASMAGRID), which is designed to decode QR codes from images and execute additional modules retrieved from external servers, allowing it to steal cryptocurrency wallets and sensitive information from various apps such as Base, Bitget Wallet, Exodus, and MetaMask.
“The implant includes a hard-coded list of C2s, but has a fallback mechanism in case the server is unresponsive,” GTIG added. “This implant embeds a custom domain generation algorithm (DGA) that uses the string ‘lazarus’ as a seed to generate a list of predictable domains. The domain is 15 characters long and uses .xyz as the TLD. Attackers use Google’s public DNS resolver to verify whether a domain is active.”
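The DGA description above gives a defender two cheap hunting signals in DNS telemetry: second-level .xyz labels of exactly 15 characters that look machine-generated (high character entropy, few vowels), and clients that query Google's public resolvers directly instead of the organization's own resolver. The following Python is an added detection example, not code from Google, GTIG or the article; the log format, the client and resolver addresses, and the query names are constructed, the thresholds are assumptions to be tuned against real traffic, and the 15-character figure is interpreted here as the length of the label before the .xyz suffix, which the article does not make explicit.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample DNS query log: timestamp, client IP, resolver IP, query name.
# None of these names are indicators from the article.
SAMPLE_DNS_LOG = """\
2025-12-03T10:14:02Z 10.0.5.23 10.0.0.53 www.apple.com
2025-12-03T10:14:05Z 10.0.5.23 8.8.8.8 qkzrtwmvbplxdgh.xyz
2025-12-03T10:14:05Z 10.0.5.23 8.8.8.8 mzoqtafkruvgzhe.xyz
2025-12-03T10:14:09Z 10.0.5.41 10.0.0.53 documentation.xyz
2025-12-03T10:14:11Z 10.0.5.23 8.8.8.8 metamask.io
2025-12-03T10:14:15Z 10.0.5.77 10.0.0.53 internationally.xyz
"""

# Google Public DNS addresses (real); the corporate resolver is an assumption.
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}
CORPORATE_RESOLVERS = {"10.0.0.53"}

# Hypothetical thresholds: a random 15-letter label has entropy near log2(15) ~ 3.9
# and a vowel ratio near 5/26 ~ 0.19; English words score lower / higher respectively.
LABEL_PATTERN = re.compile(r"[a-z0-9]+")


@dataclass(frozen=True)
class DnsEvent:
    ts: str
    client: str
    resolver: str
    qname: str


def parse_dns_log(text: str) -> list[DnsEvent]:
    """Parse whitespace-separated log lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(DnsEvent(*parts))
    return events


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in the label."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_coruna_dga(qname: str, expected_len: int = 15, tld: str = "xyz",
                          min_entropy: float = 3.2, max_vowel_ratio: float = 0.35) -> bool:
    """Heuristic match for <15-char label>.xyz names that do not look like words."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != tld:
        return False
    label = labels[0]
    if len(label) != expected_len or not LABEL_PATTERN.fullmatch(label):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_dga_candidates(events: list[DnsEvent]) -> list[DnsEvent]:
    return [e for e in events if looks_like_coruna_dga(e.qname)]


def find_resolver_bypass(events: list[DnsEvent]) -> list[DnsEvent]:
    """Queries sent straight to Google Public DNS instead of the corporate resolver."""
    return [e for e in events
            if e.resolver in GOOGLE_PUBLIC_DNS and e.resolver not in CORPORATE_RESOLVERS]


def triage(text: str) -> dict:
    """Group both signals by client so an analyst sees which hosts to look at first."""
    events = parse_dns_log(text)
    report: dict[str, dict[str, list[str]]] = {}
    for e in find_dga_candidates(events):
        report.setdefault(e.client, {"dga": [], "bypass": []})["dga"].append(e.qname)
    for e in find_resolver_bypass(events):
        report.setdefault(e.client, {"dga": [], "bypass": []})["bypass"].append(e.qname)
    return report


if __name__ == "__main__":
    for client, hits in triage(SAMPLE_DNS_LOG).items():
        print(client, hits)
```

A host that both queries Google Public DNS directly and resolves random-looking 15-character .xyz names is a far stronger lead than either signal alone; the entropy and vowel checks exist only to drop ordinary dictionary-word domains that happen to be 15 characters long.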
What’s notable about Coruna is that it does not run if the device is in Lockdown Mode or the user is browsing in private mode. To counter this threat, iPhone users are advised to keep their devices updated and to enable Lockdown Mode for added protection.
