Google said it identified a “new and powerful” exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It’s not effective against the latest version of iOS. The findings were first reported by WIRED.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” according to GTIG. “The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.”
The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December.
It’s currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.
“Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,” iVerify said.
The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.
Google said it first captured parts of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework. The framework is designed to fingerprint the device to determine if it’s real and gather details, including the specific iPhone model and iOS software version it is running.
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in question relates to CVE-2024-23222, a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3 and iOS 16.7.5 and iPadOS 16.7.5.
Fast forward to July 2025, the same JavaScript framework was detected on the domain “cdn.uacounter[.]com,” which was loaded as a hidden iFrame on compromised Ukrainian websites. This included websites catering to industrial equipment, retail tools, local services, and e-commerce. A suspected Russian espionage group named UNC6353 is assessed to be behind the campaign.
What’s interesting about the activity was that the framework was delivered only to certain iPhone users from a specific geolocation. The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit.
It’s worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include an entry for the vulnerability only on November 11, 2025.
The third time the JavaScript framework was detected in the wild was in December 2025. A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience. The activity is attributed to a threat cluster tracked as UNC6691.
Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222. The exploit delivery, in this case, was not constrained by any geolocation criteria.
Further analysis of the threat actor’s infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains. A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified.
Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below –
“Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation,” Google said. “The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities.”
In June 2023, the Russian government claimed the campaign was the work of the U.S. National Security Agency, accusing it of hacking “several thousand” Apple devices belonging to domestic subscribers and foreign diplomats as part of a “reconnaissance operation.”
UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that’s designed to decode QR codes from images and run additional modules retrieved from an external server, allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask, among others.
“The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond,” GTIG added. “The implant embeds a custom domain generation algorithm (DGA) using the string ‘lazarus’ as a seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as a TLD. The attackers use Google’s public DNS resolver to validate if the domains are active.”
A notable aspect of Coruna is that it skips execution on devices in Lockdown Mode, or if the user is in private browsing. To counter the threat, iPhone users are advised to keep their devices up to date, and enable Lockdown Mode for enhanced security.
