Coruna iOS Exploit Kit: Advanced Zero-Day Framework Now Fueling Crypto Theft

CyberSecureFox 🦊

Google’s Threat Intelligence Group (GTIG) has disclosed a highly sophisticated iOS exploit kit known as Coruna (also referenced as CryptoWaters), targeting iPhone and iPad devices from iOS 13.0 up to iOS 17.2.1. The framework comprises five complete exploit chains and 23 distinct vulnerabilities. While current iOS releases are no longer vulnerable to Coruna’s known exploits, the scale, quality and reuse of this toolkit across both espionage and criminal campaigns raise significant concerns for mobile security.

Architecture of the Coruna iOS Exploit Kit and Core Attack Techniques

According to GTIG, Coruna is designed as a modular exploitation framework rather than a single exploit. Individual vulnerabilities are wrapped in shared utilities and libraries, allowing operators to assemble tailored exploit chains for different iOS versions and device models.

Attacks start with the execution of JavaScript in the victim’s browser. The script fingerprints the device, determining the exact iPhone model and iOS version, then delivers a matching WebKit remote code execution (RCE) exploit. WebKit is the browser engine behind Safari and many embedded iOS browsers, making it a high-value target for attackers seeking code execution through a single visit to a malicious or compromised website.

Once initial code execution is achieved, Coruna employs advanced modules to bypass Pointer Authentication Code (PAC), a hardware-backed protection introduced by Apple to prevent pointer manipulation and make memory exploitation more difficult. By defeating PAC, attackers can reliably pivot from a browser exploit towards deeper system compromise.

One of the key vulnerabilities targeted is CVE-2024-23222, a type confusion flaw in WebKit. Apple patched this bug in iOS 17.3 (January 2024). Its inclusion in Coruna illustrates how quickly high-end exploit developers weaponize WebKit bugs and underscores the critical importance of timely iOS and Safari updates.

GTIG’s analysis shows that Coruna offers operators a complete kill chain: WebKit RCE, PAC bypass, sandbox escape, kernel-level privilege escalation and bypass of the Page Protection Layer (PPL), an internal mechanism designed to protect critical kernel memory regions. The exploits are extensively documented with docstrings and English-language comments, a hallmark of commercial-grade tooling rather than ad-hoc “homebrew” malware.

From Commercial Spyware Vendor to Second-Hand Zero-Day Market

GTIG first observed Coruna in February 2025 within the infrastructure of a commercial spyware provider. Over time, the same exploit kit appeared in operations attributed to groups likely linked to state entities, and by December 2025 it had been adopted by a financially motivated threat actor based in China.

This trajectory supports the hypothesis of an informal “second-hand zero-day market”, where previously exclusive exploits, including those built for government customers, are later resold or leaked to other actors. Security company iVerify has highlighted Coruna as a clear example of how commercial spyware capabilities can escape initial control and ultimately fuel broader criminal activity.

Targeted Web Attacks on Ukraine and Chinese Cryptocurrency Users

Compromised Ukrainian Websites and Targeted iOS Espionage

In July 2025, the same JavaScript framework used by Coruna was identified on cdn.uacounter[.]com. The exploit kit was injected via hidden iFrames into compromised Ukrainian websites, including e-commerce portals, industrial equipment suppliers and local service platforms. GTIG attributes this campaign to a likely Russian-speaking espionage group tracked as UNC6353.

Coruna was delivered in a highly selective manner: only certain iPhone users were targeted based on geolocation and additional profiling criteria. This level of discrimination is typical of modern intelligence-driven operations, where high-value targets are quietly compromised while the broader user base remains unaffected, reducing the chance of discovery.

Fake Chinese Crypto and Finance Sites Used for Wallet Theft

By December 2025, Coruna resurfaced on numerous fraudulent Chinese financial and cryptocurrency websites. Visitors were urged to access the sites from an iPhone or iPad “for the best experience”. Once on mobile Safari, a hidden iFrame silently loaded the Coruna exploit kit. This activity is associated with the financially motivated group UNC6691.
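Both campaigns above reached victims the same way: an iframe that is invisible to the user and pulls content from a third-party origin. A site owner or incident responder checking whether their pages carry such an injection can scan the HTML for that pattern. The scanner below is an added example, not GTIG's, iVerify's or the page's own code; the hostnames and sample HTML in it are constructed, and the set of "hidden" CSS properties it checks is an assumption about common injection styles, not a complete list.

```python
"""Flag hidden, off-site iframes in a web page's HTML.

Added example (not GTIG's or the page's own code). The injection pattern
described above is an <iframe> that is visually hidden and loads a
third-party origin; this scanner walks a page and reports such frames.
Hostnames and the sample HTML are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make a frame invisible (assumed common cases, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append(dict(attrs))


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def hidden_reasons(attrs):
    """Return the reasons an iframe with these attributes is invisible to the user."""
    reasons = []
    style = attrs.get("style") or ""
    if HIDDEN_STYLE.search(style):
        reasons.append("css-hidden")
    if OFFSCREEN.search(style):
        reasons.append("off-screen")
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        reasons.append("zero-size")
    if "hidden" in attrs:  # bare HTML hidden attribute
        reasons.append("hidden-attribute")
    return reasons


def find_suspicious_iframes(html, page_url):
    """Report iframes that are both hidden and sourced from a host other than the page's."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()  # "" for relative src
        offsite = bool(host) and host != page_host
        reasons = hidden_reasons(attrs)
        if offsite and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: one visible same-site frame, two hidden third-party
# frames, and one hidden same-site frame that must not be reported.
PAGE_URL = "https://www.shop.example/product/42"
SAMPLE_HTML = """
<html><body>
<h1>Shop</h1>
<iframe src="https://www.shop.example/checkout" width="600" height="400"></iframe>
<iframe src="https://cdn.tracker.invalid/c.html" style="display:none"></iframe>
<iframe src="//stats.tracker.invalid/f.html" width="0" height="0"></iframe>
<iframe src="/help" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, PAGE_URL):
        print(f"{f['host']}: {', '.join(f['reasons'])} ({f['src']})")
```

Run against a crawl of your own site's HTML, the two constructed tracker frames are reported and the legitimate checkout frame and the hidden same-site help frame are not. Frames injected by JavaScript at runtime are not visible to a static scan; for those, compare the rendered DOM from a headless browser against the served HTML.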

The final stage of these attacks deployed a loader dubbed PlasmaLoader (also known as PlasmaGrid). The loader injected itself into the legitimate system process powerd, hindering detection, and then fetched plug-ins built to steal cryptocurrency wallets such as MetaMask, Phantom, Exodus, BitKeep and others. The malware harvested seed phrases, data from Apple Memos and additional sensitive information, encrypted it with AES, and exfiltrated it to attacker-controlled servers.

For resilience, PlasmaLoader implemented a Domain Generation Algorithm (DGA), using the string “lazarus” to generate numerous .xyz domains. DGAs make it difficult for defenders to fully dismantle command-and-control infrastructure because infected devices can continually discover fresh domains as older ones are blocked or taken down.
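Because the generated domains change, defenders typically hunt for the shape of DGA traffic rather than a fixed blocklist: a client resolving several never-seen, high-entropy names under one TLD in a short window. The script below is an added example, not PlasmaLoader's algorithm (the page does not publish it) and not GTIG or Kaspersky code; it applies generic lexical heuristics to constructed DNS log lines, and the feature thresholds and the `.xyz` weighting are assumptions chosen for illustration.

```python
"""Score DNS queries for DGA-like names and find clients bursting on them.

Added example. Not the PlasmaLoader DGA (which the article does not
publish) and not vendor code: generic lexical heuristics over constructed
log lines. Thresholds and the suspicious-TLD list are assumptions.
"""
import math
import re
from collections import Counter, defaultdict

VOWELS = set("aeiou")
# Matches the constructed log format below; adapt to your resolver's fields.
QNAME_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def shannon_entropy(text):
    """Bits of entropy per character of text (0 for empty)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_non_vowel_run(label):
    """Longest run of characters that are not a-e-i-o-u (digits count as non-vowels)."""
    longest = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def dga_score(domain, suspicious_tlds=("xyz",)):
    """Return (score, reasons) for the registrable label of domain.

    Each heuristic adds one point; the thresholds are assumptions.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return 0, []
    tld, label = parts[-1], parts[-2]
    reasons = []
    if shannon_entropy(label) > 3.5:
        reasons.append("high-entropy label")
    if len(label) >= 12:
        reasons.append("long label")
    if longest_non_vowel_run(label) >= 4:
        reasons.append("unpronounceable run")
    if any(ch.isdigit() for ch in label):
        reasons.append("digits in label")
    if tld in suspicious_tlds:
        reasons.append(f"tld .{tld}")
    return len(reasons), reasons


def flag_dga_queries(log_text, threshold=3):
    """Parse log lines and return the queries whose score reaches threshold."""
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        score, reasons = dga_score(m["qname"])
        if score >= threshold:
            hits.append({"client": m["client"], "qname": m["qname"],
                         "score": score, "reasons": reasons})
    return hits


def clients_with_burst(hits, min_distinct=2):
    """Clients that resolved at least min_distinct distinct flagged names."""
    per_client = defaultdict(set)
    for h in hits:
        per_client[h["client"]].add(h["qname"])
    return sorted(c for c, names in per_client.items() if len(names) >= min_distinct)


# Constructed resolver log: benign names, one real-looking short .xyz name
# (abc.xyz) that must not be flagged, and two machine-looking .xyz names.
SAMPLE_DNS_LOG = """\
2025-12-03T10:01:11Z client=10.0.0.12 qname=apple.com qtype=A
2025-12-03T10:01:12Z client=10.0.0.12 qname=metamask.io qtype=A
2025-12-03T10:01:13Z client=10.0.0.12 qname=q7vxk2mzr9tb.xyz qtype=A
2025-12-03T10:01:14Z client=10.0.0.12 qname=3w4f9kq.xyz qtype=A
2025-12-03T10:01:15Z client=10.0.0.12 qname=abc.xyz qtype=A
2025-12-03T10:01:16Z client=10.0.0.12 qname=cloudfront.net qtype=A
"""

if __name__ == "__main__":
    hits = flag_dga_queries(SAMPLE_DNS_LOG)
    for h in hits:
        print(f"{h['client']} {h['qname']} score={h['score']} ({', '.join(h['reasons'])})")
    print("bursting clients:", clients_with_burst(hits))
```

The per-query score alone produces false positives on CDN hostnames and short vanity domains, which is why the burst step matters: a device that keeps resolving fresh flagged names after earlier ones stop answering is the behaviour the article describes, and that is the signal worth alerting on and correlating with the device's process or MDM telemetry.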

Links to Operation Triangulation and Strategic Impact

Among Coruna’s 23 exploits, researchers identified modules abusing CVE-2023-32434 and CVE-2023-38606, vulnerabilities previously documented in Operation Triangulation by Kaspersky. However, Kaspersky reports no clear evidence of direct source-code reuse and sees no basis to attribute Coruna’s authorship to the Operation Triangulation operators. This suggests that multiple advanced actors had access to, or independently developed, exploit capabilities for the same iOS bugs.

Defensive Takeaways for iOS Users and Organizations

GTIG notes that Coruna’s chains do not successfully execute on devices with Lockdown Mode enabled or when using the private browsing mode in Safari. Lockdown Mode aggressively reduces the attack surface by disabling many rich-content features, while private browsing restricts persistent state and cross-site tracking data. Although these modes reduce usability, they demonstrably hinder complex exploit kits such as Coruna.

On 5 March 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three Coruna-related bugs—CVE-2021-30952, CVE-2023-41974 and CVE-2023-43000—to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to apply patches no later than 26 March 2026. Inclusion in KEV signals that a vulnerability is actively exploited in the wild and should be prioritized in patch management programs globally.

For individual iOS users, essential measures include installing iOS and Safari updates as soon as they are released, considering Lockdown Mode when facing elevated risk (journalists, activists, executives), limiting browsing to trusted websites, using only official app stores, and keeping cryptocurrency wallet seed phrases strictly offline (hardware wallets or secure physical backups).

For organizations, mitigating threats like Coruna requires a structured vulnerability management process, continuous monitoring of mobile device activity via MDM and security telemetry, and rapid response to advisories from CISA, Apple and major threat intelligence vendors. Coruna vividly illustrates how the convergence of commercial spyware, zero-day markets and cryptocurrency-focused cybercrime is reshaping the risk landscape for iOS. Continual patching, hardening high-risk users and investing in mobile threat detection are now indispensable steps to limit the window of opportunity for similar exploit kits.
