Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
#Vulnerabilities
Security Reporter

Google Threat Intelligence Group uncovered Coruna, a sophisticated iOS exploit kit with 23 zero-day exploits spanning five chains that has circulated among commercial surveillance, nation-state, and criminal actors since 2025.

Google's Threat Intelligence Group has uncovered a sophisticated iOS exploit kit dubbed Coruna (also known as CryptoWaters) that represents one of the most comprehensive mobile surveillance frameworks ever discovered. The kit features five complete iOS exploit chains and a total of 23 exploits targeting Apple devices running iOS versions between 13.0 and 17.2.1.

From Commercial Surveillance to Criminal Operations

What makes Coruna particularly alarming is its journey through different threat actor ecosystems. Initially developed for commercial surveillance operations, the framework has since passed through government-backed attackers before landing in the hands of financially motivated Chinese threat actors by December 2025. This progression highlights an active secondary market for zero-day exploits where sophisticated capabilities rapidly proliferate beyond their original intended use.

Mobile security firm iVerify noted that Coruna bears similarities to frameworks previously linked to U.S. government-affiliated threat actors. The vendor emphasized that this represents "one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations."

Mass Exploitation Marks New Era for iOS Attacks

Perhaps most concerning is that Coruna marks the first observed instance of mass exploitation against iOS devices. This shift from highly targeted spyware attacks to broad deployment indicates a troubling evolution in mobile threat tactics. The framework's sophisticated design and comprehensive exploit coverage suggest it was built for widespread deployment rather than surgical strikes.

Google first detected fragments of the exploit chain in early 2025 when analyzing iOS exploits used by an unnamed surveillance company's customer. These components were integrated into a previously unseen JavaScript framework designed with remarkable sophistication.

Technical Architecture and Delivery Mechanisms

The JavaScript framework employs a multi-stage delivery approach that begins with device fingerprinting to verify the target is a real iPhone and determine its specific model and iOS version. Based on this fingerprint data, the framework loads the appropriate WebKit remote code execution (RCE) exploit, followed by executing a pointer authentication code (PAC) bypass.

One of the exploits, CVE-2024-23222, is a type confusion bug in WebKit that Apple patched in January 2024 with iOS 17.3 and iPadOS 17.3, as well as iOS 16.7.5 and iPadOS 16.7.5. The framework's modular design allows it to dynamically select and chain exploits based on the target device's characteristics.

Campaign Evolution and Attribution

Google observed the framework's deployment across three distinct campaigns:

February 2025: Initial capture of iOS exploit chain fragments used by commercial surveillance customers.

July 2025: Detection on "cdn.uacounter[.]com" domain loaded as hidden iFrames on compromised Ukrainian websites. This campaign targeted industrial equipment, retail tools, local services, and e-commerce sites, delivering exploits including CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000. The activity was attributed to suspected Russian espionage group UNC6353 and was geographically constrained to specific iPhone users.

December 2025: A cluster of fake Chinese financial websites was found delivering the exploit kit. Unlike the Ukrainian campaign, this deployment had no geolocation restrictions. The activity was attributed to threat cluster UNC6691, which weaponized the exploit to deliver a stager binary codenamed PlasmaLoader (also called PLASMAGRID).
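The July campaign loaded the kit through hidden iframes injected into compromised websites. The scanner below is an added example for site owners and responders, not code from Google or any vendor named here: it walks a page's HTML and flags iframes that are either hidden and third-party or that point at the loader host the report names. The sample page, the site host `example-shop.ua` and the size/style heuristics are constructed assumptions.

```python
"""Flag hidden third-party iframes of the kind used to load Coruna from
cdn.uacounter[.]com on compromised sites (added defender example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator named in the report; extend with your own blocklist.
KNOWN_LOADER_HOSTS = {"cdn.uacounter.com"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "opacity:0")

def _tiny(value):
    """True for 0px/1px dimensions, another common way to hide a frame."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(m in style for m in HIDDEN_STYLE_MARKERS):
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))

class IframeScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if host in KNOWN_LOADER_HOSTS:
            reasons.append("known-loader-host")
        if host and host != self.site_host and _is_hidden(a):
            reasons.append("hidden-third-party-iframe")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def scan_html(html, site_host):
    scanner = IframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one visible embed, one hidden loader, one same-site frame.
SAMPLE = """<html><body><h1>Shop</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.uacounter.com/c.js" style="display: none"></iframe>
<iframe src="https://example-shop.ua/help" width="0" height="0"></iframe>
</body></html>"""
```

Running `scan_html(SAMPLE, "example-shop.ua")` reports only the `cdn.uacounter.com` frame; the visible embed and the zero-size same-site frame are not flagged.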

The Exploit Arsenal

The Coruna framework contains exploits spanning iOS versions from 13 to 17.2.1:

  • Neutron - CVE-2020-27932 (iOS 13.x)
  • Dynamo - CVE-2020-27950 (iOS 13.x)
  • buffout - CVE-2021-30952 (iOS 13 → 15.1.1)
  • jacurutu - CVE-2022-48503 (iOS 15.2 → 15.5)
  • IronLoader - CVE-2023-32409 (iOS 16.0 → 16.3.116.4.0)
  • Photon - CVE-2023-32434 (iOS 14.5 → 15.7.6)
  • Gallium - CVE-2023-38606 (iOS 14.x)
  • Parallax - CVE-2023-41974 (iOS 16.4 → 16.7)
  • terrorbird - CVE-2023-43000 (iOS 16.2 → 16.5.1)
  • cassowary - CVE-2024-23222 (iOS 16.6 → 17.2.1)
  • Sparrow - CVE-2024-23225 (iOS 17.0 → 17.3)
  • Rocket - CVE-2024-23296 (iOS 17.1 → 17.4)

Google noted that Photon and Gallium exploit vulnerabilities previously used in Operation Triangulation, a campaign Russia attributed to the U.S. National Security Agency in June 2023.

Post-Exploitation Capabilities

Once deployed, the PlasmaLoader stager decodes QR codes from images and retrieves additional modules from external servers. This enables exfiltration of cryptocurrency wallets and sensitive information from apps including Base, Bitget Wallet, Exodus, and MetaMask. The implant features hard-coded command-and-control servers but includes fallback mechanisms using a custom domain generation algorithm seeded with "lazarus" to create predictable .xyz domains, which attackers validate using Google's public DNS resolver.
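The fallback described above (random-looking .xyz domains checked through Google's public resolver) leaves a network-level trace even though the DGA itself is not published. The hunt below is an added example, not Google's code or anything recovered from the malware: it reads a constructed DNS query log and flags direct lookups to 8.8.8.8 or 8.8.4.4 for bare .xyz domains whose label looks machine-generated. The log format, the entropy and vowel thresholds, and the sample lines are all assumptions to tune against your own traffic.

```python
"""Hunt DNS logs for PlasmaLoader-style C2 fallback lookups (added example)."""
import math
import re

GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
# Assumed log format: "<timestamp> <client> -> <resolver> <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic: generated labels tend to be long, high-entropy and vowel-poor."""
    vowels = sum(label.count(v) for v in "aeiou")
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)

def hunt(log_lines):
    """Return (client, qname) for suspicious .xyz lookups sent to Google DNS."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, resolver, _qtype, qname = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        # Only direct lookups to Google's public resolvers for bare <label>.xyz names,
        # the validation path the report describes.
        if resolver not in GOOGLE_DNS or len(labels) != 2 or labels[-1] != "xyz":
            continue
        if looks_generated(labels[0]):
            hits.append((client, qname))
    return hits

# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "2025-12-03T10:01:22Z 10.0.0.5 -> 10.0.0.2 A www.example.com",
    "2025-12-03T10:01:23Z 10.0.0.5 -> 8.8.8.8 A qz7kxv2mtrwp.xyz",
    "2025-12-03T10:01:24Z 10.0.0.5 -> 8.8.8.8 A myshop.xyz",
    "2025-12-03T10:01:25Z 10.0.0.7 -> 8.8.4.4 A bk3xwq9lhs.xyz",
]

if __name__ == "__main__":
    for client, qname in hunt(SAMPLE_LOG):
        print(f"{client} looked up suspicious domain {qname}")
```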

Security Implications and Mitigation

The Coruna framework demonstrates several sophisticated anti-detection features. It skips execution on devices in Lockdown Mode and avoids private browsing sessions. This suggests the attackers are aware of iOS security features and actively work to circumvent them.

For iPhone users, Google recommends keeping devices updated to the latest iOS version and enabling Lockdown Mode for enhanced security. The framework's ineffectiveness against the latest iOS versions underscores the importance of timely software updates.

Broader Context

The discovery of Coruna represents a significant escalation in mobile threat sophistication. The framework's journey from commercial surveillance to nation-state and criminal use demonstrates how zero-day exploits become democratized over time. Its mass deployment capabilities suggest we may be entering an era where sophisticated mobile spyware attacks are no longer limited to high-value targets but can be scaled to affect millions of users.

The proliferation of such capabilities raises serious questions about the commercial surveillance industry's role in enabling widespread surveillance and the challenges of containing advanced exploit technologies once they enter the wild.
