An iOS exploit framework has revealed how advanced mobile attack tools can move quickly from surveillance operations to espionage and financial crime.

Google's Threat Intelligence Group (GTIG) identified Coruna, a powerful exploit kit containing 23 vulnerabilities across five exploit chains that were used to compromise thousands of iPhones throughout 2025.

"The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using private exploitation techniques and mitigation bypasses," the researchers said.

Inside the Coruna iOS exploit framework

According to GTIG, Coruna was capable of targeting Apple devices running iOS versions released between September 2019 and December 2023.

Researchers uncovered the toolkit after a threat actor mistakenly deployed a debug build of the framework, inadvertently exposing internal code names and documentation embedded within the exploit kit.

The discovery provided rare insight into how the framework was structured and how its exploit chains were designed to target different iOS versions.

Tracking Coruna across multiple threat actors

GTIG researchers were also able to track Coruna across three distinct threat-actor ecosystems throughout 2025, offering an unusual glimpse into how sophisticated exploit frameworks circulate within the cyber threat landscape.

In many cases, advanced tools initially developed for surveillance purposes are later reused or repurposed by state-sponsored espionage groups and eventually by financially motivated cybercriminals.

Coruna's multi-stage attack campaign

The earliest observed activity involving Coruna occurred in February 2025, when researchers identified components of an exploit chain delivered through a previously unknown JavaScript framework.

The code was designed to fingerprint visiting devices by identifying the iPhone model and installed iOS version before delivering a tailored exploit.
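The version gating that such a fingerprinting stage performs, reproduced here as an added example (this is not Coruna's code or Google's) so a security team can sweep its own user-agent telemetry for devices that fell inside the targeted window. The mapping of "iOS versions released between September 2019 and December 2023" to iOS 13.0 through the 17.2.x point releases is an assumption of this example, not a statement from the article; the user agents are constructed.

```javascript
// Added example (not Coruna's code or Google's): the kind of version gating the
// kit's fingerprinting stage performs on the visiting browser, reproduced so a
// security team can sweep its own user-agent telemetry for devices that would
// have been served a chain.
//
// Assumption, not stated in the article: "iOS versions released between
// September 2019 and December 2023" is taken to mean iOS 13.0 through the
// 17.2.x point releases.
const TARGET_MIN = [13, 0];
const TARGET_MAX = [17, 2]; // compared on major.minor only, so 17.2.1 is inside

// Mobile Safari on iPhone identifies the OS as "CPU iPhone OS 16_5 like Mac OS X".
// Caveat: iPad on iPadOS 13+ sends a desktop Macintosh user agent by default,
// so a user-agent-only check reports it as "not-iphone"; a kit running in the
// page can still fingerprint it through other browser properties.
const IPHONE_OS_RE = /\(iPhone; CPU iPhone OS (\d+)_(\d+)(?:_(\d+))?/;

function parseIosVersion(userAgent) {
  const m = IPHONE_OS_RE.exec(userAgent);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic compare over the first `depth` version components.
function compareVersion(a, b, depth) {
  for (let i = 0; i < depth; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function classifyUserAgent(userAgent) {
  const version = parseIosVersion(userAgent);
  if (version === null) return { status: "not-iphone", version: null };
  const inWindow =
    compareVersion(version, TARGET_MIN, 2) >= 0 &&
    compareVersion(version, TARGET_MAX, 2) <= 0;
  return { status: inWindow ? "in-window" : "out-of-window", version };
}

// Count a batch of user agents by outcome; a first pass at fleet triage.
function summarizeUserAgents(userAgents) {
  const counts = { "in-window": 0, "out-of-window": 0, "not-iphone": 0 };
  for (const ua of userAgents) counts[classifyUserAgent(ua).status] += 1;
  return counts;
}

// Constructed sample user agents (not captured traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15",
];

console.log(summarizeUserAgents(SAMPLE_UAS));
```

Two devices in the sample set (iOS 16.5 and 17.2.1) fall inside the assumed window, the iOS 12 and iOS 18 devices fall outside it, and the desktop Mac user agent is not classified at all, which is the iPad caveat in practice: a user-agent sweep gives a lower bound on exposure, not an inventory.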

Once a suitable target was identified, the framework triggered a WebKit remote code execution (RCE) vulnerability followed by a Pointer Authentication Code (PAC) bypass, enabling attackers to execute malicious code on the device and advance further along the exploitation chain.

By summer 2025, the same infrastructure appeared in campaigns linked to a Russian espionage group tracked as UNC6353.

In this phase, attackers injected malicious code into dozens of compromised Ukrainian websites spanning industries such as retail, industrial services, and e-commerce. The exploit chain was delivered through a hidden iframe hosted on the domain cdn.uacounter[.]com.

To reduce detection and improve targeting precision, the exploit was selectively triggered only for iPhone users located within specific geographic regions.

In late 2025, researchers discovered the complete Coruna exploit kit being used in a campaign attributed to a financially motivated Chinese threat group tracked as UNC6691. In this stage, attackers deployed the exploit across a network of fraudulent cryptocurrency and financial websites designed to lure victims into visiting the pages on an iPhone.

One example involved a fake website impersonating the WEEX cryptocurrency exchange that displayed pop-up prompts encouraging users to access the platform on their mobile devices, which is what triggered the exploit chain.

How the Coruna exploit kit works

At its core, Coruna contains 23 exploits organized into five complete attack chains, allowing attackers to progress from an initial browser compromise to full device control.

The framework combines several vulnerability classes, including WebKit memory-corruption flaws, sandbox-escape vulnerabilities, privilege-escalation techniques, and Page Protection Layer (PPL) bypasses that allow attackers to gain deeper control over the operating system.

Key vulnerabilities used in the exploit framework include:

  • CVE-2021-30952 – WebKit memory-corruption flaw providing a read/write primitive
  • CVE-2023-32409 – WebKit sandbox-escape vulnerability
  • CVE-2023-32434 – kernel privilege-escalation flaw
  • CVE-2024-23222 – WebKit type-confusion flaw
  • CVE-2024-23225 – kernel memory-protection (PPL) bypass

Two exploits within the framework, Photon and Gallium, were previously associated with Operation Triangulation, the high-profile iOS espionage campaign uncovered by Kaspersky in 2023.

Their reuse in Coruna demonstrates how threat actors often combine previously discovered vulnerabilities with new exploitation techniques to assemble more advanced and reliable attack frameworks.

How security teams can reduce mobile risk

Because the attack relies on multiple vulnerabilities, web-based delivery, and post-exploitation data theft, effective defenses require a layered mobile security strategy.

  • Ensure all iPhones are updated to the latest iOS version and enforce automatic patching through mobile device management (MDM).
  • Enable Apple Lockdown Mode on high-risk or executive devices, as Coruna aborts exploitation when this feature is active.
  • Deploy mobile threat defense (MTD) solutions integrated with MDM to detect exploit attempts, suspicious behavior, and anomalous network activity.
  • Monitor network traffic for indicators of compromise, including connections to suspicious *.xyz domains and unusual HTTP request headers such as sdkv or x-ts.
  • Restrict access to unverified financial and cryptocurrency websites, and limit the installation of high-risk applications, such as crypto wallets, on corporate devices.
  • Harden enterprise iOS configurations by enforcing app allowlists, restricting untrusted configuration profiles, and limiting unnecessary device services or sharing features.
  • Regularly test incident response plans and mobile security playbooks to ensure teams can quickly detect, investigate, and contain mobile device compromise.
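The network-monitoring item above can be turned into a concrete triage pass. The following Node.js script is an added example, not code from the GTIG report or the original article: it scans proxy log lines for the indicators the article names (the delivery host cdn.uacounter[.]com, connections to *.xyz domains, and the request headers sdkv and x-ts) and tags hits that came from iPhone clients. The one-JSON-object-per-line log format and the sample lines are constructed for the example; adapt parseLine() to your proxy's export.

```javascript
// Added example for triage, not code from the GTIG report or the article:
// a Node.js pass over HTTP proxy logs for the network indicators the article
// lists: the delivery host cdn.uacounter[.]com, connections to *.xyz domains,
// and the unusual request headers "sdkv" and "x-ts". Hits from iPhone clients
// are tagged, since the kit only fired for iPhones.
//
// Assumption: one JSON object per line with ts, src, host, path, ua and
// headers fields. Adapt parseLine() to your proxy's export format.

// The article writes the host defanged as cdn.uacounter[.]com; matching needs
// the routable form. Do not browse to it.
const KNOWN_DELIVERY_HOSTS = new Set(["cdn.uacounter.com"]);
const SUSPICIOUS_TLDS = new Set(["xyz"]);
const SUSPICIOUS_HEADERS = new Set(["sdkv", "x-ts"]);

// Normalise a Host value: lower-case, strip any port and trailing dot.
function normalizeHost(host) {
  return String(host || "").toLowerCase().split(":")[0].replace(/\.$/, "");
}

function hostIndicators(host) {
  const h = normalizeHost(host);
  const hits = [];
  if (KNOWN_DELIVERY_HOSTS.has(h)) hits.push("known-delivery-host");
  const tld = h.slice(h.lastIndexOf(".") + 1);
  if (h.includes(".") && SUSPICIOUS_TLDS.has(tld)) hits.push("suspicious-tld:" + tld);
  return hits;
}

// HTTP header names are case-insensitive, so normalise before matching.
function headerIndicators(headers) {
  return Object.keys(headers || {})
    .map((k) => k.toLowerCase())
    .filter((k) => SUSPICIOUS_HEADERS.has(k))
    .map((k) => "header:" + k);
}

function parseLine(line) {
  return JSON.parse(line);
}

function triageLine(line) {
  let rec;
  try {
    rec = parseLine(line);
  } catch (e) {
    return { error: "unparseable", line };
  }
  const hits = [...hostIndicators(rec.host), ...headerIndicators(rec.headers)];
  // Tag the client only when an indicator fired; an iPhone UA alone is not a hit.
  if (hits.length && /iPhone/.test(rec.ua || "")) hits.push("iphone-client");
  return { ts: rec.ts, src: rec.src, host: normalizeHost(rec.host), hits };
}

// Return only the lines that matched an indicator or failed to parse.
function triageLog(text) {
  return text
    .split("\n")
    .filter((l) => l.trim() !== "")
    .map(triageLine)
    .filter((r) => r.error || r.hits.length > 0);
}

// Constructed sample log lines, not captured traffic.
const SAMPLE_LOG = [
  '{"ts":"2025-07-14T09:12:01Z","src":"10.20.5.41","host":"cdn.uacounter.com","path":"/c.js","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1","headers":{"Accept":"*/*"}}',
  '{"ts":"2025-07-14T09:12:04Z","src":"10.20.5.77","host":"stats.example.xyz:443","path":"/s","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36","headers":{"SDKV":"3","X-TS":"1720950724"}}',
  '{"ts":"2025-07-14T09:12:09Z","src":"10.20.5.41","host":"www.example.com","path":"/","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1","headers":{"Accept":"text/html"}}',
  "garbage line that is not JSON",
].join("\n");

for (const r of triageLog(SAMPLE_LOG)) console.log(JSON.stringify(r));
```

Two design points matter in practice: header names are matched case-insensitively because proxies and clients disagree on capitalisation, and unparseable lines are surfaced rather than dropped, since a log gap during an incident is itself worth a look. A *.xyz match on its own is a weak signal and should feed a review queue, not an automatic block.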

By implementing these measures, organizations can limit the potential blast radius of mobile compromises while building resilience.

Editor's note: This article originally appeared on our sister site, eSecurityPlanet.
