Coruna Exploit Kit Uses 23 Vulnerabilities and Five Attack Chains Against iPhones Running iOS 13–17.2.1

04.03.2026 3 minutes Author: Newsman

Security researchers from Google Threat Intelligence Group have uncovered a powerful exploit kit called Coruna (also known as CryptoWaters) that uses 23 exploits across five complete attack chains to compromise Apple iPhones running iOS versions between 13.0 and 17.2.1. While the exploit kit does not work on the latest iOS versions, experts describe it as one of the most advanced iOS exploitation frameworks observed in the wild.

According to Google, the exploit kit contains a sophisticated infrastructure capable of automatically fingerprinting devices to identify the iPhone model and iOS version, allowing attackers to deploy the most suitable exploit chain.

“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.”

After collecting device information, the JavaScript framework launches a WebKit remote code execution (RCE) exploit, followed by a Pointer Authentication Code (PAC) bypass to gain deeper system access. One of the key vulnerabilities used is CVE-2024-23222, a WebKit type confusion flaw patched by Apple in January 2024 with iOS 17.3.

Researchers found that the Coruna exploit kit has circulated among multiple threat actors since February 2025. Initially, the toolkit appeared in commercial surveillance operations, later moving into nation-state cyber campaigns, and eventually reaching financially motivated cybercriminal groups linked to China.

In July 2025, the exploit framework was detected on the domain cdn.uacounter[.]com, which was embedded as a hidden iframe on compromised Ukrainian websites related to industrial equipment, retail tools, and e-commerce platforms. The campaign has been attributed to a suspected Russian espionage group known as UNC6353. The exploit kit was selectively delivered only to iPhone users from specific geographic locations.

By late 2025, the exploit kit began appearing in financially motivated cybercrime campaigns. Researchers discovered a network of fake Chinese websites instructing visitors to open them using an iPhone or iPad for a better browsing experience. When accessed from an iOS device, the pages injected a hidden iframe delivering the Coruna exploit kit. A debug version of the framework revealed the complete toolkit containing 23 exploits targeting iOS versions from 13 to 17.2.1.

Some of the vulnerabilities used include:

  • CVE-2020-27932
  • CVE-2020-27950
  • CVE-2021-30952
  • CVE-2022-48503
  • CVE-2023-32409
  • CVE-2023-32434
  • CVE-2023-38606
  • CVE-2023-41974
  • CVE-2023-43000
  • CVE-2024-23222
  • CVE-2024-23225
  • CVE-2024-23296

Several of these vulnerabilities were previously exploited as zero-days during Operation Triangulation, which underscores how advanced the toolkit is. Coruna also reflects a growing trend in which spyware-grade exploitation frameworks migrate from targeted intelligence operations into large-scale cybercriminal campaigns, significantly increasing the risk for mobile users. Security experts strongly recommend keeping iOS devices updated and enabling Lockdown Mode for enhanced protection.
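A defender-side triage built on two facts from this article, the delivery domain and the targeted iOS range, follows as an added example; it is not code from Google's report or from this site. The tab-separated proxy log layout, the verdict labels and the sample lines are constructed assumptions.

```python
import re

# From the article: the delivery domain (kept defanged in source) and the iOS
# range the kit targets. The log layout is an assumption for this example.
IOC_DOMAIN = "cdn.uacounter[.]com".replace("[.]", ".")
AFFECTED_MIN, AFFECTED_MAX = (13, 0, 0), (17, 2, 1)

# iOS browsers report the OS version as "iPhone OS 16_6_1" or "CPU OS 16_6" (iPad).
UA_IOS = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*?\bOS (\d+)_(\d+)(?:_(\d+))?")

def ios_version(user_agent):
    """Return (major, minor, patch) from an iOS user agent, or None."""
    m = UA_IOS.search(user_agent)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def in_affected_range(version):
    # Tuple comparison avoids the string trap where "17.10" sorts before "17.2".
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def triage(log_lines):
    """Return (client, version, verdict) for each request to the IoC domain."""
    findings = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t", 2)   # client, host, user agent
        if len(parts) != 3 or parts[1].lower().rstrip(".") != IOC_DOMAIN:
            continue
        client, _, ua = parts
        ver = ios_version(ua)
        if in_affected_range(ver):
            verdict = "affected-ios"        # prioritise: device is in the kit's range
        elif ver is not None:
            verdict = "ios-out-of-range"    # still a hit on the domain, lower priority
        else:
            verdict = "non-ios"
        findings.append((client, ver, verdict))
    return findings

# Constructed sample proxy log lines (not real traffic).
_UA = "Mozilla/5.0 ({}) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
SAMPLE_LOG = [
    "10.0.0.11\tcdn.uacounter.com\t" + _UA.format("iPhone; CPU iPhone OS 16_6_1 like Mac OS X"),
    "10.0.0.12\tcdn.uacounter.com\t" + _UA.format("iPhone; CPU iPhone OS 17_3 like Mac OS X"),
    "10.0.0.13\tCDN.UACOUNTER.COM\t" + _UA.format("iPad; CPU OS 17_2_1 like Mac OS X"),
    "10.0.0.14\texample.org\t" + _UA.format("iPhone; CPU iPhone OS 15_0 like Mac OS X"),
    "10.0.0.15\tcdn.uacounter.com\tMozilla/5.0 (X11; Linux x86_64)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The user agent is client-supplied, so treat the parsed version as a triage hint and confirm the device's actual iOS version through MDM inventory.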
