Coruna: Advanced iOS exploit kit fueling financial crime

A potent iOS exploit kit has been identified by Google’s Threat Intelligence Group (GTIG) as it transitioned through various threat actor groups over the past year. Initially emerging from a commercial surveillance operation, it has since been linked to state-sponsored espionage and ultimately fallen into the hands of financially motivated hackers.

The exploit kit, dubbed 'Coruna' by its creators, comprises five complete iOS exploit chains and features a total of 23 distinct exploits.

The vulnerabilities include both flaws tracked with Common Vulnerabilities and Exposures (CVE) identifiers and several that have not received one. GTIG analysts indicate that ongoing investigations may lead to updates in CVE associations.

These vulnerabilities allow for remote code execution and sandbox escapes by exploiting weaknesses in WebKit’s memory management and other browser subsystems.

Some of the notable CVEs included in this exploit kit are:

  • CVE-2024-23222: A WebKit flaw that was exploited as a zero-day and subsequently patched in early 2024.
  • CVE-2022-48503: A WebKit vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog in October 2025.
  • CVE-2023-43000: This flaw was fixed in Safari 16.6 and iOS 16.6 in November 2025.
  • CVE-2023-38606 and CVE-2023-32434: Both were used as zero-days during Operation Triangulation, which was uncovered by Kaspersky in 2023.
  • CVE-2023-32409: A WebKit vulnerability that was exploited as a zero-day.

Unveiling the Coruna Exploit Kit

The vulnerabilities utilized by the Coruna exploit kit are primarily older issues, most of which have been addressed in subsequent updates.

This exploit kit has demonstrated the ability to target iPhone models running iOS versions ranging from 13.0, released in September 2019, to 17.2.1, released in December 2023.

GTIG first noticed its use in February 2025 by a client of a surveillance firm. The kit was later observed in July 2025 during watering hole attacks conducted by a suspected Russian espionage group targeting Ukrainian websites. By December 2025, it was also seen being deployed through fraudulent Chinese gambling and cryptocurrency websites.

Researchers were able to retrieve the entire exploit kit along with all of its obfuscated exploits. In one instance, a debug version of the kit revealed the exploits’ code names and the kit’s title.

Furthermore, they analyzed the stager binary intended to be delivered through the scam gambling sites. This malicious payload has the capability to decode QR codes from image files on the device, search for sensitive keywords such as “backup phrase” or “bank account,” and execute additional modules that could extract cryptocurrency wallets or other sensitive information from various crypto-wallet applications like Metamask and BitKeep.

The Mystery of Coruna's Proliferation

The core technical significance of this exploit kit lies in its extensive collection of iOS exploits, as highlighted by the researchers.

They noted that the exploits come with thorough documentation, including comments and docstrings written in fluent English. Many of the sophisticated exploits utilize non-public techniques to bypass existing mitigations.

While the precise means by which this kit has been adopted by a diverse array of threat actors remains unclear, researchers suggest that there is an active market for “second-hand” zero-day exploits.

It has been confirmed that Coruna is ineffective against the latest iOS version, and users are strongly encouraged to upgrade their devices.

For those who are unable to upgrade, putting the device into Lockdown Mode or using private browsing can provide a level of protection, as Coruna checks for these defensive configurations before executing.

UPDATE (March 4, 2026, 06:10 a.m. ET):

iVerify researchers have also examined the exploit kit, as it was employed by Chinese cybercriminals, and have provided guidance on detecting infections triggered by Coruna.

Unlike conventional spyware designed for targeted surveillance, this recent campaign indicates a shift towards broader deployment aimed at regular iPhone users.

According to the company, “Anyone who visited a website with a vulnerable iOS version could potentially become infected.”

Co-founder Rocky Cole has also indicated that they believe the exploit chain shares similarities with frameworks previously developed by threat actors linked to the U.S. government.
