Google said it identified a “new and powerful” exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It is not effective against the latest version of iOS. The findings were first reported by WIRED.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” according to GTIG. “The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.”
The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally to a financially motivated threat actor operating from China by December.
It is currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own goals. In a related report, iVerify said the exploit kit is similar to earlier frameworks developed by threat actors affiliated with the U.S. government.
“Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,” iVerify said.
The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.
Google said it first captured components of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework. The framework is designed to fingerprint the device to determine whether it is real and to gather details, including the specific iPhone model and iOS software version it is running.
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in question relates to CVE-2024-23222, a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3, and iOS 16.7.5 and iPadOS 16.7.5.

Fast forward to July 2025, the same JavaScript framework was detected on the domain “cdn.uacounter[.]com,” which was loaded as a hidden iFrame on compromised Ukrainian websites. These included websites catering to industrial equipment, retail tools, local businesses, and e-commerce. A suspected Russian espionage group named UNC6353 is assessed to be behind the campaign.
What’s interesting about the activity was that the framework was delivered only to certain iPhone users from a specific geolocation. The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, the last of which is a use-after-free flaw in WebKit.
It is worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include an entry for the vulnerability only on November 11, 2025.
The third time a JavaScript framework was detected in the wild was in December 2025. A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit, while urging users to visit them from an iPhone or iPad for a better user experience. The activity is attributed to a threat cluster tracked as UNC6691.
Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222. The exploit delivery, in this case, was not constrained by any geolocation criteria.
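Both campaigns above deliver the kit through a hidden iFrame injected into an otherwise legitimate page. The following Python script is an added example (not code from Google, iVerify, or the kit itself) that a site owner can run over their own HTML to flag hidden frames pulling content from a foreign host; the sample page and the attacker hostname in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that commonly make an element invisible to the user.
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "opacity:0")


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    # "0", "0px", "1" and "1px" all count as effectively invisible.
    v = value.strip().lower().rstrip("px")
    return v in ("0", "1")


def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDDEN_STYLE_HINTS):
        return True
    return _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))


def find_suspicious_iframes(html, site_host):
    """Return src values of hidden iframes that load content from another host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        # Same-origin or relative frames are ignored; only hidden cross-host frames are reported.
        if host and host != site_host and is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed sample page (not a real compromised site); the injected frame host is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Industrial pumps catalogue</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.attacker-placeholder.invalid/loader.html" style="display: none"></iframe>
<iframe src="/internal-frame.html" width="0" height="0"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example-shop.invalid")` reports only the hidden cross-host frame; the visible embed and the zero-size same-origin frame are left alone.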
Further analysis of the threat actor’s infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains. A total of 23 exploits covering versions from iOS 13 to iOS 17.2.1 have been identified.
Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below –
“Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation,” Google said. “The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities.”
In December 2023, the Russian government claimed the campaign was the work of the U.S. National Security Agency, accusing it of hacking “several thousand” Apple devices belonging to domestic subscribers and foreign diplomats as part of a “reconnaissance operation.”
UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that is designed to decode QR codes from images and run additional modules retrieved from an external server, allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask, among others.
“The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond,” GTIG added. “The implant embeds a custom domain generation algorithm (DGA) using the string ‘lazarus’ as a seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as a TLD. The attackers use Google’s public DNS resolver to validate if the domains are active.”
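GTIG’s description of the fallback gives defenders a usable shape to hunt for in DNS telemetry: a burst of 15-character .xyz names resolved through Google Public DNS. The following Python script is an added example (not from GTIG’s report) that scores DNS query log lines against that shape; the log format and the sample lines are constructed, and it assumes the “15 characters” refers to the label before “.xyz”.

```python
import re
from collections import defaultdict

# Google Public DNS resolver addresses.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# Assumption: GTIG's "15 characters" is the length of the label in front of ".xyz".
DGA_LABEL_LEN = 15
DGA_TLD = "xyz"

# Constructed log format: "<ts> client=<ip> resolver=<ip> qname=<name>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) qname=(?P<qname>\S+)$"
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_dga_shape(qname):
    """True for exactly <15 alphanumerics>.xyz (no subdomains)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    return tld == DGA_TLD and len(sld) == DGA_LABEL_LEN and sld.isalnum()


def scan(lines, burst_threshold=3):
    """Return {client: sorted DGA-shaped names} for clients that resolved at least
    `burst_threshold` distinct such names via Google Public DNS, i.e. the fallback sweep."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["resolver"] in GOOGLE_DNS and matches_dga_shape(rec["qname"]):
            hits[rec["client"]].add(rec["qname"].rstrip(".").lower())
    return {c: sorted(names) for c, names in hits.items() if len(names) >= burst_threshold}


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """
2025-12-02T10:00:01Z client=10.0.0.5 resolver=8.8.8.8 qname=abcdefghijklmno.xyz
2025-12-02T10:00:01Z client=10.0.0.5 resolver=8.8.8.8 qname=pqrstuvwxyzabcd.xyz
2025-12-02T10:00:02Z client=10.0.0.5 resolver=8.8.8.8 qname=zyxwvutsrqponml.xyz
2025-12-02T10:00:03Z client=10.0.0.5 resolver=8.8.8.8 qname=www.example.com
2025-12-02T10:00:04Z client=10.0.0.9 resolver=10.0.0.2 qname=abcdefghijklmno.xyz
2025-12-02T10:00:05Z client=10.0.0.9 resolver=8.8.8.8 qname=short.xyz
""".strip().splitlines()
```

The burst threshold matters: a single 15-character .xyz lookup is not unusual on its own, whereas several distinct ones from one client through 8.8.8.8 in a short window mirrors the hard-coded-C2-then-DGA fallback described above.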
A notable aspect of Coruna is that it skips execution on devices in Lockdown Mode, or if the user is in private browsing. To counter the threat, iPhone users are advised to keep their devices up to date and enable Lockdown Mode for enhanced protection.