A powerful iOS exploit kit has circulated among multiple threat actors over the past year, moving from a commercial surveillance operation to state-linked espionage campaigns and, ultimately, into the hands of financially motivated hackers, according to new research from Google’s Threat Intelligence Group (GTIG).

“The exploit kit, named ‘Coruna’ by its developers, contained five full iOS exploit chains and a total of 23 exploits,” the analysts noted.

The exploit list includes both CVE-tracked vulnerabilities and flaws that were never assigned CVE identifiers. (Though, as GTIG analysts noted, their ongoing investigation may result in a revision to CVE associations.)

These vulnerabilities enable remote code execution and sandbox escapes via ordinary web content, exploiting flaws in WebKit’s memory handling and other browser subsystems.

Among the CVEs with an exploit in this kit are:

CVE-2024-23222, a WebKit flaw exploited as a zero-day and patched in early 2024

CVE-2022-48503, a WebKit vulnerability added to CISA’s Known Exploited Vulnerabilities catalog in October 2025

CVE-2023-43000, fixed in Safari 16.6 and iOS 16.6 in November 2025

CVE-2023-38606 and CVE-2023-32434, used as zero-days as part of Operation Triangulation, discovered by Kaspersky in 2023

CVE-2023-32409, a WebKit flaw exploited as a zero-day

Coruna iOS exploit kit unmasked

The vulnerabilities leveraged by the exploit kit are mostly years-old issues, and most of them (possibly all) have been fixed since then.

The exploit kit appears capable – with varying levels of reliability – of targeting iPhone models running iOS 13.0, released in September 2019, through iOS 17.2.1, released in December 2023.

Google’s threat researchers first observed it being used in February 2025 by a customer of a surveillance company, then in July 2025 in watering hole attacks (by a suspected Russian espionage group) against Ukrainian websites, and finally in December 2025, via fake Chinese gambling and crypto websites.

They managed to retrieve the complete exploit kit and all the obfuscated exploits. Then, due to the actor deploying a debug version of the exploit kit in one instance, they discovered the exploits’ code names and the name of the exploit kit.

In addition to this, they found and analyzed the stager binary that the exploit kit was meant to deliver through the scam gambling sites: a malicious payload that could decode QR codes from images on disk, look for keywords like “backup phrase” or “bank account”, and run additional modules that can exfiltrate cryptocurrency wallets or sensitive information from a variety of crypto-wallet apps (MetaMask, BitKeep, etc.).

Coruna proliferation is still a mystery

“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits,” the researchers opined.

“The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses.”

How the kit came to be used by such a wide range of threat actors remains unclear, but seems to point to an active market for “second hand” zero-day exploits, according to the researchers.

They confirmed that Coruna is not effective against the latest version of iOS and advised users to upgrade to it.

If your iPhone is still on one of the affected versions and you can’t upgrade, putting your device in Lockdown Mode or using private browsing neutralizes the kit, as Coruna performs checks to avoid execution under such defensive configurations.
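For anyone responsible for more than one device, the reported version range (iOS 13.0 through 17.2.1) and the Lockdown Mode mitigation can be applied to a device inventory export. The following is an added example, not code from GTIG or the original article; the CSV layout, column names and device names are constructed for illustration and do not reflect any real MDM schema.

```python
import csv
import io
import re

# Inclusive range the article reports the kit can target.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample export; columns are hypothetical.
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
ceo-iphone,17.2.1,no
lab-iphone,15.8.3,yes
kiosk-01,iOS 16.6,no
old-test-unit,12.5.7,no
field-22,17.3,no
intern-phone,unknown,no
"""

def parse_ios_version(text):
    """Return (major, minor, patch), or None if no version number is present."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    # Missing components ("17.3") are treated as zero so tuples compare cleanly.
    return tuple(int(g) if g else 0 for g in m.groups())

def in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def triage(inventory_csv):
    """Map device -> 'exposed', 'mitigated', 'outside-range' or 'unparsed'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_ios_version(row["os_version"])
        if version is None:
            status = "unparsed"        # never assume an unknown version is safe
        elif not in_affected_range(version):
            status = "outside-range"   # outside the reported range, not "patched"
        elif row["lockdown_mode"].strip().lower() == "yes":
            status = "mitigated"       # article: kit avoids running under Lockdown Mode
        else:
            status = "exposed"         # upgrade, or enable Lockdown Mode
        result[row["device"]] = status
    return result

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:15} {status}")
```

Devices marked `outside-range` on a version older than iOS 13.0 still need upgrading; the label only means they fall outside the range the researchers reported for this kit.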

