Introduction to the Coruna Exploit Kit
Google's Threat Intelligence Group (GTIG) has uncovered a formidable exploit kit, named Coruna, that targets Apple iPhones running iOS 13 through iOS 17.2.1. According to GTIG the kit bundles five complete exploit chains built from a total of 23 exploits. Current iOS releases are not affected by any of them. WIRED first reported the findings.
GTIG attributes Coruna's strength to the breadth of its iOS exploit collection, much of which relies on non-public techniques and mitigation bypasses. The engineering behind the framework is sophisticated: the individual exploits are tied together through shared utility and exploitation frameworks rather than shipped as one-off payloads.
Evolution and Distribution of Coruna
Since it was first observed in February 2025, the Coruna exploit kit has passed through several hands. It was initially used by a commercial surveillance vendor, then by a government-backed attacker, and by December by a financially motivated threat actor based in China. How the kit moved between these groups is unknown; the hand-offs themselves point to an active second-hand market for zero-day exploits.
iVerify has drawn parallels between Coruna and earlier frameworks tied to threat actors affiliated with the U.S. government. The spread of spyware-grade capabilities from commercial vendors to nation-state actors and on to broad criminal operations is, according to iVerify, a significant concern.
Technical Insights and Exploitation Techniques
Google first encountered fragments of an iOS exploit chain used by an unnamed surveillance firm in early 2025. The fragments revealed a previously unseen JavaScript framework that fingerprints the visiting device, identifies the specific iPhone model and determines the iOS version. Using that information, the framework selects and delivers a WebKit remote code execution (RCE) exploit matched to the device, followed by a pointer authentication code (PAC) bypass.
One of the vulnerabilities involved is CVE-2024-23222, a type confusion bug in WebKit that Apple patched in January 2024. The framework reappeared in July 2025 on the domain 'cdn.uacounter[.]com', loaded as a hidden iframe on compromised Ukrainian websites. The affected sites, spanning industries such as retail and e-commerce, were targeted by a suspected Russian espionage group tracked as UNC6353.
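The fingerprint-then-dispatch behaviour described above can be modelled as a version gate. The block below is an added illustration written for this page, not Coruna's code or anything recovered by GTIG: the chain names and the per-major-version split are made up, and only the overall 13.0 to 17.2.1 window comes from the report. Real kits key on more than the user agent (GPU, screen and feature probes), but the structure is the same: parse the version, compare it as a tuple, and hand back nothing at all for builds outside the window.

```javascript
// Added example: version gating in the style of an exploit-kit loader.
// Not Coruna's code. Chain names and sub-ranges are hypothetical; the only
// page-grounded fact is the 13.0 .. 17.2.1 target window.

// Parse "iPhone OS 17_2_1" from a Mobile Safari user agent into [17, 2, 1].
// A missing patch component ("iPhone OS 17_3") is treated as 0.
function parseIosVersion(userAgent) {
  const m = /iPhone OS (\d+)_(\d+)(?:_(\d+))?/.exec(userAgent);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of [major, minor, patch] tuples: -1, 0 or 1.
// String comparison would put "17.10" before "17.2"; tuples avoid that.
function compareVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Hypothetical chain table (constructed). Ranges are inclusive at both ends,
// so 17.2.1 is targeted and 17.3 falls through to "no chain".
const CHAINS = [
  { name: "chain-ios13", min: [13, 0, 0], max: [13, 99, 99] },
  { name: "chain-ios14", min: [14, 0, 0], max: [14, 99, 99] },
  { name: "chain-ios15", min: [15, 0, 0], max: [15, 99, 99] },
  { name: "chain-ios16", min: [16, 0, 0], max: [16, 99, 99] },
  { name: "chain-ios17", min: [17, 0, 0], max: [17, 2, 1] },
];

// Return the name of the chain that covers this device, or null when the
// device is not an iPhone or runs a build outside every range. A loader
// built this way is silent on patched devices, which is why crawling the
// landing page from a desktop browser shows nothing interesting.
function selectChain(userAgent) {
  const v = parseIosVersion(userAgent);
  if (v === null) return null;
  for (const c of CHAINS) {
    if (compareVersion(v, c.min) >= 0 && compareVersion(v, c.max) <= 0) {
      return c.name;
    }
  }
  return null;
}

// Constructed user agents for a quick stand-alone run.
const UA_TARGETED = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1";
const UA_PATCHED = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1";
const UA_DESKTOP = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15";

console.log(selectChain(UA_TARGETED), selectChain(UA_PATCHED), selectChain(UA_DESKTOP));
```

The practical consequence for defenders is the last point: because the gate returns nothing for unsupported versions, a landing page has to be fetched with a user agent inside the window (or from an instrumented device) before any exploit stage is served.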
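A site owner checking whether their pages carry the kind of hidden iframe described above needs two things: a way to spot iframes that are deliberately invisible, and a match against the known domain. The scanner below is an added example for this page, not tooling from GTIG or anyone mentioned in the report. The sample HTML is constructed, the indicator list holds only the domain named in the text (stored defanged and refanged on load), and the hidden-iframe heuristics are the usual ones (zero dimensions, display:none, visibility:hidden, opacity:0, off-screen positioning), so a clean page with a large off-screen iframe will still be flagged for review.

```javascript
// Added example: flag hidden iframes and iframes pointing at a known
// indicator host in page HTML. Not part of the GTIG report. The IoC list is
// kept defanged ("[.]") as it would be copied from a report.
const IOC_HOSTS = new Set(
  ["cdn.uacounter[.]com"].map((h) => h.replace("[.]", ".").toLowerCase())
);

// Pull a numeric width/height attribute out of a tag, or null if absent.
function attrNumber(tag, attr) {
  const m = new RegExp(attr + '\\s*=\\s*["\']?(\\d+)', "i").exec(tag);
  return m ? Number(m[1]) : null;
}

// Heuristics for an iframe the visitor was never meant to see.
function isHiddenIframe(tag) {
  const t = tag.toLowerCase();
  if (attrNumber(t, "width") === 0 || attrNumber(t, "height") === 0) return true;
  if (/display\s*:\s*none|visibility\s*:\s*hidden/.test(t)) return true;
  if (/opacity\s*:\s*0(?![.\d])/.test(t)) return true;        // opacity:0 but not 0.5
  return /(?:left|top)\s*:\s*-\d{3,}px/.test(t);               // parked off-screen
}

// Resolve the iframe's src to a hostname; protocol-relative "//host/path" is
// common in injected tags, so it is normalised before parsing.
function iframeSrcHost(tag) {
  const m = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
  if (!m) return null;
  const url = m[1].startsWith("//") ? "https:" + m[1] : m[1];
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // relative or malformed src: no host to match
  }
}

// Return one finding per iframe that is hidden, points at an IoC host, or both.
function findSuspiciousIframes(html, iocHosts = IOC_HOSTS) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const host = iframeSrcHost(tag);
    const hidden = isHiddenIframe(tag);
    const ioc = host !== null && iocHosts.has(host);
    if (hidden || ioc) findings.push({ host, hidden, ioc, tag });
  }
  return findings;
}

// Constructed sample page: one legitimate embed, one injected loader in the
// style described in the text, one off-screen frame of unknown purpose.
const SAMPLE_HTML = `<html><body>
<p>Shop</p>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
<iframe src="//cdn.uacounter.com/c.js?v=2" style="display:none;width:0;height:0"></iframe>
<iframe src="https://example.org/ad" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
</body></html>`;

for (const f of findSuspiciousIframes(SAMPLE_HTML)) {
  console.log(`${f.ioc ? "IOC   " : "hidden"} host=${f.host} ${f.tag}`);
}
```

Run it against the server-side copy of the page (or the HTML fetched with an iOS user agent), since an injected tag is sometimes only served to the devices the kit can exploit. An IoC match is a confirmed problem; a hidden frame with an unknown host is a lead to triage, not a verdict.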
Recent Developments and Security Measures
In December 2025 the Coruna exploit kit resurfaced behind a cluster of fake Chinese-language websites that prompted visitors to open them on an iOS device. GTIG attributes this activity to UNC6691. It yielded a debug build of the kit and samples exposing all five iOS exploit chains, covering iOS 13 through iOS 17.2.1.
The Russian government has accused the U.S. National Security Agency of using this campaign to compromise thousands of Apple devices for reconnaissance. Separately, UNC6691 has used the kit to deploy a stager binary named PlasmaLoader, which can pull sensitive data out of applications such as cryptocurrency wallets.
The practical response for iPhone users is to install iOS updates promptly (every version affected by Coruna is older than the current release) and to enable Lockdown Mode, which cuts down the attack surface that browser-delivered chains of this kind rely on.
