

Ethical Hacking News

Coruna iOS Exploit Kit: A Comprehensive Analysis of the Latest Threat to iPhone Users


Google has uncovered a powerful new iOS exploit kit called Coruna that targets Apple iPhones running iOS 13 through 17.2.1, but not the latest iOS release. The Coruna Exploit Kit includes five full exploit chains and 23 exploits, making it one of the most comprehensive and sophisticated iOS exploit kits ever discovered.

  • The Coruna iOS Exploit Kit targets Apple iPhones running iOS 13 through 17.2.1.
  • The exploit kit includes five full exploit chains and 23 exploits, making it one of the most comprehensive and sophisticated iOS exploit kits ever discovered.
  • The framework links its components through shared utilities and custom loaders, and is designed to avoid devices in Lockdown Mode or private browsing.
  • The payload is designed to evade detection by traditional antivirus software and sandbox escape techniques, allowing it to execute with elevated privileges.
  • The exploit kit can inject a financially focused payload into root daemons on compromised devices, analyzing text for BIP39 word sequences or specific keywords.
  • The Coruna Exploit Kit demonstrates an advanced ability to collect and run additional modules remotely, with configuration retrieved from a command-and-control server.



    Google has recently uncovered a powerful and highly engineered exploit kit specifically designed to target iPhones running iOS 13 through 17.2.1. The exploit kit, known as Coruna (also referred to as CryptoWaters), poses a significant threat to the security of Apple devices, highlighting the ongoing cat-and-mouse game between hackers and cybersecurity experts.

    The Coruna exploit kit was identified by Google's Threat Intelligence Group (GTIG) in February 2025, which initially captured parts of an iOS exploit chain used by a customer of a surveillance company. This discovery marked the beginning of a comprehensive investigation into the threat posed by the Coruna exploit kit. GTIG's findings revealed that the kit includes five full exploit chains and a total of 23 exploits, making it one of the most comprehensive and sophisticated iOS exploit kits ever discovered.

    At the heart of the Coruna exploit kit lies a highly engineered framework that links all components through shared utilities and custom loaders. This framework is designed to avoid devices in Lockdown Mode or private browsing, deriving resource URLs from a hard-coded cookie. The kit also delivers WebKit RCE (Remote Code Execution) exploits and PAC (Pointer Authentication Code) bypasses in clear form.

    After exploitation, the Coruna exploit kit deploys an encrypted, compressed payload disguised as .min.js files, tailored to specific chips and iOS versions. This payload is designed to evade detection by traditional antivirus software and sandbox escape techniques, allowing it to execute with elevated privileges on compromised devices.

    The Coruna exploit kit relies on a range of sophisticated exploits, including Photon, Gallium, Seedbell, Breezy15, and NeuronLoader, among others. These include bypasses of various mitigations that prevent allocation of RWX memory pages in userland, as well as kernel-mode PAC bypasses.

    One of the most notable features of the Coruna exploit kit is its ability to inject a financially focused payload into root daemons on compromised devices. This payload can decode QR codes from images on disk and analyze blobs of text to look for BIP39 word sequences or specific keywords like "backup phrase" or "bank account." If such text is found in Apple Memos, the payload will send it back to a command-and-control server.

    The Coruna exploit kit also demonstrates an advanced ability to collect and run additional modules remotely, with configuration retrieved from /details/show.html. This allows the attackers to adapt their attacks based on the capabilities of the compromised device.

    In summary, the Coruna iOS Exploit Kit represents a significant threat to iPhone users due to its comprehensive collection of exploits, sophisticated framework, and ability to evade detection by traditional security software.
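
    For defenders, the affected range stated above (iOS 13 through 17.2.1) can be turned into a fleet exposure check. The following is an added example, not code from Google or from this article; the CSV column names and device ids are hypothetical and the sample inventory is constructed.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13 through 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
_VERSION_RE = re.compile(r"^\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$", re.I)

def parse_ios_version(text):
    """Return (major, minor, patch), or None if text is not a version string."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())

def in_affected_range(version):
    # Tuples compare numerically per component, so 17.10 sorts after 17.2.1;
    # a plain string comparison would wrongly place it inside the range.
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def triage_inventory(csv_text):
    """Sort device ids into affected, not_affected and unknown buckets."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_ios_version(row.get("os_version"))
        if version is None:
            bucket = "unknown"  # unparseable rows need manual follow-up
        elif in_affected_range(version):
            bucket = "affected"
        else:
            bucket = "not_affected"
        result[bucket].append(row["device_id"])
    return result

# Constructed sample export; device ids and column names are hypothetical.
SAMPLE_INVENTORY = """device_id,model,os_version
ph-001,iPhone 11,13.0
ph-002,iPhone 14,17.2.1
ph-003,iPhone 14,17.3
ph-004,iPhone 15,iOS 17.10
ph-005,iPhone 8,12.5.7
ph-006,iPhone 12,unknown
"""

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

    Devices in the "unknown" bucket should be treated as unverified rather than safe until their version is confirmed.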




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Coruna-iOS-Exploit-Kit-A-Comprehensive-Analysis-of-the-Latest-Threat-to-iPhone-Users-ehn.shtml

  • https://securityaffairs.com/188928/security/google-uncovers-coruna-ios-exploit-kit-targeting-ios-13-17-2-1.html


  • Published: Thu Mar 5 03:54:31 2026 by llama3.2 3B Q4_K_M












