Ethical Hacking News
Google's Threat Intelligence Group (GTIG) has identified a new exploit kit, dubbed Coruna (aka CryptoWaters), that targets Apple iPhone models running iOS versions from 13.0 through 17.2.1. Coruna bundles five full iOS exploit chains built from a total of 23 exploits, making it one of the clearest examples to date of spyware-grade capability proliferating from commercial surveillance vendors to nation-state actors and, ultimately, to mass-scale criminal operations.
According to GTIG, the core technical value of the kit lies in its comprehensive collection of iOS exploits; the most advanced of them rely on non-public exploitation techniques and mitigation bypasses. The framework around the exploits is also well engineered: the individual exploit stages are chained together through shared utility and exploitation code rather than bolted on one by one. That combination of exploit quality and framework quality makes it harder for researchers to analyze and to map the full scope of what Coruna can do.
Coruna has been circulating among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker and, by December, to a financially motivated threat actor operating from China. The exact chain of hand-offs is not entirely clear, but it shows an active secondary market for exploit chains that other actors can reuse for their own objectives. One caveat for defenders: every iOS build the kit targets (13.0 through 17.2.1) had been superseded by the time the kit was observed, since iOS 17.3 shipped in January 2024, so against an up-to-date device it functions as an n-day kit, not a zero-day one; the danger is concentrated in devices that have not been updated.
Researchers have identified several variants of the Coruna exploit kit, including Neutron, Dynamo, buffout, jacurutu, IronLoader, Photon, Gallium, Parallax, terrorbird, cassowary, Sparrow, Rocket, and several others. Each variant targets a different iOS version band and exploits a different set of vulnerabilities, for example CVE-2020-27932 (iOS 13.x), CVE-2020-27950 (iOS 13.x), CVE-2021-30952 (iOS 13 through 15.1.1), CVE-2022-48503 (iOS 15.2 through 15.5), and so on.
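Because the kit selects its chain by iOS version, the first practical question for a fleet owner is which managed devices fall inside the targeted range and which of the version bands listed above they match. The script below is an added example, not code from the article or from GTIG: it parses an MDM-style inventory export (the CSV is constructed sample data) and classifies each device against the overall 13.0 to 17.2.1 range and the four CVE bands the article names. The column names and the "13.x" wildcard handling are assumptions for illustration, and the CVE table covers only the CVEs the article lists, not all 23 exploits.

```python
"""Triage an MDM inventory export against the iOS range Coruna targets.

Added example (not from the article or from GTIG). The version ranges are
copied from the article text; the inventory CSV is constructed sample data.
"""
import csv
import io

INF = float("inf")

# Overall range the article gives for the kit, inclusive on both ends.
KIT_LOW, KIT_HIGH = "13.0", "17.2.1"

# CVE -> (low, high) as printed in the article. "13.x" means any 13.* build.
# Only the four CVEs the article names are listed; the kit has 23 exploits.
CVE_RANGES = {
    "CVE-2020-27932": ("13.x", "13.x"),
    "CVE-2020-27950": ("13.x", "13.x"),
    "CVE-2021-30952": ("13", "15.1.1"),
    "CVE-2022-48503": ("15.2", "15.5"),
}


def parse_version(text):
    """'17.2.1' -> (17, 2, 1). Raises ValueError for anything but dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_bound(text, upper):
    """Range bound. '13.x' becomes (13,) as a lower bound and (13, inf) as an
    upper bound, so every 13.* build compares inside it; tuple comparison
    treats (13,) <= (13, 0) and (13, 7) <= (13, inf) as true."""
    if text.endswith(".x"):
        major = int(text[:-2])
        return (major, INF) if upper else (major,)
    return parse_version(text)


def in_range(version, low, high):
    """Inclusive check of a parsed version tuple against string bounds."""
    return parse_bound(low, upper=False) <= version <= parse_bound(high, upper=True)


def classify(os_version):
    """Return (status, cves): status is 'affected', 'not-affected' or 'unknown'.
    A device inside the kit's range but outside every listed CVE band is still
    'affected' with an empty cves list, because the article does not enumerate
    every chain (17.2.1 is the clearest example)."""
    try:
        v = parse_version(os_version)
    except ValueError:
        return "unknown", []          # missing or malformed version: verify by hand
    if not in_range(v, KIT_LOW, KIT_HIGH):
        return "not-affected", []
    cves = [cve for cve, (lo, hi) in CVE_RANGES.items() if in_range(v, lo, hi)]
    return "affected", cves


def triage(inventory_csv):
    """Parse an MDM export (assumed columns: device_id, model, os_version)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status, cves = classify(rec["os_version"])
        rows.append({"device_id": rec["device_id"], "model": rec["model"],
                     "os_version": rec["os_version"], "status": status, "cves": cves})
    return rows


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = """device_id,model,os_version
A1,iPhone 8,13.7
A2,iPhone 11,15.1.1
A3,iPhone 12,15.2
A4,iPhone 13,17.2.1
A5,iPhone 15,17.3
A6,iPhone X,12.5.7
A7,iPhone 14,not-reported
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        detail = ", ".join(row["cves"])
        if row["status"] == "affected" and not detail:
            detail = "(chain not enumerated in article)"
        print(f"{row['device_id']:>3} {row['os_version']:<13} {row['status']:<13} {detail}")
```

Two points worth carrying into a real run: a bare major in a lower bound ("13") admits every build of that major because a shorter tuple sorts before a longer one with the same prefix, and devices whose version cannot be parsed are reported as unknown rather than silently dropped, since an MDM gap is exactly where an unpatched device hides.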
One of the more notable behaviours is that Coruna skips execution on devices in Lockdown Mode, and also when the browser is in private browsing. In practice that means a device with Lockdown Mode enabled is not attacked by this kit at all, which is a strong argument for turning it on for high-risk users. Two caveats apply. First, the skip is the operator's choice (most likely to avoid burning exploits or tripping detection on hardened or short-lived sessions), not a technical limitation, so it should not be treated as a guarantee against a future variant. Second, private browsing is not a security control; the fact that the kit avoids it says nothing about the session's safety. The durable defence is the one security teams already recommend: keep devices on the current iOS release, and enable Lockdown Mode where the user's threat model justifies it.
The Coruna exploit kit has also been linked to a Russian espionage group named UNC6353, which is suspected of being behind the campaign. Additionally, another threat cluster tracked as UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server.
According to the reporting, Coruna is the first observed case of mass exploitation against iOS devices, a sign that spyware-grade capability is shifting from highly targeted use toward broad deployment. For defenders the lesson is concrete: the kit only works against out-of-date iOS builds, so patch currency on mobile devices is now a first-line control rather than a hygiene item.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Coruna-iOS-Exploit-Kit-A-Sophisticated-Threat-to-iPhone-Users-ehn.shtml
https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
https://www.pcmag.com/news/this-ios-exploit-kit-can-hack-vulnerable-iphones-using-23-different-attacks
https://nvd.nist.gov/vuln/detail/CVE-2020-27932
https://www.cvedetails.com/cve/CVE-2020-27932/
https://nvd.nist.gov/vuln/detail/CVE-2020-27950
https://www.cvedetails.com/cve/CVE-2020-27950/
https://nvd.nist.gov/vuln/detail/CVE-2021-30952
https://www.cvedetails.com/cve/CVE-2021-30952/
https://nvd.nist.gov/vuln/detail/CVE-2022-48503
https://www.cvedetails.com/cve/CVE-2022-48503/
Published: Wed Mar 4 08:59:46 2026 by llama3.2 3B Q4_K_M