Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
March 3, 2026
Google Threat Intelligence Group

Introduction

Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named "Coruna" by its developers, contains five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, the most advanced of which use non-public exploitation techniques and mitigation bypasses.

The Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. How this proliferation occurred is unclear, but it suggests an active market for "second hand" zero-day exploits. Beyond the identified exploits themselves, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and adapted to newly identified vulnerabilities.

Following our disclosure policy, we are sharing our research to raise awareness and advance security across the industry. We have also added all identified websites and domains to Safe Browsing to safeguard users from further exploitation.
The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.

Discovery Timeline

Figure 1: Coruna iOS exploit kit timeline

Initial Discovery: The Commercial Surveillance Vendor Role

In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques:

    [16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x => {return String.fromCharCode(x ^ 101);}).join("")
    i.p1=(1111970405 ^ 1111966034);

The JavaScript framework used these constructs to encode strings and integers (the two lines above decode to the string "use strict" and the integer 0x1337, respectively).

The framework starts a fingerprinting module that collects a variety of data points to determine whether the device is real and which specific iPhone model and iOS software version it is running. Based on the collected data, it loads the appropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass, as seen in Figure 2 from the deobfuscated JavaScript.

Figure 2: Deobfuscated JavaScript of the Coruna exploit kit

At that time, we recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in iOS 17.3 without crediting any external researchers. Figure 3 shows the beginning of the RCE exploit exactly as it was delivered in the wild, with our annotations.
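As an added example (this is not GTIG's tooling or code from the kit itself), the following Node.js script undoes the two obfuscation constructs quoted above. It generalizes slightly beyond the quoted lines: it accepts any XOR key and any pair of integer literals, since the emitter is free to pick different constants per string. The two regular expressions are assumptions that match only the two shapes shown in the article; the sample input is constructed from the quoted lines.

```javascript
// Added example: deobfuscation pass for the two constructs GTIG quotes from the
// Coruna JavaScript framework. Not the kit's own code.
//
// Assumptions (labelled): the regexes below only recognise
//   [n, n, ...].map(v => {return String.fromCharCode(v ^ KEY);}).join("")
//   (A ^ B)
// as shown in the article; a real sample may carry other encodings.

// Decode one string-array construct: XOR every element with the key.
function decodeXorArray(nums, key) {
  return nums.map((n) => String.fromCharCode(n ^ key)).join("");
}

// Decode one integer construct. JavaScript's ^ is a 32-bit signed operation,
// so normalise with >>> 0 to get the unsigned constant the kit intended.
function decodeXorInt(a, b) {
  return (a ^ b) >>> 0;
}

// Group 1: the number list, group 2: the lambda parameter (backreferenced so a
// stray unrelated map() is not rewritten), group 3: the XOR key.
const STRING_RE =
  /\[\s*((?:\d+\s*,\s*)*\d+)\s*\]\.map\(\s*(\w+)\s*=>\s*\{\s*return\s+String\.fromCharCode\(\s*\2\s*\^\s*(\d+)\s*\)\s*;?\s*\}\s*\)\.join\(\s*""\s*\)/g;
const INT_RE = /\(\s*(\d+)\s*\^\s*(\d+)\s*\)/g;

// Rewrite every recognised construct in `src` to its literal value and return
// both the rewritten source and a log of what was recovered, so an analyst can
// review each substitution rather than trusting the rewrite blindly.
function deobfuscate(src) {
  const recovered = { strings: [], ints: [] };
  let out = src.replace(STRING_RE, (_m, list, _param, key) => {
    const nums = list.split(",").map((s) => parseInt(s.trim(), 10));
    const s = decodeXorArray(nums, parseInt(key, 10));
    recovered.strings.push(s);
    return JSON.stringify(s);
  });
  out = out.replace(INT_RE, (_m, a, b) => {
    const v = decodeXorInt(parseInt(a, 10), parseInt(b, 10));
    recovered.ints.push(v);
    return String(v);
  });
  return { out, recovered };
}

// Constructed sample: the two lines quoted in the article, verbatim.
const SAMPLE = `[16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x => {return String.fromCharCode(x ^ 101);}).join("")
i.p1=(1111970405 ^ 1111966034);`;

const RESULT = deobfuscate(SAMPLE);
console.log(RESULT.out);
console.log(RESULT.recovered);
```

Run with `node deobf.js`; the rewritten source is what you would feed into a beautifier before reading the fingerprinting logic. The integer recovery is the step that matters for triage, because constants such as 0x1337 and the version thresholds in the fingerprinter are what you pivot on when comparing samples from different campaigns.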
Figure 3: How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild

Government-Backed Attacker Usage

In summer 2025, we noticed the same JavaScript framework hosted on cdn.uacounter[.]com, a website loaded as a hidden iframe on many compromised Ukrainian websites, ranging from industrial equipment and retail tools to local services and e-commerce websites. The framework was only delivered to selected iPhone users from a specific geolocation. The framework was identical and delivered the same set of exploits. We collected WebKit RCEs, which included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, before the server was shut down. We alerted and worked with CERT-UA to clean up all compromised websites.

Full Exploit Chain Collection From Chinese Scam Websites

At the end of the year, we identified the JavaScript framework on a very large set of fake Chinese websites, mostly related to finance, dropping the exact same iOS exploit kit. The websites tried to convince users to visit them with iOS devices, as seen in Figure 4, taken from a fake WEEX crypto exchange website.

Figure 4: Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits

Upon accessing these websites via an iOS device, and regardless of geolocation, a hidden iframe is injected, delivering the exploit kit. As an example, Figure 5 shows the same CVE-2024-23222 exploit as it was found on 3v5w1km5gv[.]xyz.

Figure 5: Screenshot of CVE-2024-23222 exploit recovered from a scam site

We retrieved all the obfuscated exploits, including the final payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving all of the exploits in the clear, including their internal code names. That is when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering five full iOS exploit chains.
The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). In the subsequent sections, we provide a quick description of the framework, a breakdown of the exploit chains, and the associated implants we have captured. Our analysis of the collected data is ongoing, and we anticipate publishing additional technical details via new blog entries or root cause analyses (RCAs).

The Coruna Exploit Kit

The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined using common utility and exploitation frameworks. The kit performs the following unique actions:

- Bails out if the device is in Lockdown Mode or the user is in private browsing.
- Uses a unique, hard-coded cookie along the way to generate resource URLs. Resources are referred to by a hash, which must be derived from the unique cookie as sha256(COOKIE + ID)[:40] to obtain their URL.
- Delivers the RCE and PAC bypasses unencrypted.
- Contains a binary loader to load the appropriate exploit chain post-RCE within WebKit. In this case, the binary payloads:
  - Have unique metadata indicating what they really are and which chips and iOS versions they support.
  - Are served from URLs that end with .min.js.
  - Are encrypted using ChaCha20 with a unique key per blob.
  - Are packaged in a custom file format starting with 0xf00dbeef as header.
  - Are compressed with the Lempel-Ziv-Welch (LZW) algorithm.

Figure 6 shows what an infection of an iPhone XR running iOS 15.8.5 looks like from a networking point of view, with our annotation of the different parts, when browsing one of these fake financial websites.

Figure 6: Coruna exploit chain delivered on iOS 15.8.5

The Exploits and Their Code Names

The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits.
The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones use non-public exploitation techniques and mitigation bypasses. The following table summarizes our ongoing analysis of the various exploit chains; as the full investigation is still in progress, certain CVE associations may be subject to revision. There are in total 23 exploits covering versions from iOS 13 to iOS 17.2.1. In the table, PE denotes a kernel privilege escalation and PPL the Page Protection Layer.

| Type | Codename | Targeted versions (inclusive) | Fixed version | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 - 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 - 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 - 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 - 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 - 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 - 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 - 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 - 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 - 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 - 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 - 16.3.1, 16.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 - 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.x | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.x | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 - 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 - 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 - 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 - 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL bypass | Quark | 13.x | 14.5 | No CVE |
| PPL bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL bypass | Carbone | 15.0 - 16.7.6 | 17.0 | No CVE |
| PPL bypass | Sparrow | 17.0 - 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL bypass | Rocket | 17.1 - 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |

Table 1: Mapping of CVEs to code names

Photon and Gallium exploit vulnerabilities that were also used as zero-days in Operation Triangulation, discovered by Kaspersky in 2023.
The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities. For example, a module called rwx_allocator uses multiple techniques to bypass the various mitigations that prevent allocation of RWX memory pages in userland. The kernel exploits likewise embed internal modules that allow them to bypass kernel-based mitigations such as kernel-mode PAC.

The Ending Payload

At the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates