Coruna
Coruna is a sophisticated iOS exploit kit / exploitation framework targeting Apple iPhones and iPads running iOS 13.0 through 17.2.1. Public reporting describes five full exploit chains spanning 23 vulnerabilities, delivered through the web via malicious or compromised websites, including watering-hole attacks. Researchers state the framework was first observed in targeted attacks by a customer of an unnamed surveillance vendor, and was later used in watering-hole attacks in Ukraine and in financially motivated campaigns in China. Multiple reports also attribute use to the suspected Russian espionage actor UNC6353 and the Chinese financially motivated actor UNC6691, and describe broader proliferation to other actors.
Coruna is modular. The attack chain begins with a Safari-based stager that fingerprints the browser and selects exploits for the detected browser version. Downloaded components arrive as encrypted, compressed containers (ChaCha20 decryption followed by LZMA decompression) carrying package identifiers that target a specific architecture and firmware; the kit also contains kernel exploits, Mach-O loaders, a launcher module, and an implant. Researchers observed package selection by device architecture, processor generation, and iOS version, and identified components including an implant, loader, launcher configuration, launcher module, kernel exploits, log-cleaning utility, and RPC stager. The launcher reuses kernel objects created by the exploit to read and write kernel memory, cleans exploit artifacts, injects a stager into a target process, establishes persistence, and activates the implant.
The framework exploits previously patched vulnerabilities including CVE-2023-32434 and CVE-2023-38606. Kaspersky reported that Coruna's kernel exploit for those CVEs is an updated version of the exploit used in Operation Triangulation, and that Coruna contains four additional kernel exploits not present in that campaign, indicating continued evolution of a single exploit codebase. Additional reporting names exploit chains jacurutu, terrorbird, cassowary, seedbell variants, and VariantB, and states that the web-exploitation stage uses WebKit vulnerabilities including CVE-2024-23222, CVE-2023-43000, and CVE-2022-48503 depending on iOS version, followed by PAC-bypass and ASLR-defeat stages and kernel privilege escalation including CVE-2023-41974.
Coruna has been associated with delivery of the PLASMAGRID implant. Reported post-exploitation behavior includes masquerading as com.apple.assistd, injection into processes such as powerd, locationd, imagent, and SpringBoard, and theft of sensitive data including cryptocurrency wallet seed phrases from multiple apps. One cited researcher also states that Coruna could support command-and-control over SMS. Observed infrastructure and indicators include watering-hole domains such as utaq[.]cfww[.]shop/gooll/gooll.html, b27[.]icu, and iphonex[.]mjdqw[.]cn; DGA-style .xyz domains including aidm8it5hf1jmtj[.]xyz, uawwydy3qas6ykv[.]xyz, 8fn4957c5g986jp[.]xyz, vvri8ocl4t3k8n6[.]xyz, and rlau616jc7a7f7i[.]xyz; beacon / sync infrastructure at l1ewsu3yjkqeroy[.]xyz; the on-device artifact /private/var/mobile/Library/Preferences/com.apple.photolibraryd.plist; the launchd error reference com.plasma.springboard.ipc; and the HTTP request headers sdkv and x-ts.
Reporting consistently characterizes Coruna as spyware-grade or government-grade tooling that later proliferated beyond its original operators. Several cited reports describe possible links to U.S.-origin development and to L3Harris Trenchant, but those attribution claims are reported allegations rather than established fact. High-confidence reporting supports that Coruna has been used by both espionage and financially motivated actors, targets older unpatched Apple mobile devices through web-based exploitation, and is linked by code similarity to the Operation Triangulation exploitation framework.
Vulnerabilities exploited
13 CVEs correlated with this family across public research and vendor advisories.
That domain redirects to the watering hole at utaq[.]cfww[.]shop/gooll/gooll.html, which embeds the Coruna exploit kit delivery framework analyzed in this report.
...analysis of which revealed the internal exploit names and the framework's own name, Coruna... The research found that the framework exploits a number of previously patched vulnerabilities, including CVE-2023-32434 and CVE-2023-38606.
Coruna is one of those kits. Twenty-three exploits. Five full exploit chains. Coverage from iOS 13.0 through 17.2.1.
Last week, the iPhone maker also expanded patches for four security flaws (CVE-2023-43010, CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222) that were weaponized as part of the Coruna exploit kit.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.
"The toolkit, dubbed Coruna, contains multiple exploits capable of surreptitiously compromising Apple devices running older versions of iOS."
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
It immediately begins beaconing the victim's public IP address, iOS version string, and a campaign tracking code to a C2 server.
Initial Access
4 techniques
The kit was later used by other attackers in watering-hole attacks in Ukraine, as well as in financially motivated campaigns in China.
The content references multiple web URLs 'delivering Coruna exploit kit'.
The art-template npm package... was handed over to an unknown actor... The new controller almost immediately began weaponizing the package... pkg:npm/art-template@4.13.5 and pkg:npm/art-template@4.13.6 both append a browser-side remote-script loader
Clicking a malicious link or visiting a compromised website on an unpatched device could result in data being stolen.
Execution
2 techniques
globalThis.obChTK = new Function(atob("..."))(); ... e[M] = new Function(N)(); ... All of the following are fetched as JavaScript from utaq[.]cfww[.]shop and eval'd via new Function()
Safari: exploitation begins with a stager that fingerprints the browser, then selects and launches the matching remote code execution (RCE) and pointer authentication (PAC) bypass exploits for the browser version.
Privilege Escalation
2 techniques
The launcher module cleans up exploit artifacts, extracts the name of the process to inject into from a configuration file with magic number 0xDEADD00F, injects the stager into the target process, uses it to launch itself, and then activates the implant.
During our analysis, we found that the exploit for the kernel vulnerabilities CVE-2023-32434 and CVE-2023-38606 included in Coruna is in fact an updated version of the very same exploit that was used in Operation Triangulation.
Stealth
7 techniques
Three distinct obfuscation layers are applied... UTF-16 Integer Packer... new Function(atob("..."))() Eval Chain... Per-String XOR Encoding... Integer Constant Obfuscation
The launcher module cleans up exploit artifacts, extracts the name of the process to inject into from a configuration file with magic number 0xDEADD00F, injects the stager into the target process, uses it to launch itself, and then activates the implant.
First, the downloaded file is decrypted with the ChaCha20 stream cipher. The result is a container with magic number 0xBEDF00D containing LZMA-compressed data.
Probe 1 — navigator.webdriver Rejection... unconditional block against all Selenium, Playwright, and Puppeteer-controlled browsers... MathML Color Rendering... IndexedDB Blob Write
explicitly and intentionally rejecting every other browser, OS, and iOS version outside that range... it runs five layers of anti-bot and anti-automation fingerprinting... CPU architecture discrimination
The launcher handles post-exploitation tasks. Instead of re-running the exploit, it reuses existing kernel access created earlier to read and write memory. It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware.
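A static way to peel the new Function(atob("...")) layers quoted above, as an added example that is not the stager's code or any published deobfuscator: it decodes each base64 literal without executing anything and collects the globalThis names each layer assigns. The three-layer sample is constructed for the example; the UTF-16 integer packing and per-string XOR layers are not decoded, because their exact encoding is not given on this page.

```python
import base64
import re

# Shape of the wrapper quoted on this page: new Function(atob("<base64>"))().
# Single-quoted literals are accepted too. The other layers the writeup names
# (UTF-16 integer packing, per-string XOR) are not decoded here.
NEW_FUNCTION_ATOB = re.compile(
    r"""new\s+Function\s*\(\s*atob\s*\(\s*(['"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)"""
)
# `globalThis.name =` but not `globalThis.name ==`
GLOBAL_ASSIGN = re.compile(r"globalThis\.([A-Za-z_$][\w$]*)\s*=(?!=)")


def peel_eval_chain(src, max_depth=32):
    """Decode successive new Function(atob(...)) layers without executing any.

    Returns the decoded layers in order, outermost first, stopping when a
    layer has no further wrapper, the base64 is invalid, or max_depth is hit.
    """
    layers = []
    current = src
    while len(layers) < max_depth:
        m = NEW_FUNCTION_ATOB.search(current)
        if not m:
            break
        try:
            raw = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            break
        current = raw.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def assigned_globals(src):
    """Names parked on globalThis (e.g. obChTK) across the source and every layer."""
    names = set()
    for layer in [src, *peel_eval_chain(src)]:
        names.update(GLOBAL_ASSIGN.findall(layer))
    return names


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed three-layer sample mirroring the quoted pattern; not kit code.
INNER = "globalThis.stageTwo = 7 * 6; return globalThis.stageTwo;"
MIDDLE = f'return new Function(atob("{_b64(INNER)}"))();'
SAMPLE = f'globalThis.obChTK = new Function(atob("{_b64(MIDDLE)}"))();'

if __name__ == "__main__":
    for depth, layer in enumerate(peel_eval_chain(SAMPLE), 1):
        print(f"layer {depth}: {layer}")
    print("globals assigned:", sorted(assigned_globals(SAMPLE)))
```

Static peeling only works while each layer embeds the next as a literal; once a layer builds its source at runtime (the `e[M] = new Function(N)()` form, where N is computed), the remaining layers have to be recovered dynamically, for example by hooking the Function constructor in an instrumented browser and logging its argument before it runs.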
Discovery
3 techniques
Safari: exploitation begins with a stager that fingerprints the browser, then selects and launches the matching exploits...
Collection
1 technique
They infect devices when the user simply visits a compromised legitimate site... and silently exfiltrate messages, calls, location, browser history, Wi-Fi passwords, health data, notes and crypto wallets.
Command and Control
2 techniques
Upon load it immediately begins beaconing the victim's public IP address, iOS version string, and a campaign tracking code to a C2 server... every 10 seconds
After initialization it downloads a file with information about the other available components... The exploit kit uses this format to obtain URLs and decryption keys for the additional downloadable components.
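The container handling described in the summary and in the snippets above (ChaCha20 decryption, then a container with magic 0xBEDF00D wrapping LZMA data), as an added example that is not taken from Coruna or from the cited analyses. The magic value comes from the report; the header layout (little-endian magic plus decompressed length), the single .lzma stream, the RFC 8439 ChaCha20 variant with a 12-byte nonce and initial counter 1, and the key and nonce handed in by the caller are assumptions made so the code runs stand-alone. The real loader's layout and how it obtains keys are not documented on this page.

```python
import lzma
import struct

# 0xBEDF00D is the container magic Kaspersky reports. The rest of the layout
# (little-endian magic, decompressed-length field, one .lzma stream, caller-
# supplied ChaCha20 key and nonce) is an assumption made for this example.
CONTAINER_MAGIC = 0xBEDF00D
HEADER = struct.Struct("<II")  # magic, decompressed length
MASK32 = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439: 32-byte key, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    work = state[:]
    for _ in range(10):  # 20 rounds: 10 column + 10 diagonal
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(work, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Stream-cipher XOR; encryption and decryption are the same operation."""
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        for i, byte in enumerate(data[off:off + 64]):
            out[off + i] = byte ^ ks[i]
    return bytes(out)


def pack_container(key, nonce, payload):
    """Build a container in the assumed layout (used here to produce test input)."""
    body = HEADER.pack(CONTAINER_MAGIC, len(payload))
    body += lzma.compress(payload, format=lzma.FORMAT_ALONE)
    return chacha20_xor(key, nonce, body)


def unpack_container(key, nonce, blob):
    """Decrypt, check the magic, inflate; raise ValueError on wrong key or damage."""
    body = chacha20_xor(key, nonce, blob)
    if len(body) < HEADER.size:
        raise ValueError("blob too short to be a container")
    magic, length = HEADER.unpack_from(body)
    if magic != CONTAINER_MAGIC:
        # A wrong key or nonce turns the header into noise, so check this first.
        raise ValueError(f"bad magic 0x{magic:08X}, expected 0x{CONTAINER_MAGIC:08X}")
    try:
        payload = lzma.decompress(body[HEADER.size:], format=lzma.FORMAT_ALONE)
    except lzma.LZMAError as exc:
        raise ValueError(f"LZMA stream corrupt: {exc}") from exc
    if len(payload) != length:
        raise ValueError("decompressed length does not match header")
    return payload


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    nonce = bytes(12)       # constructed demo nonce
    blob = pack_container(key, nonce, b"implant placeholder " * 50)
    print(len(blob), unpack_container(key, nonce, blob)[:20])
```

When triaging a real sample, the magic check is the fast way to confirm a candidate key and nonce recovered from the component manifest: with the wrong pair the first four decrypted bytes are random and the LZMA step is never reached.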
Exfiltration
1 technique
They infect devices when the user simply visits a compromised legitimate site, use a chain of vulnerabilities to escape the browser sandbox, and silently exfiltrate messages, calls, location, browser history, Wi-Fi passwords, health data, notes and crypto wallets.
Impact
1 technique
Coruna is devastating... "It could do command-and-control (C2) over SMS, so all you have to do is make one modification to take contacts from the contacts list and blast out text messages with links, and you've got yourself wormable malware,"
IOCs tracked for this family
244 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
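A hunt over proxy logs for the indicator shapes listed on this page (fifteen-character alphanumeric .xyz hosts, the sdkv and x-ts request headers, and a roughly 10-second beacon cadence), as an added example and not a vendor detection rule. The log format, the sample lines, and the beacon tolerance are constructed assumptions; the page itself only gives the domains, the header names, and the "every 10 seconds" interval.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicator shapes from this page: fifteen lowercase alphanumerics under .xyz
# (all five listed DGA-style domains fit) and the sdkv / x-ts request headers.
# The log format, the sample lines and the beacon tolerance are constructed
# for this example; the report only says the stager beacons "every 10 seconds".
DGA_XYZ = re.compile(r"^[a-z0-9]{15}\.xyz$")
SUSPECT_HEADERS = {"sdkv", "x-ts"}
BEACON_PERIOD_S = 10.0
BEACON_TOLERANCE_S = 1.0

# Constructed proxy-log line: <iso8601> <client> <host> <path> hdrs=<comma list>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) hdrs=(?P<hdrs>\S*)$"
)

SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 aidm8it5hf1jmtj.xyz /s hdrs=sdkv,x-ts,user-agent
2024-05-01T10:00:10Z 10.0.0.5 aidm8it5hf1jmtj.xyz /s hdrs=sdkv,x-ts,user-agent
2024-05-01T10:00:20Z 10.0.0.5 aidm8it5hf1jmtj.xyz /s hdrs=sdkv,x-ts,user-agent
2024-05-01T10:00:30Z 10.0.0.5 aidm8it5hf1jmtj.xyz /s hdrs=sdkv,x-ts,user-agent
2024-05-01T10:00:03Z 10.0.0.7 example.com /index.html hdrs=user-agent,accept
2024-05-01T10:00:41Z 10.0.0.7 example.com /img/logo.png hdrs=user-agent,accept
2024-05-01T10:01:00Z 10.0.0.9 cdn.example.org /a.js hdrs=x-ts,user-agent
"""


def parse_log(text):
    """Yield (timestamp, client, host, path, header-name set); skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hdrs = {h for h in m["hdrs"].lower().split(",") if h}
        yield ts, m["client"], m["host"].lower(), m["path"], hdrs


def beacon_like(timestamps):
    """True for three or more requests spaced at a steady ~10 s interval."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    steady = max(gaps) - min(gaps) <= 2 * BEACON_TOLERANCE_S
    return steady and abs(statistics.median(gaps) - BEACON_PERIOD_S) <= BEACON_TOLERANCE_S


def hunt(log_text):
    """Map (client, host) to a sorted list of reasons for every flow that matched."""
    stamps = defaultdict(list)
    reasons = defaultdict(set)
    for ts, client, host, _path, hdrs in parse_log(log_text):
        key = (client, host)
        stamps[key].append(ts)
        if DGA_XYZ.match(host):
            reasons[key].add("dga-style .xyz host")
        hit = SUSPECT_HEADERS & hdrs
        if hit:
            reasons[key].add("suspect header: " + ",".join(sorted(hit)))
    for key, ts_list in stamps.items():
        if beacon_like(ts_list):
            reasons[key].add("~10s beacon cadence")
    return {key: sorted(why) for key, why in reasons.items()}


if __name__ == "__main__":
    for (client, host), why in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {'; '.join(why)}")
```

Treat a lone x-ts header as a lead rather than a verdict; the flow to cdn.example.org above is flagged on that header alone, and a name that generic will appear in unrelated traffic. The combination of the DGA-style host, the header pair and the steady cadence is what separates the 10.0.0.5 flow from noise.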
Recent activity
63 sources tracked across advisories, community write-ups, and news.
An iOS exploit kit delivery framework used in a watering-hole campaign delivered via a compromised npm package. It fingerprints Safari/WebKit on iOS, performs anti-bot checks, beacons device data to C2, selects version-specific payload modules, and appears to stage browser exploits for iOS 11.0 through 17.2 while rejecting 17.3+ and non-target platforms.
Recently leaked exploit kit referenced as part of public exploit chains against modern iOS.
A previously discovered iOS exploit kit referenced as a comparable precursor to DarkSword and previously used by UNC6353.
An iOS spyware exploit chain delivered via compromised legitimate websites that escapes the browser sandbox and silently exfiltrates messages, calls, location, browser history, Wi-Fi passwords, health data, notes and crypto wallets.