Mallory
Malware family, exploits 13 CVEs

CryptoWaters


EXPLOITED CVES

Vulnerabilities exploited

13 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2023-43010: Memory corruption in Apple WebKit via malicious web content. Exploited in the wild.

Evidence: "iVerify, which is tracking the malware framework that uses the exploit kit under the name CryptoWaters, said it has similarities to previous frameworks developed by threat actors affiliated with the U.S. government" | Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit. The vulnerability, tracked as CVE-2023-43010, relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content.

via The Hacker News (thehackernews.com)
CVE-2023-32434: Kernel privilege escalation via integer overflow in Apple iOS/watchOS/macOS

Evidence: the same The Hacker News quote as for CVE-2023-43010 above.

via The Hacker News (thehackernews.com)

CVE-2023-43000: WebKit use-after-free in Apple Safari, iOS, iPadOS, and macOS

Evidence: the same The Hacker News quote as for CVE-2023-43010 above.

via The Hacker News (thehackernews.com)

CVE-2024-23222: WebKit type confusion remote code execution

Evidence: the same The Hacker News quote as for CVE-2023-43010 above.

via The Hacker News (thehackernews.com)

CVE-2023-41974: Parallax kernel use-after-free in Apple iOS and iPadOS

Evidence: the same The Hacker News quote as for CVE-2023-43010 above.

via The Hacker News (thehackernews.com)

CVE-2023-38606: Apple kernel sensitive state modification / PPL bypass in iOS and macOS

Evidence: the same The Hacker News quote as for CVE-2023-43010 above.

via The Hacker News (thehackernews.com)
CVE-2020-27950: Kernel memory disclosure in Apple iOS/macOS/watchOS. Exploited in the wild.

Evidence (Security Affairs exploit table, columns Codename / CVE / Type): Dynamo / CVE-2020-27950 / PE (infoleak)

via Security Affairs (securityaffairs.com)

CVE-2024-23296: Apple RTKit kernel memory protection bypass. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): Rocket / CVE-2024-23296 / PPL Bypass

via Security Affairs (securityaffairs.com)

CVE-2020-27932: Neutron kernel type confusion privilege escalation in Apple iOS/macOS/watchOS. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): Neutron / CVE-2020-27932 / PE

via Security Affairs (securityaffairs.com)

CVE-2021-30952: Apple Multiple Products Integer Overflow or Wraparound Vulnerability. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): buffout / CVE-2021-30952 / WebContent R/W

via Security Affairs (securityaffairs.com)

CVE-2022-48503: Arbitrary code execution in Apple WebKit/JavaScriptCore web content processing. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): jacurutu / CVE-2022-48503 / WebContent R/W

via Security Affairs (securityaffairs.com)

CVE-2024-23225: Apple kernel memory protections bypass in iOS/iPadOS/macOS/tvOS/watchOS/visionOS. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): Sparrow / CVE-2024-23225 / PPL Bypass

via Security Affairs (securityaffairs.com)

CVE-2023-32409: Apple WebContent sandbox escape. Exploited in the wild.

Evidence (Security Affairs exploit table, Codename / CVE / Type): IronLoader / CVE-2023-32409 / WebContent sandbox escape

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

2 techniques
T1592 Gather Victim Host Information (evidence: 1)

The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running.

T1598 Phishing for Information (evidence: 1)

"Phase 1: target fingerprinting... checks the User-Agent... distinguishes iOS from macOS... IndexedDB Blob insertion test... WebAssembly memory oracle... iOS version extracted... exploit paths selected"

Initial Access

3 techniques
T1189 Drive-by Compromise (evidence: 6)

GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691

T1190 Exploit Public-Facing Application (evidence: 2)

The Coruna exploit kit, also called CryptoWaters, targets iOS 13.0 through 17.2.1 and includes 23 separate exploits and five exploit chains, affecting Web content, WebKit, and system protections like PAC and PPL.

T1195.002 Compromise Software Supply Chain (evidence: 1)

"Compromised third-party scripts... A supply chain compromise of any one of them... could have turned every site using that script into a Coruna delivery node... Ad networks... a single malicious creative served through a programmatic ad network"

Execution

3 techniques
T1059.007 JavaScript (evidence: 2)

It uses a custom JavaScript framework and loaders to deliver tailored exploits.

T1203 Exploitation for Client Execution (evidence: 4)

The Coruna exploit chain starts with a Safari-based stager that identifies the target device and selects suitable exploits based on browser version.

T1204 User Execution (evidence: 1)

"Many of these sites explicitly instruct users to visit from a mobile device for a 'better experience,' a social engineering nudge"

Privilege Escalation

3 techniques
T1055 Process Injection (evidence: 1)

"heap spraying with 16-element arrays... allocates 40 MB... fills JIT memory with predictable patterns using a JIT spray of repeated x += 1 statements"

T1068 Exploitation for Privilege Escalation (evidence: 6)

Researchers analyzed five kernel exploits in Coruna and found one is an updated version of the exploit used in Operation Triangulation.

T1611 Escape to Host (evidence: 1)

The exploit chain goes through six stages ... Escape the Safari browser sandbox ...

Defense Evasion

7 techniques
T1014 Rootkit (evidence: 1)

"Phase 3: defeating ASLR via dyld shared cache scanning... locates WebCore... reads __TEXT segment headers... determine their load addresses"

T1027 Obfuscated Files or Information (evidence: 4)

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."

T1055 Process Injection (evidence: 1)

"heap spraying with 16-element arrays... allocates 40 MB... fills JIT memory with predictable patterns using a JIT spray of repeated x += 1 statements"

T1070 Indicator Removal (evidence: 1)

It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The payload then decrypts and processes multiple layers of data using ChaCha20 and LZMA compression, revealing structured containers that store files and instructions.

T1497 Virtualization/Sandbox Evasion (evidence: 2)

"Anti-analysis checks... aborts if Lockdown Mode is detected... skips execution in private browsing... verifies a real WebKit rendering engine... checks for RTCPeerConnection... reports... 1003 means a sandbox was detected"

T1620 Reflective Code Loading (evidence: 2)

The launcher handles post-exploitation tasks. Instead of re-running the exploit, it reuses existing kernel access created earlier to read and write memory. It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware.

Discovery

2 techniques
T1082 System Information Discovery (evidence: 2)

“The framework uses fingerprinting to detect device type and iOS version, then loads the appropriate WebKit RCE exploit...”

T1497 Virtualization/Sandbox Evasion (evidence: 2)

"Anti-analysis checks... aborts if Lockdown Mode is detected... skips execution in private browsing... verifies a real WebKit rendering engine... checks for RTCPeerConnection... reports... 1003 means a sandbox was detected"
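The fingerprint-and-abort gating described under T1082 and T1497 above (and in the Reconnaissance entries), written out as an added Python example; this is not Mallory's, iVerify's or the kit's code. It parses the iOS version from the User-Agent, applies the iOS 13.0 through 17.2.1 window the page cites under Initial Access, takes the results of the in-page probes (Lockdown Mode, private browsing, rendering-engine and RTCPeerConnection checks) as caller-supplied inputs rather than re-implementing them, and returns the outcome code that would be reported as <base_url>?e=<code>. Only 1003 (sandbox detected) is quoted on the page; every other code, the order of the checks, and the sample User-Agents are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Range the kit targets, per the page: iOS 13.0 through 17.2.1 inclusive.
MIN_IOS = (13, 0, 0)
MAX_IOS = (17, 2, 1)

# Outcome codes. 1003 ("sandbox detected") is the only value the page quotes;
# the others are placeholders assumed for this example, not the kit's real codes.
CODE_PROCEED = 0
CODE_NOT_IOS = 1001
CODE_OUT_OF_RANGE = 1002
CODE_SANDBOX = 1003
CODE_LOCKDOWN = 1004
CODE_PRIVATE_BROWSING = 1005

# Mobile Safari UA fragment: "(iPhone; CPU iPhone OS 17_2_1 like Mac OS X)"
_IOS_UA = re.compile(r"(?:iPhone|iPad|iPod).*?OS (\d+)(?:_(\d+))?(?:_(\d+))? like Mac OS X")


def parse_ios_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an iOS User-Agent, or None for non-iOS.

    Caveat: iPadOS 13+ requests desktop sites by default and sends a macOS UA,
    so UA parsing alone under-counts iPads; that is why the kit layers feature
    probes (IndexedDB, WebAssembly, WebKit rendering checks) on top of it.
    """
    m = _IOS_UA.search(ua)
    if not m:
        return None
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def in_targeted_range(ua: str) -> bool:
    """Fleet-triage helper: is this UA inside the 13.0..17.2.1 window?"""
    ver = parse_ios_version(ua)
    return ver is not None and MIN_IOS <= ver <= MAX_IOS


@dataclass
class Probes:
    """Results of the in-page checks the stager runs (supplied by the caller)."""
    lockdown_mode: bool            # Lockdown Mode detected
    private_browsing: bool         # private tab
    real_webkit: bool              # rendering-engine oracle passed
    has_rtc_peer_connection: bool  # RTCPeerConnection present


def gate(ua: str, probes: Probes) -> int:
    """Decide whether the stager would continue; returns the outcome code it
    would report. Check order is an assumption of this example."""
    ver = parse_ios_version(ua)
    if ver is None:
        return CODE_NOT_IOS
    if not (MIN_IOS <= ver <= MAX_IOS):
        return CODE_OUT_OF_RANGE
    if probes.lockdown_mode:
        return CODE_LOCKDOWN
    if probes.private_browsing:
        return CODE_PRIVATE_BROWSING
    if not probes.real_webkit or not probes.has_rtc_peer_connection:
        return CODE_SANDBOX
    return CODE_PROCEED


def beacon_url(base_url: str, code: int) -> str:
    """Outcome report format quoted on the page: GET <base_url>?e=<code>."""
    return f"{base_url}?e={code}"


# Constructed sample User-Agents for the demonstration.
UA_IPHONE_17_2_1 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1")
UA_IPHONE_17_3 = UA_IPHONE_17_2_1.replace("17_2_1", "17_3").replace("Version/17.2", "Version/17.3")
UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/17.2 Safari/605.1.15")

if __name__ == "__main__":
    real_device = Probes(lockdown_mode=False, private_browsing=False,
                         real_webkit=True, has_rtc_peer_connection=True)
    sandbox = Probes(lockdown_mode=False, private_browsing=False,
                     real_webkit=True, has_rtc_peer_connection=False)
    for label, ua, p in [("patched iPhone", UA_IPHONE_17_3, real_device),
                         ("in-range iPhone", UA_IPHONE_17_2_1, real_device),
                         ("headless/sandbox", UA_IPHONE_17_2_1, sandbox),
                         ("macOS desktop", UA_MAC, real_device)]:
        print(f"{label:18} -> {beacon_url('https://c2.invalid', gate(ua, p))}")
```

The practical consequence for a defender: replaying a suspect URL from a desktop browser, a private tab, or a headless WebKit without RTCPeerConnection never reaches the exploit stage, so the kit looks inert. Detonation needs an in-range iOS User-Agent and a realistic Safari profile, and fleet triage with in_targeted_range() should be cross-checked against MDM inventory because iPads report a macOS UA by default.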

Collection

1 technique
T1005 Data from Local System (evidence: 2)

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 2)

"reports the outcome to the C2 via a GET request to <base_url>?e=<code>"

T1105 Ingress Tool Transfer (evidence: 3)

UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server.

T1568 Dynamic Resolution (evidence: 1)

Its final payload PlasmaLoader targets banking data, cryptocurrency wallets, and other sensitive information, using encrypted communications and a custom domain generation algorithm seeded with "lazarus."

T1568.002 Domain Generation Algorithms (evidence: 2)

"The C2 domains (the 27 DGA-generated .xyz domains)... short-lived, algorithmically generated fallback domains"
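A hunting pass over proxy logs for the two network behaviours quoted above (the GET <base_url>?e=<code> outcome beacon under T1071.001 and the short-lived .xyz DGA fallback domains under T1568.002), written as an added Python example; it is not a Mallory detection, and the log format, log lines and hostnames are constructed. The DGA check is a generic entropy heuristic, not the kit's algorithm, which the page does not describe beyond its "lazarus" seed and .xyz TLD.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# The .xyz hosts are invented stand-ins for the kit's DGA fallback domains;
# the "?e=1003" request mirrors the outcome beacon quoted on the page.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z 10.0.4.21 GET https://news.example/ 200
2024-05-02T10:14:04Z 10.0.4.21 GET https://news.example/assets/app.js 200
2024-05-02T10:14:06Z 10.0.4.21 GET https://kq7vz2xh4tpd.xyz/?e=1003 200
2024-05-02T10:15:11Z 10.0.4.33 GET https://mail.example/?e=inbox 200
2024-05-02T10:16:40Z 10.0.4.33 GET https://shop.example/checkout?e=1&cart=9 200
2024-05-02T10:18:02Z 10.0.4.21 GET https://x9mw3qzv7rbk.xyz/?e=0 200
"""

# Only code 1003 is documented on the page; anything else is undocumented.
KNOWN_CODES = {1003: "sandbox detected"}

_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[Dict]:
    """Split one constructed log line into its fields; None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def beacon_code(url: str) -> Optional[int]:
    """Return the e=<code> value if the URL has exactly one query parameter,
    named e, with an integer value (the shape of the stager's outcome report);
    otherwise None. The path is not constrained because <base_url> may carry one."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) == 1 and params[0][0] == "e" and params[0][1].isdigit():
        return int(params[0][1])
    return None


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a domain label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(host: str, min_len: int = 10, min_entropy: float = 3.2,
                    max_vowel_ratio: float = 0.3) -> bool:
    """Generic DGA heuristic (assumed, not derived from the kit's algorithm):
    a long, high-entropy, vowel-poor registrable label."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return label_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def hunt(log_text: str) -> List[Dict]:
    """Flag outcome beacons and DGA-like hosts; the strongest signal is both
    reasons on one request from a single client."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        reasons = []
        code = beacon_code(rec["url"]) if rec["method"] == "GET" else None
        if code is not None:
            reasons.append("outcome-beacon")
        if looks_generated(host):
            reasons.append("dga-like-domain")
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"], "host": host,
                             "code": code, "meaning": KNOWN_CODES.get(code, "undocumented"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Treat the two signals jointly: a numeric single-parameter e= request is common in benign analytics, and high-entropy labels appear on CDNs, so a finding carrying both reasons from one client, ideally shortly after that client visited a compromised site, is the one to page on. Tune the hard-coded thresholds on your own traffic before deploying.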

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“...If such text is found in Apple Memos it will be sent back to the C2.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

72 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
60 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
12 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type     Value                              Latest sighting
domain   (redacted on the public page)      3 months ago
domain   (redacted on the public page)      3 months ago
domain   (redacted on the public page)      3 months ago
domain   (redacted on the public page)      3 months ago
domain   (redacted on the public page)      3 months ago
domain   (redacted on the public page)      3 months ago