Mallory

Coruna Spy-Grade iOS Exploit Kit Proliferates From Surveillance to Espionage and Financial Crime

Tags: exploit kit, espionage, browser exploit, spyware, threat hunting, remote code execution, financial crime, surveillance, privilege escalation, zero-day, iPhone, Safari, sandbox escape, vulnerability, iOS
Updated March 13, 2026 at 04:01 AM · 27 sources

Google’s Threat Intelligence Group (GTIG) reported on Coruna, a commercial, spy-grade iOS exploit kit that has circulated among multiple threat actors and whose use cases have shifted over time: from a surveillance customer, to suspected state-linked watering-hole activity, and later to financially motivated abuse. GTIG assessed that Coruna includes five full iOS exploit chains comprising 23 exploits, mixing CVE-tracked vulnerabilities with additional flaws that were not assigned CVEs (the CVE mapping may be revised as analysis continues). The chains target iOS through ordinary web content, leveraging WebKit memory-corruption bugs and related browser-subsystem weaknesses to achieve remote code execution and sandbox escape.

Reporting highlighted that Coruna’s exploit set largely relies on older issues that are likely patched on current devices, but the kit was assessed as capable (with varying reliability) of targeting iPhone models across a wide range of versions, from iOS 13.0 through iOS 17.2.1. Publicly referenced CVEs associated with Coruna include CVE-2024-23222, CVE-2022-48503 (later added to CISA’s KEV), CVE-2023-43000, and multiple WebKit/privilege escalation bugs used as zero-days in prior campaigns (e.g., CVE-2023-38606, CVE-2023-32434, CVE-2023-32409). Mandiant/Google also published a set of URLs observed delivering Coruna landing pages (e.g., paths like /group.html and /static/analytics.html across numerous domains), intended to support detection and threat hunting.
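As an added example (not code from GTIG, Mandiant or any of the page’s sources), the following Python hunt scans constructed proxy-log lines for requests to the two landing-page paths quoted above and ranks each hit by whether the requesting iPhone reports an iOS build inside the assessed 13.0 to 17.2.1 range. The log format, host names and client addresses are assumptions constructed for the example; the published domain list is not reproduced here, so the match is on path alone.

```python
import re
from urllib.parse import urlparse
# Landing-page paths quoted in the Coruna reporting. The published domain list is
# not reproduced on this page, so matching is on path only (a weak, noisy signal).
CORUNA_LANDING_PATHS = {"/group.html", "/static/analytics.html"}
AFFECTED_MIN = (13, 0, 0)  # kit assessed to target iOS 13.0 through 17.2.1, inclusive
AFFECTED_MAX = (17, 2, 1)
# Safari on iPhone reports the OS as e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
_IOS_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Constructed sample proxy lines, format <ts> <client_ip> <url> "<user_agent>";
# hosts and addresses are hypothetical, not real indicators.
SAMPLE_LOG = [
    '2026-03-12T09:01:10Z 10.0.0.21 https://news-example.invalid/group.html '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15"',
    '2026-03-12T09:01:15Z 10.0.0.23 https://news-example.invalid/index.html '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 15_7 like Mac OS X) AppleWebKit/605.1.15"',
    '2026-03-12T09:01:20Z 10.0.0.24 https://cdn-example.invalid/group.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
]

def parse_ios_version(user_agent: str):
    # Returns (major, minor, patch) for an iPhone Safari UA string, else None.
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(url: str, user_agent: str):
    # Severity for one request, or None when the path is not a known landing page.
    if urlparse(url).path not in CORUNA_LANDING_PATHS:
        return None
    version = parse_ios_version(user_agent)
    if version is None:
        return "low"     # landing path hit, but not an iPhone Safari client
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "high"    # iPhone on a build the kit is assessed to target
    return "medium"      # iPhone on a build outside the assessed range

def hunt(log_lines: list):
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue     # skip lines that do not fit the constructed format
        ts, client, url, ua = m.groups()
        severity = classify(url, ua)
        if severity:
            findings.append({"time": ts, "client": client, "url": url, "severity": severity})
    return findings
```

Because generic paths such as /group.html also occur on benign sites, a real hunt should restrict the match to the published domains and treat "high" findings as triage leads rather than confirmed compromise.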


Related Stories

Coruna iPhone Exploit Kit Linked to Russian Espionage and Criminal Use


Researchers reported that the **Coruna** iOS exploitation framework contains full exploit chains and roughly **23 exploits** targeting iPhones running **iOS 13 through 17.2/17.2.1**, and that it has been used by multiple threat actors, including **UNC6353**, a suspected Russian espionage group conducting watering-hole attacks against Ukrainian users, and **UNC6691**, a financially motivated China-based actor. The toolkit, also referred to as **CryptoWaters**, has been described as a rare case of **nation-state-grade iPhone exploitation** appearing in broader criminal operations, with post-exploitation activity including the **PLASMAGRID** payload and persistence through a process identified as `com.apple.assistd` that injects into the `powerd` daemon running as root. Reporting also highlighted competing views on the toolkit's origin. One account said evidence suggests parts of Coruna may have originated from **Trenchant**, a hacking and surveillance division of **L3Harris**, and later leaked into the wider ecosystem, ultimately reaching foreign intelligence services and cybercriminals. However, technical threat research noted that the **definitive origin remains unconfirmed**, even as analysts observed reuse of vulnerabilities associated with **Operation Triangulation** and CISA added **`CVE-2023-41974`** to the **Known Exploited Vulnerabilities** catalog after Google's publication. The story is substantive threat intelligence, not fluff, because it concerns an active exploit framework, real-world exploitation, and possible proliferation of advanced offensive capabilities.

Today
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns


Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.

1 week ago
Apple Backports Coruna Exploit Fixes to Older iPhone and iPad Models


Apple released emergency security updates for older devices to block exploitation associated with the **Coruna** exploit chain, backporting fixes previously delivered in newer iOS branches. The updates target legacy hardware that cannot move to the latest operating systems, with reporting indicating that **iOS 15.8.7** and **iPadOS 15.8.7** protect devices such as the iPhone 6s, iPhone 7, first-generation iPhone SE, iPad Air 2, iPad mini 4, and iPod touch 7. The attack path described for Coruna combines multiple flaws in the **kernel** and **WebKit**, enabling device compromise through malicious web content and potentially leading to arbitrary code execution with elevated privileges. Apple’s security documentation also confirms a related backport in **iOS 16.7.15** and **iPadOS 16.7.15** for slightly newer but still unsupported models, including iPhone 8, iPhone 8 Plus, iPhone X, and several older iPads. That advisory ties the Coruna exploit to **CVE-2023-43010**, a memory corruption issue triggered by processing crafted web content, and states the fix was originally shipped in **iOS 17.2** before being brought to devices unable to upgrade further. Together, the updates show Apple extending protections against an actively weaponized exploit chain across multiple older device families rather than limiting remediation to current-generation platforms.

3 days ago
