Coruna Spy-Grade iOS Exploit Kit Proliferates From Surveillance to Espionage and Financial Crime
Google’s Threat Intelligence Group (GTIG) reported on Coruna, a commercial/spy-grade iOS exploit kit that has circulated among multiple threat actors and shifted use cases over time—from a surveillance customer to suspected state-linked watering-hole activity and later to financially motivated abuse. GTIG assessed Coruna includes five full iOS exploit chains comprising 23 exploits, mixing CVE-tracked vulnerabilities with additional flaws that were not assigned CVEs (with CVE mapping potentially subject to revision as analysis continues). The exploit chains target iOS via ordinary web content, leveraging WebKit memory-corruption and related browser subsystem weaknesses to achieve capabilities such as remote code execution and sandbox escape.
Reporting highlighted that Coruna’s exploit set largely relies on older issues that are likely patched on current devices, but the kit was assessed as capable (with varying reliability) of targeting iPhone models across a wide range of versions, from iOS 13.0 through iOS 17.2.1. Publicly referenced CVEs associated with Coruna include CVE-2024-23222, CVE-2022-48503 (later added to CISA’s KEV), CVE-2023-43000, and multiple WebKit/privilege escalation bugs used as zero-days in prior campaigns (e.g., CVE-2023-38606, CVE-2023-32434, CVE-2023-32409). Mandiant/Google also published a set of URLs observed delivering Coruna landing pages (e.g., paths like /group.html and /static/analytics.html across numerous domains), intended to support detection and threat hunting.
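As an added, defender-side example (not code from the page, GTIG or Mandiant), the following Python sweep flags proxy log requests to the two reported landing-page paths that come from iPhones inside the iOS range the kit was assessed to target. The log line layout, the sample lines and the hosts are constructed assumptions; a hit is a hunting lead only, since those path names are generic.

```python
import re

# Landing-page paths GTIG/Mandiant reported for Coruna delivery (from the page).
# They are generic names, so a hit is a hunting lead, not a verdict on its own.
CORUNA_PATHS = ("/group.html", "/static/analytics.html")

# iOS range the kit was assessed to target (inclusive, from the page).
MIN_IOS = (13, 0, 0)
MAX_IOS = (17, 2, 1)

# Assumed log format (constructed for this example): client, ts, method, path, status, user-agent.
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) "([^"]*)"$')
UA_RE = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")

def ios_version(user_agent: str):
    """Return (major, minor, patch) from an iPhone User-Agent, or None if not an iPhone."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def hunt(lines):
    """Yield (client, path, ios_version) for requests worth a closer look."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        client, _ts, _method, path, _status, ua = m.groups()
        path = path.split("?", 1)[0]  # drop any query string before the suffix check
        if not path.endswith(CORUNA_PATHS):
            continue
        ver = ios_version(ua)
        if ver is None or not (MIN_IOS <= ver <= MAX_IOS):
            continue  # desktop client, or an iOS build outside the assessed range
        yield (client, path, ver)

# Constructed sample lines; addresses are placeholders, not reported indicators.
SAMPLE = [
    '10.0.0.5 [05/Mar/2026:10:01:02 +0000] "GET /group.html HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7 like Mac OS X)"',
    '10.0.0.6 [05/Mar/2026:10:01:05 +0000] "GET /static/analytics.html HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X)"',
    '10.0.0.7 [05/Mar/2026:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 15_8 like Mac OS X)"',
    '10.0.0.8 [05/Mar/2026:10:01:12 +0000] "GET /group.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Only the first sample line is reported: the second is an iOS build newer than 17.2.1, the third is not a reported path, and the fourth is not an iPhone.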

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Kaspersky links Coruna kernel exploit to updated Operation Triangulation code
Kaspersky reported that Coruna’s kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the exploit used in Operation Triangulation. The company also identified four additional kernel exploits and said Coruna is a unified modular exploitation framework rather than a loose collection of exploits.
Apple backports Coruna-related fixes to older iPhones and iPads
Apple released iOS/iPadOS 15.8.7 and 16.7.15 for older devices, backporting fixes for multiple vulnerabilities associated with Coruna, including CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010. The update extended protections to devices that cannot run the latest iOS versions.
Reports allege Coruna likely originated with L3Harris Trenchant
TechCrunch reported that multiple sources and former employees linked Coruna to L3Harris's Trenchant division, suggesting the toolkit was originally developed for a U.S. government or allied intelligence customer. The reporting also pointed to former Trenchant manager Peter Williams as a possible leakage path through sales to Russian exploit broker Operation Zero.
Four Coruna DGA domains placed on serverHold in likely coordinated takedown
On 2026-03-05, four of five known PLASMAGRID/Coruna DGA command-and-control domains were placed on serverHold, disrupting part of the kit's infrastructure. Breakglass assessed the timing alongside CISA's KEV action as evidence of a coordinated takedown, while one primary domain remained active and may have been left for monitoring.
Validin links Coruna infrastructure to new Iran war-themed lure sites
Validin reported additional suspected Coruna/PLASMAGRID infrastructure, including more than 200 similar delivery domains seen in the prior week and 27 hosts still serving malicious iframe content. The analysis connected known Coruna indicators to newly registered Iran-themed lure domains, suggesting ongoing reuse.
CISA adds three Coruna-linked Apple flaws to KEV
CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to its Known Exploited Vulnerabilities catalog after reporting tied them to Coruna exploitation. The agency ordered U.S. federal civilian agencies to remediate by March 26, 2026.
Kaspersky disputes claims Coruna was built by Operation Triangulation authors
Kaspersky publicly rejected suggestions that Coruna was developed by the same authors behind the 2023 Operation Triangulation campaign. The company said overlap in exploited CVEs was not enough to support attribution or code-reuse claims.
Google and iVerify publish Coruna technical findings and IOCs
On March 3, 2026, Google Threat Intelligence Group and iVerify publicly disclosed Coruna, describing five iOS exploit chains with 23 exploits and releasing technical indicators and detection guidance. Google also said it added identified domains to Safe Browsing.
China-linked actor deploys Coruna in fake crypto and gambling sites
By December 2025, Google linked Coruna to UNC6691, a financially motivated China-based actor using fake Chinese gambling and cryptocurrency sites to infect victims. The campaign delivered wallet-stealing malware aimed at cryptocurrency theft.
Russian espionage group uses Coruna against Ukrainian websites
In July 2025, Google observed suspected Russian espionage actor UNC6353 using Coruna in watering-hole attacks via compromised Ukrainian websites. The activity targeted iPhone users through hidden iframe-based exploit delivery.
Google first observes Coruna in a surveillance-linked campaign
Google Threat Intelligence Group first saw parts of the Coruna framework in February 2025 during a highly targeted intrusion attributed to a customer of a commercial surveillance vendor. This marks the earliest reported operational use of the exploit kit.
Apple fixes CVE-2024-23222 in iOS 17.3
Apple patched CVE-2024-23222 in iOS 17.3, a JavaScriptCore/WebKit-related issue later reported as part of Coruna's exploit arsenal. Google later said Coruna was ineffective against the latest iOS releases.
Apple fixes CVE-2023-43010 in iOS 17.2
Apple originally shipped a fix for WebKit flaw CVE-2023-43010 in iOS 17.2, later identified as one of the vulnerabilities used in Coruna exploit chains. This established that at least part of the toolkit relied on already-patched bugs.
Sources
Possible US Government iPhone Hacking Tool Leaked - Schneier on Security (schneier.com)
PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence (intel.breakglass.tech)
Coruna exploit reveals evolution of Triangulation iOS exploitation framework (securityaffairs.com)
Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in New Mass Attacks (thehackernews.com)
Kaspersky: No signs Coruna iPhone exploit kit made by US - The Register (go.theregister.com)
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit - DataBreaches.Net (databreaches.net)
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit - Google Cloud Blog (cloud.google.com)
Coruna: Spy-grade iOS exploit kit powering financial crime - Help Net Security (helpnetsecurity.com)


