Coruna iPhone Exploit Kit Linked to Russian Espionage and Criminal Use
Researchers reported that the Coruna iOS exploitation framework contains full exploit chains and roughly 23 exploits targeting iPhones running iOS 13 through 17.2/17.2.1, and that it has been used by multiple threat actors, including UNC6353, a suspected Russian espionage group conducting watering-hole attacks against Ukrainian users, and UNC6691, a financially motivated China-based actor. The toolkit, also referred to as CryptoWaters, has been described as a rare case of nation-state-grade iPhone exploitation appearing in broader criminal operations, with post-exploitation activity including the PLASMAGRID payload and persistence through a process identified as com.apple.assistd that injects into the powerd daemon running as root.
Reporting also highlighted competing views on the toolkit's origin. One account said evidence suggests parts of Coruna may have originated from Trenchant, a hacking and surveillance division of L3Harris, and later leaked into the wider ecosystem, ultimately reaching foreign intelligence services and cybercriminals. However, technical threat research noted that the definitive origin remains unconfirmed, even as analysts observed reuse of vulnerabilities associated with Operation Triangulation and CISA added CVE-2023-41974 to the Known Exploited Vulnerabilities catalog after Google's publication. The story is substantive threat intelligence, not fluff, because it concerns an active exploit framework, real-world exploitation, and possible proliferation of advanced offensive capabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly detail the Coruna iOS exploit framework
Public reporting described Coruna as a sophisticated iPhone exploitation toolkit with more than 20 exploits and full exploit chains affecting iOS 13 through 17.2.1. The analysis also highlighted reuse across espionage and criminal ecosystems and possible links to L3Harris's Trenchant unit through previously stolen tools.
CISA adds CVE-2023-41974 to Known Exploited Vulnerabilities catalog
CISA added CVE-2023-41974, a kernel use-after-free vulnerability used in the Coruna exploit chain, to its Known Exploited Vulnerabilities catalog. The action highlighted active exploitation risk and the need for urgent patching.
UNC6691 deploys Coruna in fake crypto and finance campaigns
A China-based financially motivated actor tracked as UNC6691 used Coruna one-click Safari exploit chains on fake finance and cryptocurrency sites to mass-exploit iPhone users. The campaign delivered the PLASMAGRID payload to steal wallet data, seed phrases, photos, emails, and Apple Notes content.
Russian-linked UNC6353 targets Ukrainian users with Coruna exploits
Researchers assessed that UNC6353, a suspected Russian espionage group, used the Coruna iOS exploit framework in operations targeting Ukrainian victims, including via compromised websites. The toolkit was used against iPhones running vulnerable iOS versions from 13 through 17.2.
Operation Triangulation uses related iPhone vulnerabilities against Russian users
Google researchers linked two vulnerabilities later associated with the Coruna toolkit to the Operation Triangulation iPhone hacking campaign targeting users in Russia. This establishes earlier reuse of some of the same exploit components in a separate espionage operation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Coruna, DarkSword & Democratizing Nation-State Exploit Kits
darkreading.com
Open sourceUS Military Contractor Likely Built iPhone Hacking Tools Used By Russian Spies in Ukraine
vulnu.com
Open sourceCoruna iOS Exploit Kit: Observed Traffic Across… | Centripetal
centripetal.ai
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Coruna Spy-Grade iOS Exploit Kit Proliferates From Surveillance to Espionage and Financial Crime
Google’s Threat Intelligence Group (GTIG) reported on **Coruna**, a commercial/spy-grade iOS exploit kit that has circulated among multiple threat actors and shifted use cases over time—from a surveillance customer to suspected state-linked watering-hole activity and later to financially motivated abuse. GTIG assessed Coruna includes **five full iOS exploit chains** comprising **23 exploits**, mixing CVE-tracked vulnerabilities with additional flaws that were not assigned CVEs (with CVE mapping potentially subject to revision as analysis continues). The exploit chains target iOS via ordinary web content, leveraging **WebKit memory-corruption** and related browser subsystem weaknesses to achieve capabilities such as **remote code execution** and **sandbox escape**. Reporting highlighted that Coruna’s exploit set largely relies on older issues that are likely patched on current devices, but the kit was assessed as capable (with varying reliability) of targeting iPhone models across a wide range of versions, from **iOS 13.0 through iOS 17.2.1**. Publicly referenced CVEs associated with Coruna include **CVE-2024-23222**, **CVE-2022-48503** (later added to CISA’s KEV), **CVE-2023-43000**, and multiple WebKit/privilege escalation bugs used as zero-days in prior campaigns (e.g., **CVE-2023-38606**, **CVE-2023-32434**, **CVE-2023-32409**). Mandiant/Google also published a set of **URLs observed delivering Coruna** landing pages (e.g., paths like `/group.html` and `/static/analytics.html` across numerous domains), intended to support detection and threat hunting.
Apr 25, 2026
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
Mar 21, 2026
DarkSword iOS Exploit Chain Used in Watering-Hole Attacks Against Ukrainians
Researchers from **Google**, **iVerify**, and **Lookout** disclosed **DarkSword**, a sophisticated iPhone exploit chain used in compromised websites to silently infect visitors, with observed targeting focused on **Ukraine** and additional activity tied to **Saudi Arabia, Turkey, and Malaysia**. The campaign is linked to suspected Russian operators, including activity tracked as **UNC6353**, and appears to support both **espionage** and **financial theft**, including the theft of saved passwords, text messages, and cryptocurrency wallet data. Reporting also indicates DarkSword is the second major iOS exploit kit recently found in the wild after **Coruna**, reinforcing concerns that advanced mobile exploitation is becoming more broadly operationalized rather than reserved for narrowly targeted, bespoke use. Technical analysis shows DarkSword used multiple chained vulnerabilities to achieve full device compromise on older iOS versions, including JavaScriptCore bugs **`CVE-2025-31277`** and **`CVE-2025-43529`** for remote code execution, **`CVE-2026-20700`** as a `dyld` PAC bypass, and sandbox escapes that pivoted from **WebContent** to the **GPU process** and then to `mediaplaybackd`. The exploit chain relied on first compromising **WebKit** and then abusing **WebGPU/ANGLE**-related paths to escape Safari’s sandbox, and Apple patched the flaws across later iOS releases including **18.6**, **18.7.3**, **26.2**, and **26.3**. Researchers warned that a substantial installed base of devices running **iOS 18 or earlier** remained exposed at the time of disclosure, making DarkSword notable both for its technical sophistication and for the scale of potentially vulnerable iPhones.
Apr 4, 2026