Coruna iOS exploit kit timeline
The Google Threat Intelligence Group (GTIG) has pulled back the curtain on “Coruna,” a formidable iOS exploit kit that has transitioned from the hands of commercial surveillance vendors into the arsenals of state-sponsored espionage groups and financially motivated attackers.
First identified targeting iPhone models running iOS 13.0 through 17.2.1, the kit is a masterclass in modern exploitation. As the GTIG report notes, “The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses”.
The timeline of the Coruna kit reveals a disturbing trend of high-end cyber capabilities trickling down to various threat actors. In February 2025, GTIG first captured parts of the chain being used by a customer of a commercial surveillance company. By July 2025, the kit surfaced in “watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group”. Finally, the complete kit was retrieved during broad-scale campaigns by UNC6691, a China-based threat actor targeting cryptocurrency users.
GTIG warns that this trajectory “suggests an active market for ‘second hand’ zero-day exploits”, where advanced techniques are re-used and modified by multiple actors.
The Coruna kit is a “comprehensive collection” featuring five full exploit chains and a total of 23 exploits. The framework is “extremely well engineered,” utilizing a sophisticated JavaScript delivery system to fingerprint devices before launching the appropriate attack.
Key Exploits Identified:
| Type | Codename | Targeted versions (inclusive) | Fixed version | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 – 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 – 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 – 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 – 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 – 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 – 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 – 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 – 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 – 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 – 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 – 16.3.1, 16.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 – 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 – 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 – 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 – 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 – 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 – 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 – 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 – 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
One of the centerpieces is CVE-2024-23222, a WebKit vulnerability that was addressed by Apple in early 2024 but remained a potent weapon in the Coruna arsenal for unpatched devices.
Unlike typical surveillance tools designed for silent monitoring, the final payload of this kit, a stager called PlasmaLoader, is laser-focused on financial theft.
The malware injects itself into the powerd daemon to run with root privileges. From there, it deploys modules designed to:
- Scan for Secrets: Analyze text for BIP39 recovery phrases or keywords like “bank account” in Apple Memos.
- Decode QR Codes: Extract information from images stored on the device.
- Hook Crypto Apps: Specifically target 19 different cryptocurrency wallet applications, including MetaMask, Trust Wallet, and Phantom, to exfiltrate assets.
Interestingly, researchers found that “all of these modules contain proper logging with sentences written in Chinese”, such as strings indicating the successful initialization of the payload manager. Some internal comments even appeared to be LLM-generated, adding a modern layer to the development process.
While Coruna is a powerful threat, it is ineffective against the latest versions of iOS. Users are strongly urged to update their devices immediately. For high-risk individuals unable to update, GTIG recommends that “Lockdown Mode be enabled for enhanced security”.
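The exploit table above, combined with the fixed builds Apple shipped, is enough for a defender to check a device inventory for exposure. The following is an added example (not GTIG's or the article's code) that transcribes a few rows of the table and evaluates constructed MDM inventory lines against them; the rule that a fix only counts when it sits on the device's own major version line, and that a two-component upper bound such as "17.3" covers the whole 17.3.x line, is an assumption of this example.

```python
# Added example, not GTIG tooling: exposure check of an MDM export against the Coruna table.
WILD = 10**6  # stands in for an "x"/"X" wildcard component

# (type, codename, targeted range, fixed versions or "?" when unknown); rows from the table
CORUNA_ROWS = [
    ("WebContent R/W", "cassowary", "16.6 – 17.2.1", "16.7.5, 17.3"),
    ("WebContent PAC bypass", "seedbell_16_6", "16.6 – 16.7.12", "?"),
    ("PE", "Gruber", "15.2 – 17.2.1", "16.7.6, 17.3"),
    ("PPL Bypass", "Sparrow", "17.0 – 17.3", "16.7.6, 17.4"),
    ("PE", "Neutron", "13.X", "14.2"),
]

def parse(v):
    """'16.7.5' -> (16, 7, 5); a trailing 'X' wildcard becomes WILD."""
    return tuple(WILD if p.lower() == "x" else int(p) for p in v.strip().split("."))

def parse_range(spec):
    """'16.6 – 17.2.1' -> ((16, 6), (17, 2, 1)); '13.X' covers the whole 13 line.
    Assumption: a short upper bound like '17.3' means the entire 17.3.x point-release line."""
    if "–" in spec:
        lo, hi = (parse(s) for s in spec.split("–"))
    else:
        lo, hi = (parse(spec)[0],), parse(spec)
    return lo, hi + (WILD,) * (3 - len(hi))

def exposed(device_version, row):
    """True if the build lies in the targeted range and is below every listed fix."""
    v = parse(device_version)
    lo, hi = parse_range(row[2])
    if not (lo <= v <= hi):
        return False
    if row[3] == "?":
        return True  # no fixed build recorded, so the range alone decides
    fixes = [parse(f) for f in row[3].split(",")]
    return not any(v >= f for f in fixes if f[0] == v[0])  # fix on the same major line

def assess(inventory):
    """Map each device id to the codenames of exploits its build is exposed to."""
    report = {}
    for line in inventory.splitlines():
        dev, ver = line.split(",")
        report[dev] = [row[1] for row in CORUNA_ROWS if exposed(ver, row)]
    return report

# Constructed MDM export (sample data): device id, installed iOS version
SAMPLE_INVENTORY = """iphone-a,17.2.1
iphone-b,16.7.5
iphone-c,17.3
iphone-d,13.7"""

if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY))
```

Devices already on a fixed build drop out of the report even when their version falls numerically inside a targeted range, which is why 16.7.5 is not flagged for cassowary but still is for the PAC bypass whose fix is unknown.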