Cybersecurity researchers have uncovered a powerful exploit framework known as Coruna, also referred to as CryptoWaters, that has been used to attack Apple iPhones running older versions of iOS.
According to researchers from the Google Threat Intelligence Group (GTIG), the toolkit includes multiple exploit chains designed to compromise iPhones running iOS 13 up to iOS 17.2.1. Devices running the latest iOS releases are not affected.
The toolkit contains five complete exploitation chains and at least 23 separate vulnerabilities, making it one of the most extensive exploit collections targeting iOS devices discovered so far.
A Sophisticated Exploit Framework
Security analysts say the technical sophistication of Coruna lies in the way the exploits are organized and deployed.
Rather than relying on a single vulnerability, the framework combines multiple exploitation techniques and mitigation bypass methods. These exploits are tied together through a well-structured framework that coordinates different attack stages.
Researchers say some of the techniques used in Coruna rely on non-public exploitation methods, suggesting the developers had access to advanced research or private vulnerability knowledge.

Exploit Kit Circulating Among Multiple Threat Actors
Investigators believe the exploit kit has been circulating since February 2025, moving through several different threat actors over time.
Initially, the toolkit appears to have been associated with a commercial surveillance vendor. Later it was used by a government-linked group, and by December 2025 it had reportedly reached a financially motivated cybercrime group operating out of China.
How the exploit kit moved between these groups is still unclear. However, researchers say the case highlights the growing secondary market for zero-day vulnerabilities, where advanced exploits are resold and reused by multiple attackers.
Security firm iVerify described Coruna as a major example of how tools originally designed for targeted surveillance can eventually spread to state actors and criminal groups.
Evidence of Large-Scale iPhone Exploitation
Traditionally, spyware targeting iPhones has been used in very limited and targeted attacks. However, researchers believe Coruna represents a shift toward broader, large-scale exploitation of Apple devices.
Google first discovered parts of the exploit chain in early 2025 while analyzing activity linked to a customer of an unnamed surveillance company.
The attack relied on a custom JavaScript framework that identifies a device before launching the exploit.
The script gathers information such as:
- The iPhone model
- The installed iOS version
- Whether the device is genuine
Once the system identifies a suitable target, it loads a WebKit remote code execution exploit tailored to the device.
One of the vulnerabilities used in the attack chain was CVE-2024-23222, a WebKit type confusion flaw patched by Apple in January 2024.
Attacks Observed on Compromised Websites
In July 2025, researchers observed the exploit framework being delivered through a malicious domain embedded inside compromised websites.
The infected sites were mainly Ukrainian and included pages related to:
- industrial equipment
- retail tools
- local services
- e-commerce platforms
The malicious code was loaded through a hidden iframe and only delivered to specific iPhone users based on their location.
Investigators believe a suspected Russian espionage group, tracked as UNC6353, may have been responsible for that campaign.
The exploit chain used during that operation combined several vulnerabilities, including:
- CVE-2024-23222
- CVE-2022-48503
- CVE-2023-43000

Later Campaign Targeted Chinese Financial Websites
A third wave of activity appeared in December 2025, when researchers discovered fake Chinese websites distributing the Coruna exploit kit.
Many of these sites were related to finance and encouraged visitors to open them using an iPhone or iPad for a “better experience.”
Once accessed on an Apple device, a hidden iframe injected the exploit kit into the session. Unlike the earlier campaign, this stage did not limit victims by geographic location.
This operation has been linked to a threat cluster known as UNC6691.
Malware Payload: PlasmaLoader
After exploitation, attackers deployed a loader malware called PlasmaLoader (also known as PLASMAGRID).
The malware can:
- decode QR codes hidden inside images
- download additional attack modules
- extract sensitive information from crypto wallets and apps
Applications reportedly targeted include:
- Base
- Bitget Wallet
- Exodus
- MetaMask
Researchers say the malware uses a list of hard-coded command-and-control servers. If those servers fail to respond, the malware can generate new domains automatically using a domain generation algorithm (DGA) seeded with the word “lazarus.”
The generated domains are typically 15 characters long and use the .xyz domain extension.
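For defenders, the reported domain shape is enough to build a DNS hunting heuristic. The following is an added example, not code from GTIG, iVerify, or the malware itself: it flags clients that look up several distinct high-entropy names matching that shape. The log format, the sample lines, the thresholds, and the assumptions that the 15 characters refer to the label before .xyz and are lowercase letters and digits are all constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Shape reported on the page: 15 characters under .xyz.
# Assumption: the 15 characters are the label, drawn from [a-z0-9].
DGA_SHAPE = re.compile(r"^[a-z0-9]{15}\.xyz\.?$")

def shannon_entropy(label: str) -> float:
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def hunt(dns_lines, min_entropy=3.0, min_distinct=3):
    """Return {client_ip: sorted candidate domains} for clients that queried
    at least `min_distinct` different names matching the reported shape."""
    per_client = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, _rcode = parts
        qname = qname.lower()
        if not DGA_SHAPE.match(qname):
            continue
        label = qname.split(".", 1)[0]
        # Low-entropy labels (e.g. one repeated character) are unlikely DGA output.
        if shannon_entropy(label) >= min_entropy:
            per_client[client].add(qname.rstrip("."))
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_distinct}

# Constructed sample log (timestamp client qname rcode); these are not real IoCs.
SAMPLE_LOG = [
    "2025-12-10T09:00:01Z 10.0.0.23 k3v9qzt1xw7mrb2.xyz NXDOMAIN",
    "2025-12-10T09:00:02Z 10.0.0.23 p8h2ld0cy5sgn4e.xyz NXDOMAIN",
    "2025-12-10T09:00:03Z 10.0.0.23 w6jf1ra9ub3kq7o.xyz NOERROR",
    "2025-12-10T09:00:04Z 10.0.0.23 www.apple.com NOERROR",
    "2025-12-10T09:01:10Z 10.0.0.41 aaaaaaaaaaaaaaa.xyz NXDOMAIN",
    "2025-12-10T09:01:11Z 10.0.0.41 shop.example.xyz NOERROR",
    "2025-12-10T09:02:00Z 10.0.0.57 m4t7xq0zb2v9kcd.xyz NXDOMAIN",
]

if __name__ == "__main__":
    for client, domains in hunt(SAMPLE_LOG).items():
        print(client, domains)
```

A single matching lookup is weak evidence on its own, since legitimate .xyz names can have the same shape; the per-client distinct-name threshold is what separates fallback behavior from ordinary browsing.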
Lockdown Mode Blocks the Exploit
One notable discovery is that the Coruna exploit kit refuses to run on devices using Apple’s Lockdown Mode. It also avoids executing if the user is browsing in private mode.
Security experts say this suggests the attackers deliberately built safeguards to avoid detection on highly secured devices.
How iPhone Users Can Protect Themselves
Researchers recommend several steps to reduce risk:
- Keep iOS updated to the latest version
- Enable Lockdown Mode if you are a high-risk user
- Avoid visiting unknown websites on mobile devices
- Install security updates as soon as they are released
Keeping devices updated remains the most effective defense against exploit kits targeting older versions of iOS.


