{"id":11097,"date":"2026-03-04T10:04:15","date_gmt":"2026-03-04T10:04:15","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/04\/coruna-exploit-kit-with-23-exploits-hacked-thousands-of-iphones\/"},"modified":"2026-03-04T10:04:15","modified_gmt":"2026-03-04T10:04:15","slug":"coruna-exploit-kit-with-23-exploits-hacked-thousands-of-iphones","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/04\/coruna-exploit-kit-with-23-exploits-hacked-thousands-of-iphones\/","title":{"rendered":"Coruna Exploit Kit With 23 Exploits Hacked Thousands of iPhones"},"content":{"rendered":"<div>\n<p>Google\u2019s Threat Intelligence Group (GTIG) has uncovered Coruna, a <a href=\"https:\/\/cybersecuritynews.com\/apple-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">sophisticated iOS exploit kit<\/a> containing 23 exploits across five full exploit chains that compromised thousands of iPhones running iOS 13.0 through 17.2.1 throughout 2025.<\/p>\n<p>The Coruna exploit kit is an advanced, modular iOS attack framework discovered by GTIG targeting Apple iPhone models from iOS 13.0 (September 2019) to iOS 17.2.1 (December 2023).<\/p>\n<p>The kit\u2019s name was uncovered when one threat actor mistakenly deployed a debug version of the framework, exposing internal code names and the kit\u2019s own identity.<\/p>\n<p>Its exploits feature extensive documentation written in native English, with the most advanced components leveraging non-public exploitation techniques and mitigation bypasses, a hallmark of nation-state-grade tooling.<\/p>\n<h2 class=\"wp-block-heading\" id=\"three-phase-proliferation-timeline\"><strong>Three-Phase Exploit Timeline<\/strong><\/h2>\n<p><a 
href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/coruna-powerful-ios-exploit-kit?linkId=59478481\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GTIG tracked Coruna moving through<\/a> three distinct threat actor ecosystems over the course of 2025, a rare window into how elite exploit kits proliferate from commercial surveillance vendors to state-sponsored espionage groups and finally to financially motivated criminals.<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>February 2025 \u2013 Commercial Surveillance Customer:<\/strong> GTIG first captured parts of an iOS exploit chain delivered through a previously unseen JavaScript framework using unique obfuscation techniques. The framework fingerprinted devices to identify the iPhone model and iOS version before loading the appropriate WebKit remote code execution (RCE) exploit followed by a Pointer Authentication Code (PAC) bypass.<\/li>\n<li>\n<strong>Summer 2025 \u2013 Russian Espionage (UNC6353):<\/strong> The identical JavaScript framework was found hosted on <code>cdn.uacounter[.]com<\/code>, injected as a hidden iFrame across dozens of compromised Ukrainian websites spanning industrial, retail, and ecommerce sectors. The exploits were selectively delivered based on geolocation to iPhone users. GTIG alerted CERT-UA to clean up all affected websites.<\/li>\n<li>\n<strong>Late 2025 \u2013 Chinese Financial Fraud (UNC6691):<\/strong> The complete exploit kit was retrieved from a large network of fake Chinese financial and cryptocurrency websites designed to lure iOS users. 
One fake WEEX crypto exchange site displayed pop-ups specifically urging users to visit via iPhone.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-J6J5V7kcKxrIoTyyqnw5JaiCWBv_IOkBSsCFveN-jM_RBF1f3Lmp3Tzc02Ul6588LLvGSFPI7z5nNtw3-4vX5sR3PnT8rOM0EjvbH91ovyideRr5SMd7mlp_L5EbpAn0jChG1idRvd_mbGJIgXFsAZ2WcGesm07RWIPOfUJ304ct_YHE40Xwa_IKHA-d\/s16000\/coruna%2520exploit%2520timeline.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Coruna Exploit timeline (Source: Google)<\/figcaption><\/figure>\n<p>The 23 exploits span five full exploit chains that deliver WebKit RCE, PAC bypasses, sandbox escapes, privilege escalation (PE), and PPL (Page Protection Layer) bypasses. Key CVEs include:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Code Name<\/th>\n<th>Targeted iOS Versions<\/th>\n<th>CVE<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>WebContent R\/W<\/td>\n<td>buffout<\/td>\n<td>13 \u2192 15.1.1<\/td>\n<td>CVE-2021-30952<\/td>\n<\/tr>\n<tr>\n<td>WebContent R\/W<\/td>\n<td>jacurutu<\/td>\n<td>15.2 \u2192 15.5<\/td>\n<td>CVE-2022-48503<\/td>\n<\/tr>\n<tr>\n<td>WebContent R\/W<\/td>\n<td>terrorbird<\/td>\n<td>16.2 \u2192 16.5.1<\/td>\n<td>CVE-2023-43000<\/td>\n<\/tr>\n<tr>\n<td>WebContent R\/W<\/td>\n<td>cassowary<\/td>\n<td>16.6 \u2192 17.2.1<\/td>\n<td><a href=\"https:\/\/cybersecuritynews.com\/apple-critical-zero-day-flaw-patched\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-23222<\/a><\/td>\n<\/tr>\n<tr>\n<td>Sandbox Escape<\/td>\n<td>IronLoader<\/td>\n<td>16.0 \u2192 16.3.1<\/td>\n<td><a href=\"https:\/\/cybersecuritynews.com\/apple-fixes-zero-day-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-32409<\/a><\/td>\n<\/tr>\n<tr>\n<td>PE<\/td>\n<td>Photon<\/td>\n<td>14.5 \u2192 15.7.6<\/td>\n<td><a 
href=\"https:\/\/cybersecuritynews.com\/ios-0-day-kernel-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-32434<\/a><\/td>\n<\/tr>\n<tr>\n<td>PPL Bypass<\/td>\n<td>Gallium<\/td>\n<td>14.x<\/td>\n<td><a href=\"https:\/\/cybersecuritynews.com\/apple-fixes-zero-day-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2023-38606<\/a><\/td>\n<\/tr>\n<tr>\n<td>PPL Bypass<\/td>\n<td>Sparrow<\/td>\n<td>17.0 \u2192 17.3<\/td>\n<td><a href=\"https:\/\/cybersecuritynews.com\/hackers-exploit-ios-zero-day-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-23225<\/a><\/td>\n<\/tr>\n<tr>\n<td>PPL Bypass<\/td>\n<td>Rocket<\/td>\n<td>17.1 \u2192 17.4<\/td>\n<td><a href=\"https:\/\/cybersecuritynews.com\/apple-safari-zero-day-exploit-patch\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-23296<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Two exploits, Photon and Gallium, target <a href=\"https:\/\/cybersecuritynews.com\/apples-imageio-zero-day\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerabilities previously used in Operation Triangulation<\/a>, the Kaspersky-discovered iOS espionage campaign from 2023.<\/p>\n<h2 class=\"wp-block-heading\" id=\"plasmaloader-the-financial-theft-payload\"><strong>PlasmaLoader: The Financial Theft Payload<\/strong><\/h2>\n<p>At the end of the exploit chain, a stager binary called PlasmaLoader (tracked as PLASMAGRID) injects itself into <code>powerd<\/code>, a root-level iOS daemon, using <code>com.apple.assistd<\/code> as a masquerading identifier.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhtjrEJHtssjV13lM1lfDtxN-5w0tGvvnvBH-BtgvjNI8hTWPjofoM5xX5hBbqNlWcyrCBlB22ZkO6_2262h2gaY_mKkdk2t1cYUCTuPxWoztsD5e44uWb8gwyy4AHZ7U4juTJv2ROeismC7utMajLStydRFpM8CEConB42ajq0AkEtQqyPBSJ-hAihYKpO\/s16000\/corepayload.png?ssl=1\" alt=\"\"><\/figure>\n<p>The payload targets 18 cryptocurrency wallet applications, including MetaMask, BitKeep, and Phantom, by hooking their functions to exfiltrate sensitive data.<\/p>\n<p>It can also scan Apple Notes for BIP39 seed phrases and keywords like \u201cbackup phrase\u201d or \u201cbank account.\u201d All logging strings and code comments are written in Chinese, with evidence of LLM-generated comment structures, strongly pointing to Chinese-speaking developers.<\/p>\n<p>Network communication uses HTTPS with AES encryption, while a custom Domain Generation Algorithm (DGA) seeded with the string \u201clazarus\u201d generates fallback <code>.xyz<\/code> domains with 15 characters, validated via Google\u2019s public DNS resolver.<\/p>\n<p>GTIG has added all identified domains and websites to Google Safe Browsing. The Coruna exploit kit is not effective against the latest version of iOS. 
Security teams and users should act on the following:<\/p>\n<ul class=\"wp-block-list\">\n<li>Immediately update all iPhones to the latest iOS version.<\/li>\n<li>Enable Lockdown Mode if updating is not possible \u2014 Coruna actively bails out when Lockdown Mode is detected.<\/li>\n<li>Avoid private or unverified financial\/crypto websites accessed via mobile Safari.<\/li>\n<li>Monitor for anomalous network requests to <code>.xyz<\/code> domains or HTTP headers <code>sdkv<\/code> and <code>x-ts<\/code> as potential C2 indicators.<\/li>\n<\/ul>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/coruna-ios-exploit-kit\/\">Coruna Exploit Kit With 23 Exploits Hacked Thousands of iPhones<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/coruna-ios-exploit-kit\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Coruna Exploit Kit With 23 Exploits Hacked Thousands of iPhones Google\u2019s Threat Intelligence Group (GTIG) has uncovered Coruna, a sophisticated iOS exploit kit containing 23 exploits across five full exploit chains that compromised thousands of iPhones running iOS 13.0 through 17.2.1 throughout 2025. 
The Coruna exploit kit is an advanced, modular iOS attack framework discovered [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-11097","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11097"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11097"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11097\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}