Google Exposes "Coruna" iOS Exploit Kit: 23 Exploits Across Five Chains Targeting iPhones
Google's Threat Intelligence Group discloses Coruna (aka CryptoWaters), a powerful iOS exploit kit with 23 exploits across five full chains targeting iOS 13-17.2.1 — originally used by a surveillance vendor, now weaponized for cryptocurrency theft by Chinese-speaking cybercrime groups.
Google's Threat Intelligence Group (GTIG) has disclosed Coruna, an iOS exploit kit containing 23 exploits organized into five full exploit chains that target iPhones running iOS 13.0 through 17.2.1. The kit, also tracked as CryptoWaters, is among the most comprehensive iOS exploit frameworks to have been publicly documented.
Origin and Evolution
GTIG tracked Coruna's evolution through three distinct phases. Initially, the kit was used in "highly targeted operations" by a customer of a commercial surveillance vendor — the type of operation typically associated with government intelligence agencies. It was then observed in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. Most recently, in late 2025 and early 2026, a Chinese-speaking financially motivated group tracked as UNC6691 acquired the kit and pivoted its use entirely to cryptocurrency theft.
Technical Sophistication
The kit's five exploit chains include non-public exploitation techniques and mitigation bypasses, which indicates access to advanced vulnerability research. The 23 individual exploits cover the stages of a full chain: initial compromise through WebKit, sandbox escapes, and kernel exploitation. Notably, Coruna includes a self-defense check: it detects devices running in Lockdown Mode or browsing in private mode and skips execution on them. This shows awareness of Apple's advanced security features and an intent to avoid failed or noisy attempts against targets likely to notice and report them.
Defense Recommendations
Apple has patched the vulnerabilities exploited by Coruna in iOS 17.3 and later. Devices still on iOS 13.0 through 17.2.1 are exposed and should be updated immediately; devices that cannot run iOS 17.3 remain in the affected range. Google and iVerify recommend enabling Lockdown Mode for users who face elevated threat levels, since the kit explicitly avoids devices with Lockdown Mode active. Note that this protection comes from the kit choosing not to run, not necessarily from Lockdown Mode blocking the exploits themselves, so patching remains the primary defense. The disclosure highlights the ongoing market for iOS exploits and the lifecycle of such tools: originally developed for state-sponsored surveillance, they eventually leak or are sold to criminal groups, broadening the population of potential victims from targeted individuals to the general public.
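For anyone checking a device fleet against the range above, the pitfall is comparing iOS version strings lexically, which places "17.10" before "17.3". The following is an added example written for this article, not code from Google's report or from Apple; it parses version strings into numeric tuples and triages a constructed inventory (the `device_id,os_version` layout is an assumption, not any real MDM export format).

```python
"""Flag iOS devices in an inventory that fall inside the Coruna-affected range.

Added example, not from Google's report. The inventory rows below are
constructed for illustration; the field layout (device_id,os_version)
is an assumption, not any real MDM export format.
"""
import re
from typing import Iterable, List, Tuple

# Affected range reported by GTIG: iOS 13.0 through 17.2.1 inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
# First release carrying Apple's fixes for the exploited bugs.
FIXED_IN = (17, 3, 0)

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Parse '17.2.1', '17.2' or '17' into a (major, minor, patch) tuple.

    Tuples, not raw strings, are compared so that '17.10' sorts after
    '17.3'; a lexical comparison would get that wrong.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in the reported Coruna-affected range."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage_inventory(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (device_id, version, status) for each inventory row.

    status: 'update'      -> inside the affected range, patch now
            'ok'          -> 17.3 or later
            'below_range' -> older than 13.0; the disclosure does not cover
                             these builds, so do not read this as "safe"
            'check'       -> between 17.2.1 and 17.3 (no such public build
                             is known; flagged rather than assumed fixed)
            'unparsed'    -> version field could not be read
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, _, version = line.partition(",")
        version = version.strip()
        try:
            v = parse_ios_version(version)
        except ValueError:
            results.append((device_id, version, "unparsed"))
            continue
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            status = "update"
        elif v >= FIXED_IN:
            status = "ok"
        elif v < AFFECTED_MIN:
            status = "below_range"
        else:
            status = "check"
        results.append((device_id, version, status))
    return results


# Constructed sample inventory (device_id,os_version); not real device data.
SAMPLE_INVENTORY = """
# device_id,os_version
ip-001,17.2.1
ip-002,17.3
ip-003,17.10
ip-004,16.7.8
ip-005,12.5.7
ip-006,unknown
"""

if __name__ == "__main__":
    for device_id, version, status in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{device_id:8} {version:10} {status}")
```

Rows marked `update` are the ones to act on; `below_range` rows are outside what the report covers and should be handled by your normal end-of-support policy rather than treated as unaffected.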