Cyber: Coruna Ios Exploit Kit Uses 23 Exploits Across Five Chains...

Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.

The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. The findings were first reported by WIRED.

"The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses," according to GTIG. "The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks."

The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December.

It's currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

"Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations," iVerify said.

The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.

Google said it first captured parts of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework. The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running.

The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in questio
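Because the kit gates its exploits on the reported iOS version, the first defensive question for a fleet owner is which devices still sit inside the affected range the report gives (iOS 13.0 through 17.2.1). The helper below is an added illustration, not code from Google, iVerify or the kit itself; it assumes both bounds are inclusive, compares versions numerically rather than as strings (so a hypothetical 17.10 sorts after 17.2.1), and the inventory records are constructed sample data.

```python
"""
Fleet audit helper: flag devices whose reported iOS version falls inside the
range the report attributes to Coruna (iOS 13.0 through 17.2.1).
Added example; the bounds are taken from the report and assumed inclusive.
"""
import re
from typing import Iterable

AFFECTED_MIN = (13, 0, 0)   # lowest affected version named in the report (assumed inclusive)
AFFECTED_MAX = (17, 2, 1)   # highest affected version named in the report (assumed inclusive)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1', '17.2' or '17' into a comparable (major, minor, patch) tuple.

    Numeric tuples are used so that a minor version of 10 sorts after 2;
    plain string comparison would get that wrong.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def in_affected_range(version: str) -> bool:
    """True when the version lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def audit_inventory(records: Iterable[dict]) -> dict[str, list[str]]:
    """Group device identifiers into 'affected', 'not_affected' and 'unknown'.

    A record whose version is missing or unparseable is reported as 'unknown'
    rather than silently treated as safe.
    """
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for rec in records:
        dev = rec["device_id"]
        try:
            bucket = "affected" if in_affected_range(rec["os_version"]) else "not_affected"
        except (ValueError, KeyError):
            bucket = "unknown"
        result[bucket].append(dev)
    return result


# Constructed sample inventory; these are not real devices or real telemetry.
SAMPLE_INVENTORY = [
    {"device_id": "iphone-a", "os_version": "17.2.1"},   # last affected build
    {"device_id": "iphone-b", "os_version": "17.3"},     # first build above the range
    {"device_id": "iphone-c", "os_version": "13.0"},     # first affected build
    {"device_id": "iphone-d", "os_version": "12.5.7"},   # below the range
    {"device_id": "iphone-e", "os_version": "17.10"},    # hypothetical value: numerically above 17.2.1
    {"device_id": "iphone-f", "os_version": "n/a"},      # unparseable inventory entry
]

if __name__ == "__main__":
    for status, ids in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Feed it the OS version column exported from an MDM or asset inventory; the "unknown" bucket is deliberately separate so that devices with missing telemetry are chased up rather than counted as patched.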

Source: The Hacker News