INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Apple patches Coruna exploit kit flaws for older iOS versions
2026-03-12 17:49 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
Coruna (aka CryptoWaters) is an iOS exploit kit that Google Threat Intelligence Group (GTIG) publicly described on March 3, 2026. It bundles 23 exploits into five full exploit chains covering iOS 13.0 (released September 2019) through 17.2.1 (released December 2023); the current iOS release is not affected. GTIG first captured parts of the kit in February 2025 from a customer of a commercial surveillance vendor. In summer 2025 suspected Russian cyberspies tracked as UNC6353 deployed the same obfuscated JavaScript framework in watering hole attacks on compromised Ukrainian websites (ecommerce, industrial equipment, retail tools and local services). By late 2025 the framework was hosted on a very large set of fake Chinese finance, gambling and cryptocurrency websites, where the financially motivated China-based actor UNC6691 used it to drop the PlasmaLoader (PLASMAGRID) stager and steal cryptocurrency wallets. Two of the kit's bugs (CVE-2023-32434 and CVE-2023-38606) were among the zero-days used in Operation Triangulation, although Kaspersky sees no evidence of code reuse that would tie the two to the same authors. As of March 12, 2026 Apple has shipped fixes for the Coruna vulnerabilities to older devices that cannot run the latest iOS; on current branches the individual vulnerabilities were already fixed in updates released in 2023 and 2024 (CVE-2023-43000 in iOS 16.6; CVE-2024-23222 in iOS 17.3 and 16.7.5). The practical point is that a device on any iOS version from 13.0 to 17.2.1 can be fully compromised, through to the kernel, by loading a web page on a compromised or attacker-controlled site.
Technical Mitigations (AI-generated)
* Update every iPhone and iPad to the latest iOS/iPadOS release; Coruna's chains stop at iOS 17.2.1 and GTIG states the kit is not effective against the current version. Check with Settings > General > Software Update and turn on Automatic Updates.
* For devices that cannot run the latest iOS, install the March 2026 Apple security updates for their branch, which backport the Coruna fixes to older hardware. Until then, treat any device on iOS 13.0 through 17.2.1 as exploitable by simply loading a web page.
* Block and alert on the delivery domain cdn.uacounter[.]com and the infrastructure listed in GTIG's indicators of compromise; Google has added the identified websites and domains to Safe Browsing.
* Hunt for the post-exploitation implant: PlasmaLoader (PLASMAGRID) is injected into the powerd root daemon, AES-encrypts stolen data to hardcoded C2 addresses, and falls back to a DGA that emits 15-character .xyz domains checked for liveness through Google's public DNS resolver. Mobile devices resolving directly against Google public DNS, and bursts of NXDOMAIN lookups for .xyz names, are usable network signals.
* Third-party security apps on iOS run sandboxed and cannot inspect WebKit or kernel memory, so they are no substitute for patching. Generic advice about public Wi-Fi and VPNs does not address this threat: the kit is delivered by the web content of compromised or attacker-owned sites, which a VPN does not prevent.
Technical Observables
* cdn.uacounter[.]com: hosted the obfuscated JavaScript delivery framework, loaded as a hidden iFrame on compromised Ukrainian websites (July 2025).
* Hidden iFrame injected only when the page is visited from an iOS device; the framework fingerprints the device (real-device check, iPhone model, iOS version) before selecting a WebKit RCE exploit and a PAC bypass.
* PlasmaLoader / PLASMAGRID stager injected into the powerd root daemon; decodes QR codes from images; modules target MetaMask, Phantom, Exodus, BitKeep, Uniswap, Base and Bitget Wallet; exfiltration AES-encrypted to hardcoded C2 addresses.
* DGA seeded with the string "lazarus", producing 15-character .xyz domains, validated via Google's public DNS resolver.
* Exploit codenames from GTIG: cassowary (CVE-2024-23222), Neutron (CVE-2020-27932), Photon (CVE-2023-32434), Gallium (CVE-2023-38606).
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Operation Triangulation
* UNC6353 (suspected Russian espionage)
* UNC6691 (financially motivated, China-based)
* PlasmaLoader / PLASMAGRID
* CVE-2022-48503
* CVE-2023-43000
* CVE-2023-41974
* CVE-2020-27932
* CVE-2024-23222
* CVE-2023-38606
* CVE-2023-32434
Target & Sectors
* Regions: UA, CN, RU
* Sectors: finance, government, retail
Incident Timeline
September 2019
Apple releases iOS 13.0, the oldest version covered by Coruna's exploit chains. Internally known as Coruna, the kit comprises 23 distinct vulnerabilities that target iOS versions 13.0 through 17.2.1 (released in September 2019 and December 2023 respectively), used in five unique full exploit chains. Google warned about the kit on March 3, 2026.
June 2023
Kaspersky uncovers Operation Triangulation after discovering that several iPhones on its own network had been compromised. Some of the Coruna exploits reuse vulnerabilities first identified during that campaign.
July 2023
Apple fixes CVE-2023-43000, a WebKit use-after-free later used by Coruna, in iOS 16.6 and iPadOS 16.6.
December 2023
Apple releases iOS 17.2.1, the newest version Coruna's chains can exploit. The Coruna kit contains five full iOS exploit chains, the most sophisticated leveraging non-public techniques and mitigation bypasses, for iOS versions 13.0 through 17.2.1. The chain for the newest versions relies on WebKit vulnerabilities (CVE-2023-43000 and CVE-2024-23222) that can be triggered by processing maliciously crafted web content, and then gains kernel privileges by abusing a separate kernel vulnerability tracked as CVE-2023-41974.
In its latest security updates, Apple patched the vulnerabilities used in the Coruna exploit kit for older mobile devices that can no longer be updated to the latest iOS version. For newer iOS versions, the patches for the individual vulnerabilities were already shipped in iOS 16.6 through 17.3 updates released in 2023 and 2024.
How to update your iPhone or iPad
For iOS and iPadOS users, here's how to check if you're using the latest software version: go to Settings > General > Software Update.
January 22, 2024
Apple fixes CVE-2024-23222, a type confusion bug in WebKit that had been exploited in zero-day attacks, in iOS 17.3 and iPadOS 17.3, with a backport to iOS 16.7.5 and iPadOS 16.7.5. This is the WebKit bug Coruna uses for remote code execution on iOS 17.2.1.
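A fleet-level version check built from the patch dates above, as an added example for this page (not Google's, Apple's or any vendor's code): given an MDM export of device iOS versions, it reports which devices sit inside Coruna's 13.0 to 17.2.1 chain range and which of the two dated WebKit fixes (CVE-2023-43000 in iOS 16.6, CVE-2024-23222 in iOS 17.3 and 16.7.5) each device still lacks. The inventory is constructed sample data, and the id-to-version export format it mimics is an assumption.

```python
"""Fleet exposure check for the Coruna iOS version ranges.

Added example for this page; it is not Google's, Apple's or any vendor's
code. It encodes only the version facts stated on the page: Coruna's
chains cover iOS 13.0 through 17.2.1, CVE-2023-43000 was fixed in iOS
16.6, and CVE-2024-23222 was fixed in iOS 17.3 with a backport to 16.7.5.
The inventory at the bottom is constructed sample data, and the MDM export
format it mimics (device id -> version string) is an assumption.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, int, int]:
    """'17.3' -> (17, 3, 0) so that tuple comparison works across formats."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


# First fixed version on each release branch, keyed by major version.
# Only fixes the page states are listed; if the versions of Apple's March
# 2026 updates for older branches (e.g. iOS 15.x) are known for your fleet,
# add them here.
FIXES: dict[str, dict[int, str]] = {
    "CVE-2023-43000": {16: "16.6"},                # WebKit use-after-free
    "CVE-2024-23222": {17: "17.3", 16: "16.7.5"},  # WebKit type confusion
}

CORUNA_MIN = parse_version("13.0")
CORUNA_MAX = parse_version("17.2.1")


def in_coruna_range(version: str) -> bool:
    """True if the device runs a version Coruna has a full chain for."""
    return CORUNA_MIN <= parse_version(version) <= CORUNA_MAX


def unpatched_cves(version: str) -> list[str]:
    """CVEs from FIXES for which this version has no fix installed.

    A device on a major version newer than every fixed branch is treated as
    patched (the fix shipped before it). A device on a branch with no listed
    backport is treated as unpatched, which is the conservative answer.
    """
    dev = parse_version(version)
    major = dev[0]
    missing = []
    for cve, branches in FIXES.items():
        if major > max(branches):
            continue
        fix = branches.get(major)
        if fix is None or dev < parse_version(fix):
            missing.append(cve)
    return missing


def triage(inventory: dict[str, str]) -> dict[str, dict]:
    """Per-device verdict: chain coverage plus individually missing fixes."""
    return {
        device: {
            "version": version,
            "coruna_chain_range": in_coruna_range(version),
            "unpatched": unpatched_cves(version),
        }
        for device, version in inventory.items()
    }


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = {
    "exec-01": "18.3",
    "field-07": "17.2.1",
    "kiosk-02": "16.7.5",
    "legacy-11": "15.8.5",
}

if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_INVENTORY).items():
        print(device, verdict)
```

Branches without a stated backport are reported as unpatched on purpose: a device on iOS 15.x shows both CVEs missing until the version of the March 2026 update Apple shipped for that branch is added to FIXES.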
February 2025
Google Threat Intelligence Group (GTIG) researchers first observe activity related to the Coruna exploit kit after capturing "parts of an iOS exploit chain used by a customer of a surveillance company," with the exploits integrated into a never-before-seen JavaScript framework (MITRE ATT&CK T1059.007, JavaScript). The kit is said to have circulated among multiple threat actors from this point, moving from a commercial surveillance operation to a government-backed attacker, and finally to a financially motivated threat actor operating from China by December.
Summer 2025 (July 2025)
Suggesting some degree of Russian use, GTIG sees suspected Russian cyberspies tracked as UNC6353 deploy the same obfuscated framework in watering hole attacks on compromised Ukrainian websites related to industrial equipment, local services, ecommerce and retail tools. In July 2025 the JavaScript framework was detected on the domain cdn.uacounter[.]com, which was loaded as a hidden iFrame on the compromised sites.
Late 2025
The same framework is hosted by "a very large set of fake Chinese websites," most of them related to finance, gambling and cryptocurrency. The sites instruct visitors to open them from an iPhone or iPad for a better experience; when accessed from an iOS device, a hidden iFrame is injected to deliver the exploit kit.
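The iOS-gated hidden-iFrame delivery described above is something a crawler can test for directly: fetch the same URL once with a desktop User-Agent and once with an iOS User-Agent, then diff the hidden third-party frames. The following is an added example for this page, not Google's code and not the Coruna framework itself. The two HTML responses are constructed sample data; cdn.uacounter[.]com is the delivery domain reported for the July 2025 Ukrainian watering holes and is written defanged, refanged only for hostname comparison.

```python
"""Detect iOS-gated hidden iFrame injection of the kind described above.

Added example; not Google's code and not the Coruna framework itself. It
models the delivery pattern the page describes: a site that asks visitors
to open it on an iPhone or iPad, and that injects a hidden iFrame to a
third-party host only when the request looks like it comes from iOS. The
two HTML responses below are constructed sample data standing in for what
a crawler would fetch once with a desktop User-Agent and once with an iOS
User-Agent. cdn.uacounter[.]com is the delivery domain reported for the
July 2025 Ukrainian watering holes; it is written defanged and refanged
only for hostname comparison.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"cdn.uacounter.com"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "opacity:0")


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs: dict) -> bool:
    """Heuristic: hidden attribute, hiding CSS, or zero-sized frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs or any(m in style for m in HIDDEN_STYLE_MARKERS):
        return True
    zero = {"0", "0px"}
    return (
        (attrs.get("width") or "").strip() in zero
        or (attrs.get("height") or "").strip() in zero
        or "width:0" in style
        or "height:0" in style
    )


def find_hidden_iframes(html: str, page_host: str) -> list[dict]:
    """Hidden iFrames whose src points off the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = (attrs.get("src") or "").replace("[.]", ".")  # refang IOCs
        host = urlparse(src).hostname or page_host            # relative src
        if host != page_host and is_hidden(attrs):
            findings.append({"src": src, "host": host,
                             "known_ioc": host in KNOWN_BAD_HOSTS})
    return findings


def ios_gated_iframes(desktop_html: str, ios_html: str, page_host: str) -> list[dict]:
    """Hidden third-party iFrames served to an iOS UA but not to desktop."""
    seen_on_desktop = {f["src"] for f in find_hidden_iframes(desktop_html, page_host)}
    return [f for f in find_hidden_iframes(ios_html, page_host)
            if f["src"] not in seen_on_desktop]


# Constructed responses for the same URL fetched with two User-Agents.
DESKTOP_HTML = """
<html><body>
<h1>Welcome</h1>
<p>Open this page on your iPhone or iPad for a better experience.</p>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>
"""

IOS_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/promo" style="display:none"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.uacounter[.]com/" style="display: none; width: 0; height: 0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in ios_gated_iframes(DESKTOP_HTML, IOS_HTML, "shop.example"):
        print(finding)
```

Same-origin hidden frames and visible embeds are ignored on purpose; what remains after the User-Agent diff is the off-host frame that only an iOS visitor receives, which is the gating behaviour the page describes, and the known_ioc flag tells the analyst whether the host already matches published infrastructure.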
November 11, 2025
Threat actors used a previously unknown exploit kit to target older iOS versions.
December 2025
The JavaScript framework is detected in the wild for the third time. By this point the kit has reached a financially motivated actor operating from China, tracked as UNC6691, which uses it for cryptocurrency theft.
March 3, 2026
Google publishes GTIG's analysis and warns about a powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023): five full exploit chains and 23 exploits in total. All websites and domains identified during the analysis are added to Safe Browsing.
2026-03-12
Apple patches the Coruna exploit kit flaws for older iOS versions that can no longer be updated to the latest release; on current branches the individual vulnerabilities were already fixed in 2023 and 2024 updates.
Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. "The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses," according to GTIG.
A previously undocumented set of 23 iOS exploits named "Coruna" has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks. A mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.
In the cryptocurrency-theft campaign, a cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience. Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222. At the time, researchers obtained the JavaScript delivery framework along with the exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1. Further analysis of the threat actor's infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains. A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified.
The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running. It then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. "Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation," Google said.
Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below -
* CVE-2024-23222 ("cassowary", 8.8): WebKit type confusion giving RCE on iOS 17.2.1; fixed in iOS 17.3 and 16.7.5.
* CVE-2023-43000: WebKit use-after-free; fixed in iOS 16.6.
* CVE-2023-41974: kernel vulnerability used to gain kernel privileges after the WebKit bugs above.
* CVE-2022-48503: deployed in the framework alongside CVE-2024-23222 and CVE-2023-43000.
* CVE-2020-27932 ("Neutron", 7.8): kernel type confusion.
* CVE-2023-32434 ("Photon", 7.8): gives full control of the kernel; also a zero-day in Operation Triangulation.
* CVE-2023-38606 ("Gallium", 5.5): bypasses hardware-level protections via a previously undocumented feature of Apple's chips; also a zero-day in Operation Triangulation.
[Figure: Coruna exploit chain for iOS 15.8.5. Source: Google]
infrastructure
Android
Keep threats off your mobile devices by
downloading Malwarebytes for iOS
, and
Malwarebytes for Android
today.
organisation
UNC6353
The same obfuscated framework was observed again in summer, when suspected Russian cyberspies tracked as UNC6353 deployed it in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites for ecommerce, industrial equipment and retail tools, and local services.
organisation
Kaspersky
Russian cybersecurity outfit Kaspersky is waving away claims that an iPhone exploit kit recently uncovered by Google was developed by the same people who were behind a group of zero-days that allegedly compromised thousands of Russian diplomats in a 2023 campaign.
organisation
Google
Russian cybersecurity outfit Kaspersky is waving away claims that an iPhone exploit kit recently uncovered by Google was developed by the same people who were behind a group of zero-days that allegedly compromised thousands of Russian diplomats in a 2023 campaign.
Google said it identified a "new and powerful" exploit kit dubbed
Coruna
(aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
Google attributes the activity to the financially motivated Chinese threat actor UNC6691.
organisation
iPhone
A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience.
organisation
iPad
A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience.
organisation
WebKit
At the time, researchers obtained the JavaScript delivery framework along with the exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1.
The exploits deployed as part of the framework consisted of CVE-2024-23222,
CVE-2022-48503
, and
CVE-2023-43000
, the last of which is a use-after-free flaw in WebKit.
organisation
PlasmaLoader
Coruna exploit chain for iOS 15.8.5
Source: Google
Dropping PlasmaGrid
GTIG's analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid, that is injected into the ‘powerd’ iOS root daemon.
"
UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that's designed to decode QR codes from images and run additional modules retrieved from an external server, allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask, among others.
organisation
PlasmaGrid
Coruna exploit chain for iOS 15.8.5
Source: Google
Dropping PlasmaGrid
GTIG's analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid, that is injected into the ‘powerd’ iOS root daemon.
organisation
Safe Browsing
"
Google has added to Safe Browsing all websites and domains identified while analyzing the Coruna exploit kit, and recommends iOS users to upgrade to the latest version.
infrastructure
13.0
Google said it identified a "new and powerful" exploit kit dubbed
Coruna
(aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
infrastructure
17.2.1
Google said it identified a "new and powerful" exploit kit dubbed
Coruna
(aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified.
organisation
Apple
Google said it identified a "new and powerful" exploit kit dubbed
Coruna
(aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
Apple patches Coruna exploit kit flaws for older iOS versions.
CVE-2023-38606 goes a step further: it exploited a previously undocumented feature of Apple's own chips to bypass security protections that operate at the hardware level.
organisation
CryptoWaters
Google said it identified a "new and powerful" exploit kit dubbed
Coruna
(aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
organisation
CVE-2024-23222
Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222.
organisation
AES
The stolen data is encrypted with AES prior to exfiltration and sent to hardcoded C2 addresses.
organisation
CVE-2020-27932
CVE-2024-23222 (8.8), a WebKit bug, was codenamed "cassowary," for example, and CVE-2020-27932 (7.8), a kernel type confusion flaw, was referred to as "Neutron," to name only two.
organisation
CVE-2023-43000
The exploits deployed as part of the framework consisted of CVE-2024-23222,
CVE-2022-48503
, and
CVE-2023-43000
, the last of which is a use-after-free flaw in WebKit.
organisation
CVE-2022
The exploits deployed as part of the framework consisted of CVE-2024-23222,
CVE-2022-48503
, and
CVE-2023-43000
, the last of which is a use-after-free flaw in WebKit.
organisation
PAC
The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass.
organisation
iPhones
"
Through various campaigns since then, GTIG learned more about its makeup, with the most advanced exploits using non-public techniques bundled into novel
JavaScript
frameworks to pwn iPhones.
organisation
Operation Triangulation
While GTIG made no such suggestions itself, the crossover between some of the same vulnerabilities used in 2023's Operation Triangulation, which
Moscow alleged was a National Security Agency job
, and those that comprise Coruna, raised questions about how involved the US was in the development and/or use of the exploit kit.
organisation
National Security Agency
While GTIG made no such suggestions itself, the crossover between some of the same vulnerabilities used in 2023's Operation Triangulation, which
Moscow alleged was a National Security Agency job
, and those that comprise Coruna, raised questions about how involved the US was in the development and/or use of the exploit kit.
organisation
CVE-2023-32434
The crossover with Operation Triangulation
Of particular interest were CVE-2023-32434 (7.8) and CVE-2023-38606 (5.5), codenamed Photon and Gallium respectively, two vulnerabilities that were exploited as part of the four zero-days that underpinned Operation Triangulation.
organisation
CVE-2023-38606
The crossover with Operation Triangulation
Of particular interest were CVE-2023-32434 (7.8) and CVE-2023-38606 (5.5), codenamed Photon and Gallium respectively, two vulnerabilities that were exploited as part of the four zero-days that underpinned Operation Triangulation.
organisation
Operation Triangulation
Of
The crossover with Operation Triangulation
Of particular interest were CVE-2023-32434 (7.8) and CVE-2023-38606 (5.5), codenamed Photon and Gallium respectively, two vulnerabilities that were exploited as part of the four zero-days that underpinned Operation Triangulation.
organisation
Photon and Gallium
The crossover with Operation Triangulation
Of particular interest were CVE-2023-32434 (7.8) and CVE-2023-38606 (5.5), codenamed Photon and Gallium respectively, two vulnerabilities that were exploited as part of the four zero-days that underpinned Operation Triangulation.
organisation
FSB
Operation Triangulation was itself publicized by Kaspersky in 2023, which
the FSB alleged at the time was a National Security Agency job
.
organisation
UNC6691
Google attributes the activity to the financially motivated Chinese threat actor UNC6691.
The activity is attributed to a threat cluster tracked as UNC6691.
organisation
Uniswap
It downloads from a command-and-control (C2) server additional modules that target cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap.
organisation
DGA
For takedown resilience, the implant also includes a domain generation algorithm (DGA) seeded with the string "lazarus" that produces .xyz domains.
"The implant embeds a custom domain generation algorithm (DGA) using the string 'lazarus' as a seed to generate a list of predictable domains.
organisation
iVerify
Mobile security company
iVerify says
that Coruna is one of the clearest examples to date of "sophisticated spyware-grade capabilities" that migrated "from commercial surveillance vendors into the hands of nation-state actors and, ultimately, mass-scale criminal operations.
Rocky Cole, cofounder of iVerify, told
Wired
after reviewing Coruna's code that he believed the US may have been behind Coruna's development.
organisation
Wired
Rocky Cole, cofounder of iVerify, told
Wired
after reviewing Coruna's code that he believed the US may have been behind Coruna's development.
organisation
GTIG
Apart from the vulnerabilities included in the Corona exploit kit and their codenames, GTIG's report also includes indicators of compromise for the implant and modules delivered via the cryptocurrency-related websites, and attack infrastructure.
organisation
The Red Report 2026
The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
organisation
The Register
"
However, Boris Larin, principal security researcher at Kaspersky GReAT, told
The Register
on Wednesday: "We see no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors."
What is Coruna?
organisation
Triangulation
It also remains entirely possible that Photon and Gallium were stripped from the Triangulation exploit package and added to Coruna after Kaspersky uncovered the attacks, or were unwittingly mimicked by equally talented attackers.
organisation
TLD
The domains will have 15 characters and use .xyz as a TLD.
organisation
DNS
The attackers use Google's public DNS resolver to validate if the domains are active.
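The page gives the DGA's seed, the 15-character length and the .xyz TLD but not the algorithm, so its domain list cannot be reproduced here. What can be hunted are the two network side effects it does describe: lookups of 15-character .xyz names and use of Google's public resolver for the liveness check. The following is an added example for this page, not GTIG's code and not the implant's DGA. The log format, the corporate resolver address (10.0.0.53) and the sample lines are constructed; reading "15 characters" as the length of the label directly under .xyz is an assumption.

```python
"""DNS-log hunt for the PlasmaLoader fallback behaviour described above.

Added example; not GTIG's code and not the implant's DGA (the page gives
the seed string, the 15-character length and the .xyz TLD, but not the
algorithm, so this does not try to reproduce the domain list). It hunts
for the two network side effects the page does describe: lookups of
15-character .xyz names, and use of Google's public resolver instead of
the corporate one. The log format, the corporate resolver address
(10.0.0.53) and the sample lines are all constructed; adapt the regex to
your resolver's export. Reading "15 characters" as the length of the
label directly under .xyz is an assumption.
"""
from __future__ import annotations

import math
import re
from collections import Counter

DGA_LABEL_LEN = 15
DGA_TLD = "xyz"
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "dns.google"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) resolver=(?P<resolver>\S+) "
    r"q=(?P<q>\S+) type=(?P<type>\S+) rcode=(?P<rcode>\S+)$"
)


def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking DGA labels score near log2(len)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def dga_candidate(qname: str) -> bool:
    """True for <15-char label>.xyz, ignoring any deeper subdomain labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != DGA_TLD:
        return False
    return len(labels[-2]) == DGA_LABEL_LEN


def classify(record: dict) -> list[str]:
    """Reasons a single parsed query record is worth an analyst's time."""
    reasons = []
    if dga_candidate(record["q"]):
        reasons.append("dga_pattern_15char_xyz")
    if record["resolver"] in GOOGLE_PUBLIC_DNS:
        reasons.append("google_public_resolver")
    return reasons


def hunt(lines: list[str]) -> list[dict]:
    """Parse log lines and return only the records that matched a reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or foreign line
        rec = m.groupdict()
        reasons = classify(rec)
        if reasons:
            labels = rec["q"].rstrip(".").split(".")
            rec["label_entropy"] = round(shannon_entropy(labels[-2]), 3) if len(labels) >= 2 else 0.0
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def dga_hits_by_source(hits: list[dict]) -> dict[str, int]:
    """Count DGA-pattern lookups per client; a burst from one device,
    NXDOMAIN answers included, is the liveness-probe loop."""
    counts = Counter(h["src"] for h in hits if "dga_pattern_15char_xyz" in h["reasons"])
    return dict(counts)


# Constructed sample log (not real traffic).
SAMPLE_LOG = """
2025-12-04T10:15:01Z src=10.20.30.41 resolver=10.0.0.53 q=www.apple.com type=A rcode=NOERROR
2025-12-04T10:15:02Z src=10.20.30.41 resolver=8.8.8.8 q=qzkv8w2hx4nprt7.xyz type=A rcode=NXDOMAIN
2025-12-04T10:15:02Z src=10.20.30.41 resolver=8.8.8.8 q=m3b7xk9wq2ndfh5.xyz type=A rcode=NXDOMAIN
2025-12-04T10:15:03Z src=10.20.30.41 resolver=8.8.8.8 q=r8t2vp6kzj4wmc9.xyz type=A rcode=NOERROR
2025-12-04T10:16:10Z src=10.20.30.77 resolver=10.0.0.53 q=shop.example.xyz type=A rcode=NOERROR
2025-12-04T10:16:11Z src=10.20.30.77 resolver=8.8.8.8 q=www.google.com type=A rcode=NOERROR
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.strip().splitlines())
    for h in hits:
        print(h["src"], h["q"], h["reasons"], h["label_entropy"])
    print(dga_hits_by_source(hits))
```

A single Google-resolver lookup is weak on its own (many apps do it), which is why the per-source count of DGA-pattern names is the field to alert on: one device walking several 15-character .xyz names through 8.8.8.8, mostly getting NXDOMAIN and then one NOERROR, is the pattern that a seeded DGA with a liveness check produces.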
Tactical Metrics
Affected Product: iOS
The threat actor used fake finance and crypto-related websites to deliver the exploit kit by trying to convince visitors to use iOS devices when loading the pages.
A previously undocumented set of 23 iOS exploits named “Coruna” has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks.
Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks.
The Coruna kit contains five full iOS exploit chains, the most sophisticated leveraging non-public techniques and mitigation bypasses, for iOS versions 13.0 through 17.2.1 (released in December 2023).
At the time, researchers obtained the JavaScript delivery framework along with the exploit for CVE-2024-23222, a WebKit vulnerability that enables remote code execution on iOS 17.2.1.
Apple had addressed the flaw in iOS 17.3 on January 22, 2024, after it was exploited in zero-day attacks.
[Figure: Coruna exploit chain for iOS 15.8.5. Source: Google]
Dropping PlasmaGrid
GTIG's analysis found that one of the final payloads delivered after a Coruna exploit chain was a stager loader called PlasmaLoader, which the researchers track as PlasmaGrid, that is injected into the ‘powerd’ iOS root daemon.
Google has added to Safe Browsing all websites and domains identified while analyzing the Coruna exploit kit, and recommends iOS users to upgrade to the latest version.
Internally known as Coruna, the kit comprises 23 distinct vulnerabilities that target iOS versions 13-17.2.1, released in September 2019 and December 2023 respectively, which in turn are used in five unique full exploit chains.
The company first started tracking Coruna in February 2025, after capturing "parts of an iOS exploit chain used by a customer of a surveillance company."
The websites were crafted to encourage users to visit them on their iOS devices, and in doing so, the hidden iFrame was injected and the exploit kit was installed.
"CVE-2023-32434 gives an attacker full control over the deepest layer of iOS – the kernel, which governs everything the phone does."
A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience.
Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1.
Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said.
It's not effective against the latest version of iOS.
"The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses," according to GTIG.
The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment.
Google said it first captured parts of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework.
The framework is designed to fingerprint the device to determine if it's real and gather details, including the specific iPhone model and iOS software version it is running.
The exploit in question relates to CVE-2024-23222, a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3 and iOS 16.7.5 and iPadOS 16.7.5.
It's worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023.
Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222.
Further analysis of the threat actor's infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains.
A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified.
Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below -
"Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation," Google said.
Apple patches Coruna exploit kit flaws for older iOS versions.
On March 3, 2026, Google warned about a powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).
In the latest security updates, Apple patched the vulnerabilities used in the Coruna exploit kit for older mobile devices that can no longer be updated to the latest iOS version.
For newer iOS versions, patches associated with the Coruna exploit were already shipped in iOS 16.6 through 17.2 in updates released in 2023 and 2024.
How to update your iPhone or iPad
For iOS and iPadOS users, here's how to check if you're using the latest software version: go to Settings > General > Software Update.
Keep threats off your mobile devices by downloading Malwarebytes for iOS and Malwarebytes for Android today.
Intelligence Sources
BleepingComputer (2026-03-04)
The Register - Cybercrime (2026-03-04): Kaspersky dismisses claims Coruna iPhone exploit kit is connected to NSA-linked operation
The Hacker News (2026-03-04)
Malwarebytes (2026-03-12)
Incident Version History: current version, last updated 2026-04-27T10:45
Comprehensive Tactical Telemetry
Highly Correlated Entities
37x organisation (Identified Entity): UNC6353
20x timeline (Temporal Reference): January 22, 2024
7x attribution (Attributing Entity): Surveillance
7x vulnerability (Exploited CVE): CVE-2024-23222
5x tactic (Cyber Operation Type): Espionage
4x source region (Origin Country): Russian Federation
4x infrastructure (Software Version): 13.0
4x tactic (MITRE ATT&CK Technique): T1059.007 - JavaScript
3x industry (Targeted Sector): Retail
3x target region (Target Country): Ukraine
2x infrastructure (Affected Product): iOS
2x campaign (Campaign): Operation Triangulation
Contextual Telemetry
Context Block (7 metrics)
Exploits: 23
iOS Versions: 13
Red Report: 2,026
Malicious Samples: 1,100,000
Top Techniques: 10
iPadOS: 17
Characters: 15