Google has uncovered a sophisticated exploit kit named Coruna that targeted iPhones running iOS versions 13.0 through 17.2.1 using a series of advanced security bypasses. The kit passed from commercial surveillance groups to state-sponsored actors and eventually to cybercriminals, marking a rare instance of elite-grade spyware being used for mass exploitation.
Google Threat Intelligence Group identified Coruna as a highly engineered framework containing 23 individual exploits and five complete exploit chains. While the toolkit is ineffective against the most recent iOS updates, its technical depth is notable for using non-public techniques and seamless integration across its various components. Security researchers first observed the kit in early 2025, noting that it represents a significant leap in the technical capabilities available to a wide range of threat actors.
The kit's journey through different hands highlights a growing secondary market for zero-day vulnerabilities. It initially appeared within commercial surveillance operations before being adopted by government-linked groups and finally landing with financially motivated attackers based in China. This migration suggests that once-exclusive cyber weapons are now being recycled and sold, allowing less sophisticated groups to launch high-level attacks against Apple users.
Technical analysis of the framework shows it begins by using a JavaScript-based system to fingerprint a target device. By verifying the specific iPhone model and software version, the kit ensures it only deploys the most effective code for that specific hardware. This precision allows it to bypass modern security features like pointer authentication codes (PAC), which cryptographically sign pointers so that a tampered return address or function pointer is rejected instead of being used to redirect execution.
A critical part of the attack chain involves a type confusion vulnerability in WebKit, the engine that powers the Safari browser. By exploiting this flaw, attackers could achieve remote code execution on a device simply by having the user visit a malicious website. Although Apple released patches for these specific vulnerabilities in early 2024, the Coruna kit remained effective against any users who had not yet updated their devices to iOS 17.3 or later.
Security experts at iVerify noted that Coruna shares structural similarities with older frameworks linked to Western government operations, suggesting a long lineage of development. Its shift from highly targeted surveillance to broad, mass-scale deployment signals a dangerous trend in mobile security. The discovery underscores the vital importance of rapid software updates, as even the most complex exploit chains eventually lose their power once a patch is widely adopted.
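For defenders, the version range given above (iOS 13.0 through 17.2.1, with 17.3 or later outside it) translates directly into a fleet check. The following is an added example, not code from Google's report or the source article; the inventory format and device ids are constructed assumptions.

```python
import re

# Range stated in the article: iOS 13.0 through 17.2.1; 17.3 or later is outside it.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Accepts "17.2.1", "iOS 16.7.10", "17.2", or a version followed by "(build)".
_VERSION_RE = re.compile(
    r"^\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(?:\(.*\))?\s*$", re.I
)

def parse_ios_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not a version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())

def classify(version_text):
    """Place a reported version relative to the range the article gives."""
    v = parse_ios_version(version_text)
    if v is None:
        return "unknown"        # missing or malformed report: needs manual follow-up
    if v < AFFECTED_MIN:
        return "below-range"    # older than 13.0; the article makes no claim about it
    if v <= AFFECTED_MAX:
        return "in-range"       # 13.0 through 17.2.1: update to 17.3 or later
    return "above-range"

def triage(inventory):
    """Group device ids by classification. inventory: iterable of (id, version)."""
    result = {"in-range": [], "above-range": [], "below-range": [], "unknown": []}
    for device_id, version_text in inventory:
        result[classify(version_text)].append(device_id)
    return result

# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = [
    ("dev-01", "17.2.1"),
    ("dev-02", "17.3"),
    ("dev-03", "iOS 16.7.10"),
    ("dev-04", "9.3.5"),        # a plain string comparison would sort this above "13.0"
    ("dev-05", "13.0"),
    ("dev-06", ""),
    ("dev-07", "18.1 (build)"),
]

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Versions are compared as integer tuples because string comparison misorders multi-digit components, and devices with an unparseable version land in their own bucket so they are not silently counted as safe.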
Source: Coruna iOS Exploit Kit Uses 23 Bugs Across Chains Targeting iOS 13–17.2.1


