Coruna iOS Exploit Kit Unleashes 23 Vulnerabilities Across Five Chains Targeting iOS 13-17.2.1 Devices


Coruna Exploit Kit Targets Apple iPhone Devices

A sophisticated exploit kit, known as Coruna, has been identified by Google’s Threat Intelligence Group (GTIG) as targeting Apple iPhone devices running iOS versions between 13.0 and 17.2.1.

Technical Capabilities

According to GTIG, the Coruna exploit kit is not effective against the latest version of iOS. The kit’s technical capabilities lie in its comprehensive collection of iOS exploits, including non-public exploitation techniques and mitigation bypasses.

The framework surrounding the exploit kit is well-engineered, with the exploit pieces connected naturally and combined using common utility and exploitation frameworks.

History of the Exploit Kit

The Coruna exploit kit has been circulating among multiple threat actors since February 2025. It was initially used by a commercial surveillance operation, then by a government-backed attacker, and finally, by December, by a financially motivated threat actor operating from China.

Similarities to Previous Frameworks

Mobile security vendor iVerify noted that the Coruna exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

iVerify stated that Coruna is one of the most significant examples of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations.

Discovery and Detection

The Coruna exploit kit was first identified by Google in early 2025, when parts of an iOS exploit chain used by a customer of an unnamed surveillance company were captured.

In July 2025, the same JavaScript framework was detected on the domain “cdn.uacounter[.]com,” which was loaded as a hidden iFrame on compromised Ukrainian websites.

The Coruna exploit kit was detected again in December 2025, when a cluster of fake Chinese websites, most of them related to finance, was found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience.

Exploits and Targets

A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified.

  • Neutron – CVE-2020-27932 (versions 13.x)
  • Dynamo – CVE-2020-27950 (versions 13.x)
  • buffout – CVE-2021-30952 (versions 13-15.1.1)
  • jacurutu – CVE-2022-48503 (versions 15.2-15.5)
  • IronLoader – CVE-2023-32409 (versions 16.0-16.3.1)
  • Photon – CVE-2023-32434 (versions 14.5-15.7.6)
  • Gallium – CVE-2023-38606 (versions 14.x)
  • Parallax – CVE-2023-41974 (versions 16.4-16.7)
  • terrorbird – CVE-2023-43000 (versions 16.2-16.5.1)
  • cassowary – CVE-2024-23222 (versions 16.6-17.2.1)
  • Sparrow – CVE-2024-23225 (versions 17.0-17.3)
  • Rocket – CVE-2024-23296 (versions 17.1-17.4)

Countermeasures

To counter the threat, iPhone users are advised to keep their devices up to date and enable Lockdown Mode for enhanced security.

Notably, the Coruna exploit kit skips execution when the device is in Lockdown Mode or the user is in private browsing.
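
For teams acting on the "keep devices up to date" advice, the following Python is an added example, not code from GTIG, iVerify or this article's author. It parses the version-range notation used in the list above and reports which listed CVEs cover each device in a fleet inventory. The device names, the sample inventory and the treatment of short version bounds (zero-padded, inclusive) are assumptions.

```python
import math

# Exploit name, CVE and version range exactly as listed in this article.
LISTED = [
    ("Neutron", "CVE-2020-27932", "13.x"), ("Dynamo", "CVE-2020-27950", "13.x"),
    ("buffout", "CVE-2021-30952", "13-15.1.1"), ("jacurutu", "CVE-2022-48503", "15.2-15.5"),
    ("IronLoader", "CVE-2023-32409", "16.0-16.3.1"), ("Photon", "CVE-2023-32434", "14.5-15.7.6"),
    ("Gallium", "CVE-2023-38606", "14.x"), ("Parallax", "CVE-2023-41974", "16.4-16.7"),
    ("terrorbird", "CVE-2023-43000", "16.2-16.5.1"), ("cassowary", "CVE-2024-23222", "16.6-17.2.1"),
    ("Sparrow", "CVE-2024-23225", "17.0-17.3"), ("Rocket", "CVE-2024-23296", "17.1-17.4"),
]
KIT_RANGE = "13.0-17.2.1"  # overall range the article gives for the kit

def parse_version(text, fill=0):
    """'16.3.1' -> (16, 3, 1); missing or 'x' components take `fill`."""
    parts = [fill if p == "x" else int(p) for p in text.strip().split(".")]
    return tuple(parts + [fill] * (3 - len(parts)))

def parse_range(spec):
    """Turn the article's notation ('13.x', '13-15.1.1') into (low, high) tuples.
    Assumption: bounds are inclusive and a short bound is zero-padded (16.7 == 16.7.0)."""
    if "-" in spec:
        low, high = spec.split("-")
        return parse_version(low), parse_version(high)
    # Wildcard form: '13.x' spans every 13.* release.
    return parse_version(spec, 0), parse_version(spec, math.inf)

def in_range(version, spec):
    low, high = parse_range(spec)
    return low <= parse_version(version) <= high

def triage(inventory):
    """Return {device: [CVE, ...]} for devices inside the kit's overall range.
    An empty list means in range, but covered by none of the 12 entries listed here."""
    findings = {}
    for device, version in inventory.items():
        if in_range(version, KIT_RANGE):
            findings[device] = [cve for _, cve, spec in LISTED if in_range(version, spec)]
    return findings

# Constructed sample inventory (hypothetical device names), e.g. from an MDM export.
SAMPLE_INVENTORY = {"iphone-a": "13.7", "iphone-b": "16.6", "ipad-c": "17.2.1",
                    "iphone-d": "17.3", "iphone-e": "12.5.7", "iphone-f": "15.8"}

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        print(device, SAMPLE_INVENTORY[device], ", ".join(cves) or "in range, no listed match")
```

Devices outside the 13.0 to 17.2.1 range are omitted from the result even where an individual listed range extends past 17.2.1, because the check follows the overall range the article states for the kit.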


