Google’s Threat Intelligence Group (GTIG) reported on Coruna, a commercial/spy-grade iOS exploit kit that has circulated among multiple threat actors and shifted use cases over time—from a surveillance customer to suspected state-linked watering-hole activity and later to financially motivated abuse. GTIG assessed Coruna includes five full iOS exploit chains comprising 23 exploits, mixing CVE-tracked vulnerabilities with additional flaws that were not assigned CVEs (with CVE mapping potentially subject to revision as analysis continues). The exploit chains target iOS via ordinary web content, leveraging WebKit memory-corruption and related browser subsystem weaknesses to achieve capabilities such as remote code execution and sandbox escape.
Reporting highlighted that Coruna’s exploit set largely relies on older issues that are likely patched on current devices, but the kit was assessed as capable (with varying reliability) of targeting iPhone models across a wide range of versions, from iOS 13.0 through iOS 17.2.1. Publicly referenced CVEs associated with Coruna include CVE-2024-23222, CVE-2022-48503 (later added to CISA’s KEV), CVE-2023-43000, and multiple WebKit/privilege escalation bugs used as zero-days in prior campaigns (e.g., CVE-2023-38606, CVE-2023-32434, CVE-2023-32409). Mandiant/Google also published a set of URLs observed delivering Coruna landing pages (e.g., paths like /group.html and /static/analytics.html across numerous domains), intended to support detection and threat hunting.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
13 events from the most recent confirmed update back to the earliest known activity.
Kaspersky reported that Coruna’s kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the exploit used in Operation Triangulation. The company also identified four additional kernel exploits and said Coruna is a unified modular exploitation framework rather than a loose collection of exploits.
Apple released iOS/iPadOS 15.8.7 and 16.7.15 for older devices, backporting fixes for multiple vulnerabilities associated with Coruna, including CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010. The update extended protections to devices that cannot run the latest iOS versions.
TechCrunch reported that multiple sources and former employees linked Coruna to L3Harris's Trenchant division, suggesting the toolkit was originally developed for a U.S. government or allied intelligence customer. The reporting also pointed to former Trenchant manager Peter Williams as a possible leakage path through sales to Russian exploit broker Operation Zero.
On 2026-03-05, four of five known PLASMAGRID/Coruna DGA command-and-control domains were placed on serverHold, disrupting part of the kit's infrastructure. Breakglass assessed the timing alongside CISA's KEV action as evidence of a coordinated takedown, while one primary domain remained active and may have been left for monitoring.
Validin reported additional suspected Coruna/PLASMAGRID infrastructure, including more than 200 similar delivery domains seen in the prior week and 27 hosts still serving malicious iframe content. The analysis connected known Coruna indicators to newly registered Iran-themed lure domains, suggesting ongoing reuse.
CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to its Known Exploited Vulnerabilities catalog after reporting tied them to Coruna exploitation. The agency ordered U.S. federal civilian agencies to remediate by March 26, 2026.
Kaspersky publicly rejected suggestions that Coruna was developed by the same authors behind the 2023 Operation Triangulation campaign. The company said overlap in exploited CVEs was not enough to support attribution or code-reuse claims.
On March 3, 2026, Google Threat Intelligence Group and iVerify publicly disclosed Coruna, describing five iOS exploit chains with 23 exploits and releasing technical indicators and detection guidance. Google also said it added identified domains to Safe Browsing.
By December 2025, Google linked Coruna to UNC6691, a financially motivated China-based actor using fake Chinese gambling and cryptocurrency sites to infect victims. The campaign delivered wallet-stealing malware aimed at cryptocurrency theft.
In July 2025, Google observed suspected Russian espionage actor UNC6353 using Coruna in watering-hole attacks via compromised Ukrainian websites. The activity targeted iPhone users through hidden iframe-based exploit delivery.
Google Threat Intelligence Group first saw parts of the Coruna framework in February 2025 during a highly targeted intrusion attributed to a customer of a commercial surveillance vendor. This marks the earliest reported operational use of the exploit kit.
Apple patched CVE-2024-23222 in iOS 17.3, a JavaScriptCore/WebKit-related issue later reported as part of Coruna's exploit arsenal. Google later said Coruna was ineffective against the latest iOS releases.
Apple originally shipped a fix for WebKit flaw CVE-2023-43010 in iOS 17.2, later identified as one of the vulnerabilities used in Coruna exploit chains. This established that at least part of the toolkit relied on already-patched bugs.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
33 references tracked. Mallory keeps watching after this page renders.
schneier.com
Open sourceintel.breakglass.tech
Open sourcesecurityaffairs.com
Open sourcethehackernews.com
Open sourcego.theregister.com
Open sourcedatabreaches.net
Open sourcecloud.google.com
Open sourcehelpnetsecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.