The Rise of Coruna: A New Exploit Kit Targeting iOS Devices
In recent years, sophisticated threat actors have increasingly turned their attention to mobile devices, making their security a central concern. One notable development in this area is the emergence of the exploit kit known as “Coruna.” Discovered by Google researchers, this kit stands out because it has been used by three distinct hacking groups.
The Origins of Coruna
Google first identified Coruna’s operation in February 2025, during an attack carried out by a “customer of a surveillance vendor.” The vulnerability exploited in that attack, tracked as CVE-2025-23222, had been patched 13 months earlier. In July of the same year, a suspected Russian espionage group used another exploit from the kit, CVE-2023-43000, in a watering-hole campaign against websites frequented by Ukrainian nationals. By December, a financially motivated threat actor from China was using Coruna as well, which allowed Google to retrieve the entire exploit kit.
Researchers have noted, “How this proliferation occurred is unclear, but suggests an active market for ‘secondhand’ zero-day exploits.” They emphasized that a range of threat actors have now acquired advanced exploitation techniques that can be reused and adapted to newly identified vulnerabilities.
A Deep Dive into the Coruna Exploit Kit
Google’s investigators managed to retrieve all of the obfuscated exploits, including their payloads. In one notable incident, the operators deployed the debug build of the exploit kit, which inadvertently exposed every exploit along with its internal codename; it was from this analysis that the name “Coruna” emerged. In total, researchers collected several hundred samples covering five full iOS exploit chains, which together target a wide range of iPhone models running iOS versions from 13.0 (released in September 2019) through 17.2.1 (released in December 2023).
Identified Exploits within Coruna
The exploit kit comprises 23 distinct vulnerabilities, each catalogued by type, codename, targeted iOS versions, fixed versions, and CVE reference. The table below gives a brief overview of the WebContent read/write primitives that open each of the five chains:
| Type | Codename | Targeted versions | Fixed versions | CVE |
|------|----------|-------------------|----------------|-----|
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
CISA’s Response
The Cybersecurity and Infrastructure Security Agency (CISA) has taken note of Coruna, though it has so far added only three of the kit’s CVEs to its catalog:
- CVE-2021-30952: Apple Multiple Products Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974: Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000: Apple Multiple Products Use-After-Free Vulnerability
CISA urges agencies to “apply mitigations per vendor instructions, follow applicable… guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” It further cautions that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Image Credit: arstechnica.com