Executive Summary
In early 2026, security researchers uncovered the 'Coruna' exploit kit, a sophisticated suite of hacking tools capable of compromising iPhones running older iOS versions. Initially identified in February 2025 during a surveillance vendor's attempt to deploy spyware on behalf of a government client, Coruna was later observed in attacks targeting Ukrainian users by a Russian espionage group and subsequently by financially motivated hackers in China. The exploit kit chains together multiple vulnerabilities, allowing attackers to bypass iOS defenses and gain full control over targeted devices. (techcrunch.com)
The proliferation of Coruna underscores the risks associated with the leakage of advanced cyber tools originally developed for government use. Similar to the EternalBlue exploit that fueled the WannaCry and NotPetya attacks in 2017, Coruna's widespread availability has enabled various threat actors to conduct mass-scale attacks on iOS devices, affecting at least 42,000 devices to date.
Why This Matters Now
The emergence of Coruna highlights the urgent need for robust cybersecurity measures and timely software updates. Organizations and individuals must prioritize patching vulnerabilities and implementing comprehensive security protocols to mitigate the risks posed by such advanced exploit kits.
Attack Path Analysis
The Coruna exploit kit initiated attacks by compromising iOS devices through malicious websites, leading to privilege escalation via chained vulnerabilities. Attackers then moved laterally within the device, established command and control channels, exfiltrated sensitive data, and caused significant impact by deploying financial theft malware.
Kill Chain Progression
Initial Compromise
Description
Users visiting malicious websites were targeted by the Coruna exploit kit, which leveraged multiple vulnerabilities to gain initial access to iOS devices.
Related CVEs
CVE-2024-23222
CVSS 8.8A WebKit vulnerability that allows arbitrary code execution when processing maliciously crafted web content.
Affected Products:
Apple iOS – < 17.3
Exploit Status:
exploited in the wildCVE-2022-48503
CVSS 8.8A WebKit vulnerability that allows arbitrary code execution when processing maliciously crafted web content.
Affected Products:
Apple iOS – < 15.6
Exploit Status:
exploited in the wildCVE-2023-43000
CVSS 8.8A use-after-free vulnerability in WebKit that allows arbitrary code execution when processing maliciously crafted web content.
Affected Products:
Apple iOS – < 16.6
Exploit Status:
exploited in the wildCVE-2023-38606
CVSS 5.5A kernel vulnerability that allows an attacker to bypass hardware-based memory protections.
Affected Products:
Apple iOS – < 16.6
Exploit Status:
exploited in the wildCVE-2023-32434
CVSS 7.8An integer overflow vulnerability in the kernel that allows arbitrary code execution with kernel privileges.
Affected Products:
Apple iOS – < 16.5.1
Exploit Status:
exploited in the wildCVE-2023-32409
CVSS 8.6A WebKit vulnerability that allows arbitrary code execution when processing maliciously crafted web content.
Affected Products:
Apple iOS – < 16.5
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Initial Access
Exploitation for Client Execution
Exploit OS Vulnerability
Drive-by Compromise
URL Scheme Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Zero-day iOS exploits linked to leaked U.S. government framework create severe operational security risks for government mobile communications and classified data protection.
Defense/Space
Mass-scale iOS attacks using sophisticated U.S.-origin exploit kit threaten defense contractor mobile security, requiring immediate segmentation and encrypted traffic monitoring capabilities.
Computer/Network Security
Proliferation of advanced zero-day exploits in cybercriminal markets demonstrates urgent need for enhanced threat detection, anomaly response, and egress security enforcement.
Financial Services
iOS zero-day exploit kit targeting 42,000+ devices poses critical mobile banking security risks, demanding strengthened multicloud visibility and data exfiltration prevention measures.
Sources
- Possible U.S.-developed exploits linked to first known ‘mass’ iOS attackhttps://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/Verified
- Coruna: Spy-grade iOS exploit kit powering financial crimehttps://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/Verified
- Kaspersky discloses iPhone hardware feature vital in Operation Triangulation casehttps://www.kaspersky.com/about/press-releases/kaspersky-discloses-iphone-hardware-feature-vital-in-operation-triangulation-caseVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data within cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may not directly prevent the initial compromise of iOS devices through malicious websites.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges within cloud workloads by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely restrict lateral movement within cloud workloads by monitoring and controlling internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may detect and limit unauthorized command and control communications within cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit data exfiltration attempts from cloud workloads by enforcing strict outbound traffic policies.
While CNSF controls may reduce the attacker's ability to escalate privileges, move laterally, and exfiltrate data within cloud environments, they may not directly prevent the financial impact resulting from compromised user devices.
Impact at a Glance
Affected Business Functions
- Mobile Device Security
- User Data Protection
- Application Integrity
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive user data including personal information, messages, and credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Inline IPS (Suricata) to detect and prevent exploitation attempts by identifying known exploit patterns and malicious payloads.
- • Deploy Zero Trust Segmentation to enforce least privilege access and limit lateral movement within devices and networks.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual behaviors indicative of compromise.
- • Ensure Multicloud Visibility & Control to maintain comprehensive oversight of network traffic and detect anomalous interactions across cloud environments.
