Executive Summary
In 2025, the Coruna exploit kit emerged as a sophisticated tool targeting iPhones running iOS versions 13.0 through 17.2.1. Initially observed in February 2025, it was used by a surveillance vendor's client, later appearing in attacks by Russian espionage groups against Ukrainian users, and subsequently by financially motivated Chinese hackers. Coruna comprises five full iOS exploit chains leveraging 23 vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, previously exploited in Operation Triangulation. The kit's evolution suggests a continuous development from earlier frameworks, now capable of compromising modern hardware, including Apple's A17 and M3 chips. (helpnetsecurity.com)
The proliferation of Coruna underscores the escalating risk of advanced exploit kits transitioning from state-sponsored espionage to widespread cybercrime. This trend highlights the urgent need for organizations to implement robust security measures, including timely software updates and advanced threat detection systems, to mitigate the risks posed by such sophisticated tools.
Why This Matters Now
The Coruna exploit kit's transition from targeted espionage to widespread cybercrime exemplifies the rapid dissemination of advanced hacking tools. Organizations must prioritize updating their security protocols and systems to defend against these evolving threats.
Attack Path Analysis
The Coruna exploit kit initiates the attack via a malicious iMessage, leading to remote code execution and privilege escalation through kernel exploits. The malware then moves laterally within the device, establishes command and control channels, exfiltrates sensitive data, and ultimately impacts the device's integrity and user privacy.
Kill Chain Progression
Initial Compromise
Description
The attack begins with a zero-click iMessage exploit that delivers a malicious payload to the target device.
Related CVEs
CVE-2023-32434
CVSS 7.8
An integer overflow vulnerability in Apple products allows an app to execute arbitrary code with kernel privileges.
Affected Products:
Apple iOS – < 15.7.7, 16.0 - 16.5.1
Apple iPadOS – < 15.7.7, 16.0 - 16.5.1
Apple macOS – 11.0 - 11.7.8, 12.0.0 - 12.6.7, 13.0 - 13.4.1
Apple watchOS – < 8.8.1, 9.0 - 9.5.2
Exploit Status:
exploited in the wild
References:
https://support.apple.com/en-us/HT213808
https://support.apple.com/en-us/HT213809
https://support.apple.com/en-us/HT213810
https://support.apple.com/en-us/HT213811
https://support.apple.com/en-us/HT213812
https://support.apple.com/en-us/HT213813
https://support.apple.com/en-us/HT213814
https://support.apple.com/kb/HT213990
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32434
CVE-2023-38606
CVSS 5.5
A vulnerability in Apple products allows an app to modify sensitive kernel state.
Affected Products:
Apple iOS – < 15.7.8, 16.0 - 16.6
Apple iPadOS – < 15.7.8, 16.0 - 16.6
Apple macOS – 11.0 - 11.7.9, 12.0.0 - 12.6.8, 13.0 - 13.5
Apple tvOS – < 16.6
Exploit Status:
exploited in the wild
References:
https://support.apple.com/en-us/HT213841
https://support.apple.com/en-us/HT213842
https://support.apple.com/en-us/HT213843
https://support.apple.com/en-us/HT213844
https://support.apple.com/en-us/HT213845
https://support.apple.com/en-us/HT213846
https://support.apple.com/en-us/HT213848
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38606
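As an added example, not code from this advisory or from any vendor it names, the following Python check flags inventory devices whose OS version falls inside the affected ranges listed above for the two CVEs. The ranges are copied from the page; the device inventory is constructed; and reading "a - b" as inclusive at both ends (with "< x" exclusive) is an assumption, the conservative one for a patch check.

```python
# Added example, not the advisory's own code: flag devices whose OS version lies inside the
# affected ranges listed above for CVE-2023-32434 and CVE-2023-38606.
# Assumption: "< x" is exclusive and "a - b" includes both ends (conservative for patch checks).
def parse_version(v: str) -> tuple:
    """'16.5.1' -> (16, 5, 1); pad to three parts so '16.0' compares equal to '16.0.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_range(text: str) -> tuple:
    """One page range ('< 15.7.7' or '16.0 - 16.5.1') -> (low, high, high_inclusive)."""
    text = text.strip()
    if text.startswith("<"):
        return (None, parse_version(text[1:]), False)
    low, high = (parse_version(p) for p in text.split("-"))
    return (low, high, True)

def in_range(version: tuple, rng: tuple) -> bool:
    low, high, inclusive = rng
    if low is not None and version < low:
        return False
    return version <= high if inclusive else version < high

# Affected products exactly as listed on this page, keyed by CVE then product.
AFFECTED = {
    "CVE-2023-32434": {
        "iOS": "< 15.7.7, 16.0 - 16.5.1", "iPadOS": "< 15.7.7, 16.0 - 16.5.1",
        "macOS": "11.0 - 11.7.8, 12.0.0 - 12.6.7, 13.0 - 13.4.1",
        "watchOS": "< 8.8.1, 9.0 - 9.5.2",
    },
    "CVE-2023-38606": {
        "iOS": "< 15.7.8, 16.0 - 16.6", "iPadOS": "< 15.7.8, 16.0 - 16.6",
        "macOS": "11.0 - 11.7.9, 12.0.0 - 12.6.8, 13.0 - 13.5",
        "tvOS": "< 16.6",
    },
}

def affected_cves(product: str, version: str) -> list:
    """CVEs from the table whose ranges contain this product/version (empty list if patched)."""
    v = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        ranges = [parse_range(r) for r in products.get(product, "").split(",") if r.strip()]
        if any(in_range(v, r) for r in ranges):
            hits.append(cve)
    return hits

# Constructed sample inventory (device id, product, version), e.g. an MDM export; not real data.
INVENTORY = [("phone-01", "iOS", "16.5"), ("phone-02", "iOS", "16.6.1"),
             ("pad-01", "iPadOS", "15.7.7"), ("tv-01", "tvOS", "16.5")]

def devices_needing_patch(inventory=INVENTORY) -> dict:
    """device id -> unpatched CVEs, listing only devices with at least one hit."""
    report = {dev: affected_cves(prod, ver) for dev, prod, ver in inventory}
    return {dev: cves for dev, cves in report.items() if cves}
```

A device on exactly the fix version (for example iOS 16.5.1 for CVE-2023-32434) is still flagged under the inclusive reading; adjust `parse_range` if your vulnerability feed states the fix version as excluded.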
MITRE ATT&CK® Techniques
Exploitation for Initial Access
Exploitation for Client Execution
Exploitation for Privilege Escalation
Obfuscated Files or Information
Capture Audio
Input Capture
Location Tracking
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
iOS exploit framework targeting mobile devices threatens cryptocurrency theft and financial espionage, requiring enhanced mobile security and egress filtering controls.
Government Administration
Sophisticated zero-click iOS spyware exploits pose critical espionage risks to government officials, demanding immediate patching and mobile device security protocols.
Defense/Space
Advanced persistent threat using undocumented hardware features creates severe national security risks through mobile device compromise and data exfiltration.
Information Technology/IT
Multi-stage iOS exploit framework leveraging 23 vulnerabilities exposes IT infrastructure to lateral movement and requires comprehensive mobile endpoint protection strategies.
Sources
- Coruna iOS exploit framework linked to Triangulation attacks – https://www.bleepingcomputer.com/news/security/coruna-ios-exploit-framework-linked-to-triangulation-attacks/ (Verified)
- Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks – https://www.bleepingcomputer.com/news/security/spyware-grade-coruna-ios-exploit-kit-now-used-in-crypto-theft-attacks/ (Verified)
- CISA warns feds to patch iOS flaws exploited in crypto-theft attacks – https://www.bleepingcomputer.com/news/security/cisa-warns-of-apple-flaws-exploited-in-spyware-crypto-theft-attacks/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it embeds security directly into the cloud infrastructure, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF primarily secures cloud workloads, its principles of embedded security could inspire similar protections in device communications, potentially reducing the success rate of such exploits.
Control: Zero Trust Segmentation
Mitigation: Applying Zero Trust principles could limit the scope of privilege escalation by enforcing strict access controls, potentially reducing the attacker's ability to gain elevated privileges.
Control: East-West Traffic Security
Mitigation: Enforcing east-west traffic security could limit the malware's ability to move laterally within the device, potentially reducing access to sensitive subsystems and data.
Control: Multicloud Visibility & Control
Mitigation: Enhanced visibility and control over network communications could limit the establishment of unauthorized command and control channels, potentially reducing remote control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: Enforcing strict egress policies could limit unauthorized data exfiltration, potentially reducing the amount of sensitive information transmitted to external servers.
By constraining earlier stages of the attack, the overall impact on user privacy and device integrity could be limited, potentially reducing the risk of further exploitation or surveillance.
Impact at a Glance
Affected Business Functions
- Mobile Device Security
- Data Privacy Compliance
- Financial Transactions
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data due to device compromise.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within devices and limit access to sensitive subsystems.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual device behaviors indicative of compromise.
- Ensure regular updates and patch management to mitigate known vulnerabilities exploited by such malware.
- Educate users on the risks of zero-click exploits and the importance of maintaining device security settings.