Executive Summary
In early 2026, Google’s Threat Intelligence Group identified 'Coruna,' a sophisticated iOS exploit kit targeting devices running iOS versions 13.0 through 17.2.1. The kit comprises five full exploit chains utilizing 23 vulnerabilities, enabling attackers to execute remote code and escalate privileges. Initially observed in February 2025 within a surveillance vendor's operations, Coruna was subsequently employed by Russian espionage groups in mid-2025 and later by financially motivated Chinese cybercriminals by December 2025. The exploit kit facilitates the deployment of malware capable of exfiltrating sensitive data, including cryptocurrency wallets and personal information. (thehackernews.com)
The emergence of Coruna underscores a concerning trend where advanced cyber tools, potentially developed by nation-states, proliferate into the hands of various threat actors. This incident highlights the critical need for organizations and individuals to maintain up-to-date software and implement robust security measures to mitigate the risks posed by such sophisticated exploits. (techcrunch.com)
Why This Matters Now
The Coruna exploit kit's transition from state-sponsored entities to financially motivated cybercriminals exemplifies the rapid dissemination of advanced cyber tools across diverse threat actors. This trend amplifies the risk of widespread exploitation, emphasizing the urgency for organizations to enhance their cybersecurity defenses and for individuals to ensure their devices are updated to the latest software versions to protect against such sophisticated threats.
Attack Path Analysis
The Coruna exploit kit initiated attacks by embedding malicious JavaScript into compromised or fraudulent websites, leading to the exploitation of iOS vulnerabilities upon user visit. This allowed attackers to escalate privileges, gaining deeper access to the device's operating system. Subsequently, they moved laterally within the device to access sensitive applications and data. Established command and control channels enabled remote management and data exfiltration. Attackers then extracted sensitive information, including cryptocurrency wallet data, from the compromised devices. The impact included unauthorized access to personal data and potential financial losses for the victims.
Kill Chain Progression
Initial Compromise
Description
Users visiting compromised or fraudulent websites triggered the execution of malicious JavaScript, exploiting iOS vulnerabilities to gain initial access.
Related CVEs
CVE-2024-23222
CVSS 8.8A type confusion issue in WebKit allows processing of maliciously crafted web content, leading to arbitrary code execution.
Affected Products:
Apple iOS – < 17.3
Apple iPadOS – < 17.3
Apple macOS – < 14.3
Apple tvOS – < 17.3
Exploit Status:
exploited in the wildCVE-2022-48503
CVSS 8.8A use-after-free vulnerability in WebKit allows processing of maliciously crafted web content, leading to arbitrary code execution.
Affected Products:
Apple iOS – 15.2, 15.3, 15.4, 15.5
Apple iPadOS – 15.2, 15.3, 15.4, 15.5
Exploit Status:
exploited in the wildCVE-2023-43000
CVSS 8.8A use-after-free vulnerability in WebKit allows processing of maliciously crafted web content, leading to arbitrary code execution.
Affected Products:
Apple iOS – 16.2, 16.3, 16.4, 16.5, 16.5.1
Apple iPadOS – 16.2, 16.3, 16.4, 16.5, 16.5.1
Exploit Status:
exploited in the wildCVE-2023-32434
CVSS 7.8An integer overflow vulnerability in the kernel allows a malicious app to execute arbitrary code with kernel privileges.
Affected Products:
Apple iOS – 14.5, 14.6, 14.7, 14.8, 15.0, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.7.1, 15.7.2, 15.7.3, 15.7.4, 15.7.5, 15.7.6
Apple iPadOS – 14.5, 14.6, 14.7, 14.8, 15.0, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7, 15.7.1, 15.7.2, 15.7.3, 15.7.4, 15.7.5, 15.7.6
Exploit Status:
exploited in the wildCVE-2023-38606
CVSS 5.5A security vulnerability in Apple devices allows a malicious app to execute arbitrary code with kernel privileges.
Affected Products:
Apple iOS – 14.0, 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8
Apple iPadOS – 14.0, 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Initial Access
Exploitation for Client Execution
Exploit OS Vulnerability
Exploit TEE Vulnerability
Drive-by Compromise
Keychain
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
iOS exploit kit targeting cryptocurrency wallets poses severe risk to mobile banking applications and financial data through sophisticated WebKit vulnerabilities and exfiltration capabilities.
Government Administration
Nation-state grade iOS exploits targeting government devices threaten sensitive communications and diplomatic operations, requiring immediate Lockdown Mode deployment and compliance upgrades.
Computer/Network Security
Coruna exploit kit demonstrates advanced mobile security bypass techniques affecting security vendors' iOS detection capabilities and requiring enhanced threat intelligence integration frameworks.
Telecommunications
Mass iOS exploitation campaign impacts mobile network operators through compromised user devices, threatening encrypted traffic integrity and requiring enhanced east-west traffic monitoring.
Sources
- Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.htmlVerified
- Coruna: Spy-grade iOS exploit kit powering financial crimehttps://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/Verified
- Kaspersky: No signs Coruna iPhone exploit kit made by UShttps://www.theregister.com/2026/03/04/kaspersky_dismisses_claims_that_coruna/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit vulnerabilities, move laterally, and exfiltrate sensitive data within cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities through malicious web content would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely be constrained, limiting access to sensitive applications and data.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be restricted, reducing remote management capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be limited, reducing the risk of data loss.
The overall impact of unauthorized access and financial loss would likely be reduced, limiting the attacker's success.
Impact at a Glance
Affected Business Functions
- Mobile Device Security
- User Data Privacy
- Application Integrity
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data due to arbitrary code execution vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- • Implement inline intrusion prevention systems (IPS) to detect and block known exploit patterns and malicious payloads.
- • Enforce zero trust segmentation to limit lateral movement within devices and networks.
- • Utilize egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance multicloud visibility and control to detect anomalous interactions and repeated malformed requests.
- • Regularly update devices and enable security features like Lockdown Mode to mitigate exploitation risks.
