Security researchers have identified a powerful exploit framework targeting Apple iPhones running older versions of the iOS operating system.
The toolkit, called Coruna and also known as CryptoWaters, includes multiple exploit chains capable of targeting devices running iOS versions from 13.0 through 17.2.1, according to researchers from Google’s Threat Intelligence Group.
The framework contains five full exploit chains and a total of 23 vulnerabilities. Researchers said the exploit kit is not effective against the most recent versions of iOS.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non public exploitation techniques and mitigation bypasses,” Google researchers said.
They added that the infrastructure supporting the kit is carefully designed and integrates several exploit components into a unified framework.
“The framework surrounding the exploit kit is extremely well engineered. The exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.”
According to researchers, the exploit kit has circulated among several types of threat actors since early 2025.
The toolkit first appeared in a commercial surveillance operation before being used by a government backed attacker.
By late 2025, it had reached a financially motivated threat group operating from China.
Investigators say the movement of the exploit kit between groups suggests a growing underground market where previously developed zero day tools are resold and reused.
Security firm iVerify said the spread of Coruna demonstrates how advanced surveillance tools can move beyond their original operators.
“Coruna is one of the most significant examples we’ve observed of sophisticated spyware grade capabilities proliferating from commercial surveillance vendors into the hands of nation state actors and ultimately mass scale criminal operations,” the company said.
Researchers first detected elements of the exploit chain in early 2025 when a surveillance customer used it within a JavaScript framework that had not been previously documented.
The framework gathers information about the targeted device including the model and the iOS version running on it.
Based on this fingerprinting data, the framework delivers a suitable WebKit remote code execution exploit.
One of the vulnerabilities used in the chain was CVE-2024-23222, a type confusion flaw in Apple’s WebKit browser engine that was patched in January 2024.
The framework appeared again in July 2025 when it was discovered on a domain used to deliver malicious content through hidden iframes on compromised websites in Ukraine.
These sites included pages related to industrial tools, retail services and e commerce platforms.
Researchers believe a suspected Russian espionage group tracked as UNC6353 was responsible for that activity. The exploit framework was delivered only to certain users based on their geographic location and device characteristics.
A third wave of activity was identified in December 2025. In that campaign, attackers used a network of fake Chinese websites related to financial topics to distribute the exploit kit.
Visitors were encouraged to access the sites from iPhones or iPads for a better browsing experience.
Once accessed from an Apple device, the websites inserted a hidden iframe that triggered the Coruna exploit kit. This campaign has been linked to a threat cluster tracked as UNC6691.
Further investigation uncovered a debug version of the exploit kit along with several exploit samples spanning five complete attack chains.
Researchers said the kit includes vulnerabilities affecting several generations of iOS. These include exploits targeting iOS 13 through iOS 17.2.1 using vulnerabilities such as CVE-2020-27932, CVE-2022-48503, CVE-2023-32409 and CVE-2024-23222.
Some of the vulnerabilities in the toolkit had previously been used as zero day exploits in earlier operations.
“Photon and Gallium are exploiting vulnerabilities that were also used as zero days as part of Operation Triangulation,” Google researchers said.
Once a device is compromised, attackers can deploy additional malware components. In the case of the UNC6691 campaign, the exploit chain delivered a stager called PlasmaLoader.
The program is designed to decode QR codes embedded in images and retrieve additional modules from external servers.
These modules can then collect sensitive data from cryptocurrency wallet applications including Base, Bitget Wallet, Exodus and MetaMask.
Researchers said the malware contains hard coded command and control servers along with a fallback system that generates domain names automatically using a domain generation algorithm seeded with the word lazarus.
A notable characteristic of the Coruna exploit kit is that it avoids running on devices using Apple’s Lockdown Mode or devices browsing in private mode.
Security researchers recommend that iPhone users update their devices to the latest version of iOS and enable Lockdown Mode when additional protection is needed.
