Google Threat Intelligence Group (GTIG) has described Coruna, also known as CryptoWaters, as a powerful iOS exploit kit targeting Apple devices running iOS 13.0 to 17.2.1, with five full exploit chains and a total of 23 exploits. The framework fingerprints devices to tailor which WebKit remote code execution (RCE) exploit to load, including the CVE-2024-23222 WebKit type-confusion flaw, and then attempts a pointer authentication code (PAC) bypass.
GTIG notes that Coruna is not effective against the latest iOS versions. The kit has circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed actor, and then to a financially motivated actor operating from China by December.
In July 2025, the same JavaScript framework appeared on the domain cdn.uacounter[.]com, loaded as a hidden iframe on compromised Ukrainian sites, with UNC6353 suspected of involvement. A December 2025 cluster tracked as UNC6691 was also observed delivering the kit.
The campaign drops a five-chain, 23-exploit suite that includes CVEs such as CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000. Researchers note that some of these exploits were reused from prior operations, and that impersonation and a domain-generation approach were observed for command and control (C2). iPhone users are advised to keep devices updated and enable Lockdown Mode to mitigate the threat.
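
For site operators checking their own pages for the hidden-iframe delivery described above, the following is an added example, not code from GTIG or from the kit. It audits HTML for iframes that are visually hidden and flags any whose host matches the published indicator; the hiding heuristics, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Indicator host as published on the page, refanged only for comparison.
INDICATOR_HOSTS = {"cdn.uacounter[.]com".replace("[.]", ".")}

# Assumed heuristics for "hidden": inline CSS that removes or zero-sizes the frame.
HIDDEN_CSS = re.compile(r"display:none|visibility:hidden|(?:width|height):0(?:px)?(?:;|$)")

def is_hidden(attrs):
    """True if the iframe is invisible via attribute, zero size, or inline CSS."""
    if "hidden" in attrs:
        return True
    if attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px"):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return bool(HIDDEN_CSS.search(style))

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Protocol-relative URLs ("//host/path") still yield a hostname.
        host = (urlparse(src).hostname or "").lower().rstrip(".")
        self.findings.append({"src": src, "host": host, "hidden": is_hidden(a),
                              "indicator": host in INDICATOR_HOSTS})

def audit_html(html):
    """Return one finding per iframe, in document order."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: paths and the example.org/example.net hosts are made up.
SAMPLE = f"""<html><body>
<iframe src="https://{next(iter(INDICATOR_HOSTS))}/constructed/path" style="display: none"></iframe>
<iframe src="https://video.example.org/embed" width="560" height="315"></iframe>
<iframe src="//tracker.example.net/px" width="0" height="0"></iframe>
</body></html>"""
```

A hidden iframe whose host is not on the indicator list is still worth reviewing, since the page notes a domain-generation approach and a fixed host list will not cover new domains.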