Google has revealed a powerful iOS exploit kit named Coruna (also known as CryptoWaters) that targets iPhones running iOS 13.0 through 17.2.1. The kit incorporates five full exploit chains and a total of 23 exploits, and it is ineffective against the latest iOS release.
According to Google Threat Intelligence Group, the framework uses device and iOS version fingerprinting to load the appropriate WebKit RCE exploit and a PAC bypass, and at the end of the chain a PlasmaLoader stager injects into a root daemon to deploy a financially focused payload.
Initial discovery occurred in February 2025, when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer, with the exploits integrated into this framework via obfuscated code. The kit has been seen in Ukrainian watering hole campaigns by UNC6353 and later in broad-scale attacks by Chinese financial threat actor UNC6691, illustrating an active market for second-hand zero-days and reusable exploit modules. Google published IOCs and YARA rules to help defenders, while noting that multiple threat actors reuse and adapt the techniques for new vulnerabilities.