ACCORDING to Google Threat Intelligence Group, a new and powerful exploit kit named Coruna targets Apple iPhone models running iOS 13.0 (released in September 2019) up to 17.2.1 (released in December 2023). The kit contained five full iOS exploit chains and a total of 23 exploits, with its core value lying in a comprehensive collection of exploits and the most advanced ones using non-public techniques and mitigation bypasses.
Over 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group; it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China.
How proliferation occurred remains unclear, but the report suggests an active market for “second hand” zero-day exploits and that multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities. Read more at GTIG, but check your iOS version and ensure you are up-to-date.