Medium Vulnerability

Coruna iOS Exploit Kit Uses 23 Exploits Across Five

A previously undocumented set of 23 iOS exploits named 'Coruna' has been deployed by multiple threat actors in targeted espionage campaigns and financially motivated attacks. [...]

What Happened

A previously undocumented and sophisticated exploit kit, dubbed “Coruna” or “CryptoWaters,” has been identified in active attacks against Apple iOS. According to intelligence from Google, the kit comprises 23 distinct exploits organized into five separate exploitation chains. These chains are designed to compromise iPhones running iOS versions 13.0 through 17.2.1. Initially observed in targeted espionage campaigns, the toolkit has now been adopted by multiple threat actors for financially motivated attacks, including cryptocurrency theft.

Why It Matters

The Coruna kit marks a significant escalation in mobile threat sophistication. Its transition from espionage-grade tooling to broader criminal use lowers the barrier to entry for financially motivated attackers and widens the potential victim pool. For organizations, it underscores the risk of mobile devices as enterprise endpoints, especially under bring-your-own-device (BYOD) policies. The kit's coverage of a wide span of iOS versions, including relatively recent ones, challenges the perception of iOS as an inherently secure platform and highlights the need for patch management and threat monitoring that extend beyond traditional desktop environments.

Technical Details

The kit's power lies in its modularity and depth. The five exploitation chains likely correspond to different entry vectors and privilege-escalation paths, plausibly combining vulnerabilities in WebKit (the browser engine), the iOS kernel, and other system components to reach full device compromise. No specific CVEs are publicly attributed in the reporting summarized here; the breadth of version coverage suggests a mix of known, already-patched vulnerabilities and exploits that may have been zero-days against the newest versions in the range at the time they were used. The final payloads can include spyware for data exfiltration or modules designed to hijack cryptocurrency transactions and wallets.

Immediate Risk

The immediate risk is assessed as MEDIUM. The activity is currently targeted rather than indiscriminate, which limits widespread impact. However, confirmed use by multiple actors in active financial-theft campaigns makes the threat tangible and growing. Users on iOS 17.2.1 or earlier (the full 13.0 through 17.2.1 range is in scope, 17.2.1 included), particularly those who use cryptocurrency applications or who may be targeted for espionage, are at elevated risk. Organizations whose employees use iPhones in the affected version range to access corporate data or services should assess their exposure.

Security Insight

This activity reinforces that all software ecosystems, iOS included, are persistent targets, and that defenders must extend their security posture to cover mobile devices fully. Critical actions include enforcing prompt updates to iOS 17.3 or later, which lies outside the known targeting range and may carry fixes for the exploited vulnerabilities; in practice, move each device to the newest iOS release it supports. Devices that cannot be updated past 17.2.1 should be treated as exposed and kept away from sensitive data and cryptocurrency applications until they are replaced. Security teams should also monitor for suspicious network traffic or application behavior originating from mobile devices, and consider application allow-listing and robust mobile device management (MDM) policies to limit the impact of a compromise.
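As an added illustration for this page (not code from the original report, from Google, or from any MDM vendor), the following Python script triages a constructed MDM inventory export against the 13.0 through 17.2.1 range. The CSV column names (`device`, `os_version`) and the device names are assumptions; adapt them to your MDM's export format. The point it demonstrates is numeric rather than string comparison of version numbers, so that a two-component version such as "17.2" compares correctly and a hypothetical "17.10" is not sorted below "17.2.1" the way a naive string comparison would sort it.

```python
"""Flag managed iOS devices whose OS version falls inside the Coruna
targeting range (13.0 through 17.2.1, inclusive on both ends).

Added example for this article; not code from Google or any MDM vendor.
The CSV layout ('device' and 'os_version' columns) is an assumption.
"""
import csv
import io
from typing import List, Tuple

# Targeting range reported for the Coruna chains, as (major, minor, patch).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '17.2' into (17, 2, 0) and '17.2.1' into (17, 2, 1).

    Comparison is numeric per component, so '17.10' sorts after '17.2'
    and '9.3.6' sorts before '13.0'; a plain string comparison gets both wrong.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_in_affected_range(version: str) -> bool:
    """True if the version lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage_inventory(csv_text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (exposed, unparsed) device lists from an inventory CSV.

    Devices whose version string cannot be parsed are reported separately
    rather than silently dropped: an unknown version is not a safe version.
    """
    exposed: List[Tuple[str, str]] = []
    unparsed: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev, ver = row["device"], row["os_version"]
        try:
            if is_in_affected_range(ver):
                exposed.append((dev, ver))
        except ValueError:
            unparsed.append((dev, ver))
    return exposed, unparsed


# Constructed sample export (hypothetical devices, not real inventory data).
# '17.10' is not a real iOS release; it is included to exercise the numeric
# comparison, which must place it above 17.2.1.
SAMPLE_EXPORT = """device,os_version
iphone-alice,17.2.1
iphone-bob,17.3
iphone-carol,16.7.5
iphone-dave,18.1
iphone-erin,12.5.7
iphone-frank,17.10
iphone-grace,unknown
"""

if __name__ == "__main__":
    exposed, unparsed = triage_inventory(SAMPLE_EXPORT)
    for dev, ver in exposed:
        print(f"EXPOSED  {dev:<14} iOS {ver}")
    for dev, ver in unparsed:
        print(f"REVIEW   {dev:<14} version {ver!r} could not be parsed")
```

On the sample data the script flags iphone-alice (17.2.1, the top of the range) and iphone-carol (16.7.5), reports iphone-grace for manual review, and leaves the 17.3, 18.1, 12.5.7 and synthetic 17.10 entries unflagged. Devices on the lower end of the range that cannot be updated further should still be treated as exposed, as the section above notes.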
