Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Google Uncovers Powerful ‘Coruna’ iOS Exploit Kit Targeting Four Years of iPhones
Cybersecurity researchers at Google have discovered a sophisticated exploit kit called Coruna that weaponizes 23 separate exploits to compromise iPhones running iOS versions 13.0 through 17.2.1, affecting nearly four years’ worth of Apple devices.
Massive Scope of Attack
The Google Threat Intelligence Group (GTIG) described Coruna—also known as CryptoWaters—as a “new and powerful” threat that represents one of the most comprehensive iOS exploit collections ever documented. The kit targets a remarkably broad range of iOS versions, from the 2019 release of iOS 13 up to iOS 17.2.1, which shipped in early 2024.
Unlike typical exploit kits that focus on single vulnerabilities, Coruna employs five complete exploit chains, each containing multiple linked exploits designed to systematically break through iOS security layers. This multi-chain approach significantly increases the kit’s success rate against different device configurations and iOS versions.
Technical Arsenal
Each exploit chain within Coruna targets specific components of iOS security architecture:
Kernel exploits that gain elevated system privileges by exploiting flaws in the iOS kernel, the core component managing system resources and security.
Safari browser exploits that leverage vulnerabilities in Apple’s WebKit engine to achieve initial code execution when victims visit malicious websites.
Sandbox escape techniques designed to break out of iOS’s restrictive app sandboxing system, which normally prevents malicious code from accessing sensitive data or system functions.
The 23 individual exploits work in coordination, with each chain serving as a backup method when others fail. This redundancy makes Coruna exceptionally reliable across different target environments.
Attack Methodology
GTIG researchers believe Coruna operates primarily through watering hole attacks—a technique where attacke