


Perceptive Security
SOC/SIEM Consultancy

Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Published: 4 March 2026 at 13:28:00
Alert date: 4 March 2026 at 15:01:36
Source: thehackernews.com
Categories: Mobile & IoT, Zero-Day Vulnerabilities, Ransomware & Malware
Google Threat Intelligence Group has identified a new and powerful exploit kit called Coruna (aka CryptoWaters) that targets Apple iPhone models. The kit targets iOS versions 13.0 through 17.2.1 using five full iOS exploit chains containing a total of 23 exploits. It is not effective against the latest version of iOS. Because its exploit chains span multiple iOS versions, it is a significant threat to devices still running older iOS releases.
Technical details
Coruna (aka CryptoWaters) is a sophisticated iOS exploit kit featuring five full iOS exploit chains and 23 exploits targeting iOS versions 13.0 to 17.2.1. The framework uses JavaScript to fingerprint devices, determine authenticity, and gather device details including iPhone model and iOS version. Based on the fingerprint data, it then loads the appropriate WebKit remote code execution exploits and executes pointer authentication code (PAC) bypasses. The kit includes reusable modules for vulnerability exploitation and uses non-public exploitation techniques and mitigation bypasses. It can deliver the PlasmaLoader (PLASMAGRID) stager binary, which decodes QR codes from images and runs additional modules to exfiltrate cryptocurrency wallets and sensitive information from apps. The implant uses a domain generation algorithm seeded with 'lazarus' to generate predictable 15-character domains under the .xyz TLD, and uses Google's public DNS resolver for validation.
Mitigation steps:
Keep iPhone and iPad devices up to date with the latest iOS/iPadOS versions
Enable Lockdown Mode for enhanced security
Use private browsing mode when possible (the exploit skips execution in private browsing)
Be cautious of websites that ask you to visit from an iPhone or iPad for a 'better user experience'
Monitor for suspicious hidden iFrame injections on websites
Affected products:
Apple iPhone (iOS 13.0 - 17.2.1)
Apple iPad (iPadOS versions corresponding to iOS 13.0 - 17.2.1)
WebKit browser engine
Base cryptocurrency wallet
Bitget Wallet
Exodus cryptocurrency wallet
MetaMask cryptocurrency wallet
Related links:
https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
https://iverify.io/press-releases/first-known-mass-ios-attack
https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
https://thehackernews.com/2024/01/apple-issues-patch-for-critical-zero.html
https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html
https://nvd.nist.gov/vuln/detail/CVE-2023-43000
https://nvd.nist.gov/vuln/detail/cve-2020-27932
https://nvd.nist.gov/vuln/detail/cve-2020-27950
https://nvd.nist.gov/vuln/detail/cve-2021-30952
https://nvd.nist.gov/vuln/detail/cve-2022-48503
https://nvd.nist.gov/vuln/detail/cve-2023-32409
https://nvd.nist.gov/vuln/detail/cve-2023-32434
https://nvd.nist.gov/vuln/detail/cve-2023-38606
https://nvd.nist.gov/vuln/detail/cve-2023-41974
https://nvd.nist.gov/vuln/detail/cve-2024-23222
https://nvd.nist.gov/vuln/detail/cve-2024-23225
https://nvd.nist.gov/vuln/detail/cve-2024-23296
https://thehackernews.com/2023/12/most-sophisticated-iphone-hack-ever.html
https://thehackernews.com/2023/06/new-zero-click-hack-targets-ios-users.html
https://thehackernews.com/2023/06/new-report-exposes-operation.html
https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html
IOCs:
cdn.uacounter[.]com
Compromised Ukrainian websites (industrial equipment, retail tools, local services, e-commerce)
Fake Chinese websites related to finance
PlasmaLoader (PLASMAGRID) stager binary
Domain generation algorithm using 'lazarus' seed
15-character domains with .xyz TLD
Hidden iFrame injections
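One way to hunt for the DNS indicators above in resolver logs, as an added example that is not code from the alert or its sources. The log format `timestamp client qname`, the lower-case alphanumeric character set, the reading of "15-character" as the label directly under .xyz, and the `min_distinct` threshold are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# IOC from the alert, kept defanged in source and refanged at load time.
IOC_DOMAINS = {"cdn.uacounter[.]com".replace("[.]", ".")}
# Assumption: "15-character .xyz domain" means a 15-char label directly under
# .xyz, lower-case alphanumeric (the alert gives only the length and the TLD).
DGA_SHAPE = re.compile(r"^[a-z0-9]{15}\.xyz$")

def scan(lines, min_distinct=3):
    """Map client IP -> sorted findings. Assumed format: 'timestamp client qname'."""
    dga_seen = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole hunt
        _, client, qname = parts
        name = qname.rstrip(".").lower()
        if name in IOC_DOMAINS:
            findings[client].add(f"ioc:{name}")
        # Compare the last two labels so subdomains of a matching name count too.
        base = ".".join(name.split(".")[-2:])
        if DGA_SHAPE.match(base):
            dga_seen[client].add(base)
    # A single 15-char .xyz name can be a benign site; several distinct ones
    # from one client is the pattern worth triaging.
    for client, names in dga_seen.items():
        if len(names) >= min_distinct:
            findings[client].add(f"dga-shape:{len(names)}")
    return {client: sorted(f) for client, f in findings.items()}

# Constructed sample log lines (not real telemetry).
SAMPLE = [
    "2026-03-04T10:00:01Z 10.0.5.21 qwertyuiopasdfg.xyz.",
    "2026-03-04T10:00:02Z 10.0.5.21 zxcvbnmlkjhgfds.xyz",
    "2026-03-04T10:00:03Z 10.0.5.21 MNBVCXZASDFGHJK.xyz",
    "2026-03-04T10:00:04Z 10.0.5.34 " + next(iter(IOC_DOMAINS)),
    "2026-03-04T10:00:05Z 10.0.5.40 exampleshopsite.xyz",
    "2026-03-04T10:00:06Z 10.0.5.40 www.example.com",
    "truncated line",
]

if __name__ == "__main__":
    for client, why in scan(SAMPLE).items():
        print(client, why)
```

Because the alert says the implant validates domains through Google's public DNS resolver, these lookups may never reach an internal resolver; feed the function from network-level DNS capture where that is available.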
This article was created with the assistance of AI technology by Perceptive.
