Google Uncovers “Coruna”: Sophisticated iOS Exploit Kit Targeting Devices from iOS 13 to 17.2.1

Modern mobile operating systems like Apple iOS rely on kernel-level protections and sandboxing, making remote exploitation extremely difficult. Yet threat actors continue to evolve sophisticated toolchains that chain multiple vulnerabilities together to achieve code execution, privilege escalation, and persistence.

In late 2025, Google’s Threat Intelligence Group (GTIG) uncovered and fully retrieved a previously unseen modular exploit kit targeting iPhones running iOS 13.0 through 17.2.1. This toolkit — internally named Coruna — is notable for combining multiple exploit chains with heavy obfuscation, multi-stage delivery logic, and post-exploitation payload capabilities.


What Is the Coruna Exploit Kit?

At its core, Coruna is a comprehensive exploit framework designed to compromise iOS devices via browser-based delivery. It was found embedded in malicious JavaScript frameworks on compromised websites and fake cryptocurrency or financial sites, hidden in iframe injections observable only during real device browsing sessions.

Key Characteristics

  • Modular framework: Components load in stages depending on device fingerprinting results.
  • Multi-chain exploits: Five exploit chains comprising 23 individual exploits covering iOS 13.0–17.2.1.
  • Advanced obfuscation and delivery: JavaScript obfuscation, unique cookies, resource hashing, and custom protocols.
  • Mitigation bypasses: Including PAC (Pointer Authentication Code) and sandbox escape techniques.

The kit integrates tightly with the WebKit rendering engine and uses device fingerprinting to select the appropriate exploit chain for the victim’s hardware and iOS version. It even checks for Apple’s “Lockdown Mode” and halts delivery when that protection is enabled.
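To show the delivery pattern described above from the detection side, here is an added example (not code from the original post or from GTIG) that scans captured page HTML for hidden, off-origin iframes of the kind used for injection; the sample HTML, host names and function names are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that commonly hide an injected frame from the viewer.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|"
    r"(?:width|height)\s*:\s*0(?:px)?(?![.\d])|left\s*:\s*-\d{3,}px", re.I)


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the iframe's style, size or 'hidden' attribute conceals it."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:   # 0x0 or 1x1 pixel frames
            return True
    return "hidden" in attrs


def find_suspicious_iframes(html, page_url):
    """Return src URLs of iframes that are both hidden and off-origin."""
    page_host = urlparse(page_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""      # "" for relative URLs
        if src_host and src_host != page_host and is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed sample page: one legitimate frame, two hidden injected ones,
# and one hidden same-origin frame that should not be flagged.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="600" height="400"></iframe>
<iframe src="https://cdn.example-invalid.test/loader.html" style="display:none"></iframe>
<iframe src="https://stage.example-invalid.test/x" width="1" height="1"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML, "https://www.example.com/"))
```

Run it over HTML captured from a real browsing session, since injected frames of this kind may be served only to real devices.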


Discovery Timeline of Coruna

The journey of Coruna through the threat landscape illustrates how sophisticated attack tooling moves between actors:

  1. Early Signals (Feb 2025): GTIG first observed fragments of an embedded iOS exploit in JavaScript from a commercial surveillance vendor’s toolkit.
  2. Regional Targeting: The same exploit framework was hosted on compromised Ukrainian sites, delivering WebKit RCE and PAC bypass exploits to select visitors. GTIG collaborated with CERT-UA to take down these assets.
  3. Mass Distribution via Chinese Scam Sites: Later in 2025, Coruna was widely deployed on fake financial and crypto sites targeting global audiences. GTIG recovered hundreds of samples covering complete exploit chains.

These observation points suggest Coruna moved from specialized targeted tools to more widespread use — potentially through underground exploit markets or shared tooling.


Technical Framework & Delivery Logic

Coruna is more than a set of vulnerabilities — it is an engineered exploitation ecosystem:

1. JavaScript Delivery Engine

  • Fingerprints devices to avoid virtual machines or detection environments.
  • Encodes strings and logic through obfuscated scripts.
  • Dynamically selects the best exploit chain based on device and OS version.

2. Exploit Chains & Components

Each chain includes a series of exploit primitives, including Remote Code Execution (RCE), WebKit sandbox escapes, kernel privilege escalation, and pointer authentication bypass routines. Combined, they produce a full compromise from a single browsing session on a targeted page.

A sampling of exploit types:

  • WebKit memory read/write exploits
  • PAC bypass modules
  • Sandbox escapes
  • Kernel escalations
  • Privilege bypass routines

Across these categories, developers assigned internal code names and documented many of the modules — a rare practice in exploit toolkits that aids GTIG’s reverse engineering.


Post-Exploitation Payload — PlasmaLoader

After exploiting the target, Coruna delivers a payload dubbed PlasmaLoader:

  • Injects into powerd, a root-level process on iOS.
  • Designed not as pure surveillance software but to harvest financial information, wallet data, and sensitive text like crypto backup phrases.
  • Loads additional modules from attacker servers with domain generation logic.

This final component shows that Coruna is tailored for value extraction rather than only espionage — a troubling shift towards financially motivated high-impact attacks.


Mitigations & Recommendations

While Coruna is not effective against the latest versions of iOS, the following strategies increase resilience:

  • Update iOS regularly: Running the latest iOS version protects against many exploit chains.
  • Enable Lockdown Mode: Significantly hampers silent exploit delivery.
  • Avoid suspicious sites and crypto scams: Many delivery mechanisms use fraudulent web fronts to lure victims.

GTIG has also added indicators of compromise to services like Google Safe Browsing to protect users from known malicious domains.


Summary

The Coruna exploit kit represents one of the most comprehensive and modular iOS exploitation toolchains observed in recent years — combining multiple zero-day exploits, sophisticated automation, and financially focused post-exploitation payloads. Its trajectory from targeted regional use to widespread deployment demonstrates how complex exploit ecosystems can migrate through different actor communities.

Staying informed and patched is mission-critical for defenders and device owners alike. Updating devices and following platform security guidance remain the most effective defenses against toolkits like Coruna.