Google Threat Intelligence Group, earlier this week:
Google Threat Intelligence Group (GTIG) has identified a new and
powerful exploit kit targeting Apple iPhone models running iOS
version 13.0 (released in September 2019) up to version 17.2.1
(released in December 2023). The exploit kit, named “Coruna” by
its developers, contained five full iOS exploit chains and a total
of 23 exploits. The core technical value of this exploit kit lies
in its comprehensive collection of iOS exploits, with the most
advanced ones using non-public exploitation techniques and
mitigation bypasses.The Coruna exploit kit provides another example of how
sophisticated capabilities proliferate. Over the course of
2025, GTIG tracked its use in highly targeted operations initially
conducted by a customer of a surveillance vendor, then
observed its deployment in watering hole attacks targeting
Ukrainian users by UNC6353, a suspected Russian espionage group.
We then retrieved the complete exploit kit when it was later used
in broad-scale campaigns by UNC6691, a financially motivated
threat actor operating from China. How this proliferation occurred
is unclear, but suggests an active market for “second hand”
zero-day exploits. Beyond these identified exploits, multiple
threat actors have now acquired advanced exploitation techniques
that can be re-used and modified with newly identified
vulnerabilities.
