Security researchers have identified a powerful exploit framework targeting Apple iPhones running older versions of the iOS operating system.
The toolkit, called Coruna and also known as CryptoWaters, includes multiple exploit chains capable of targeting devices running iOS versions from 13.0 through 17.2.1, according to researchers from Google’s Threat Intelligence Group.
The framework contains five full exploit chains and a total of 23 vulnerabilities. Researchers said the exploit kit is not effective against the most recent versions of iOS.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” Google researchers said.
They added that the infrastructure supporting the kit is carefully designed and integrates several exploit components into a unified framework.
“The framework surrounding the exploit kit is extremely well engineered. The exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.”
According to researchers, the exploit kit has circulated among several types of threat actors since early 2025.
The toolkit first appeared in a commercial surveillance operation before being used by a government-backed attacker.
By late 2025, it had reached a financially motivated threat group operating from China.
Investigators say the movement of the exploit kit between groups suggests a growing underground market where previously developed zero-day tools are resold and reused.
Security firm iVerify said the spread of Coruna demonstrates how advanced surveillance tools can move beyond their original operators.
“Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,” the company said.
Researchers first detected elements of the exploit chain in early 2025 when a surveillance customer used it within a JavaScript framework that had not been previously documented.
The framework gathers information about the targeted device including the model and the iOS version running on it.
Based on this fingerprinting data, the framework delivers a suitable WebKit remote code execution exploit.
One of the vulnerabilities used in the chain was CVE-2024-23222, a type confusion flaw in Apple’s WebKit browser engine that was patched in January 2024.
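Because the kit selects an exploit from the device's reported model and iOS version, the practical defensive check is an inventory sweep: which managed devices still run a version in the range the article gives (13.0 through 17.2.1)? The following is an added example written for this page, not code from Google, iVerify or the Coruna kit itself. It assumes a constructed CSV-style inventory (device id, then either a bare version string or a browser User-Agent), parses both forms, and buckets each device as affected, unaffected, or unknown.

```python
"""Added example: flag devices whose iOS version falls inside the range the
Coruna kit is reported to target (13.0 through 17.2.1, per the article).

The inventory format and sample rows below are constructed for this example;
real MDM exports or proxy logs will differ, but the version logic is the same.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Range stated in the article. Newer releases are reported as not affected.
AFFECTED_MIN: Version = (13, 0, 0)
AFFECTED_MAX: Version = (17, 2, 1)

# Bare "X.Y" / "X.Y.Z" strings, or the "OS X_Y_Z" token Safari puts in its UA.
_BARE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_UA_RE = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None if no iOS version is recognisable."""
    text = text.strip()
    m = _BARE_RE.fullmatch(text) or _UA_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_in_affected_range(version: Version) -> bool:
    """Tuple comparison keeps 17.10 above 17.2.1 (no string-order bugs)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage_inventory(rows: List[str]) -> Dict[str, List[str]]:
    """Bucket 'device_id,version-or-UA' rows into affected/unaffected/unknown."""
    result: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for row in rows:
        if not row.strip() or row.startswith("#"):
            continue
        device_id, _, detail = row.partition(",")
        version = parse_version(detail)
        if version is None:
            result["unknown"].append(device_id)
        elif is_in_affected_range(version):
            result["affected"].append(device_id)
        else:
            result["unaffected"].append(device_id)
    return result


# Constructed sample inventory (not real devices or logs).
SAMPLE_INVENTORY = [
    "# device_id,version_or_user_agent",
    "dev-001,17.2.1",
    "dev-002,17.3",
    "dev-003,12.5.7",
    "dev-004,Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_10 like Mac OS X) AppleWebKit/605.1.15",
    "dev-005,Mozilla/5.0 (iPad; CPU OS 17_10 like Mac OS X) AppleWebKit/605.1.15",
    "dev-006,unknown",
]

if __name__ == "__main__":
    for bucket, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices in the "unknown" bucket deserve a second look rather than being ignored: a missing or unparseable version is itself a gap in the inventory. The range check says only whether a device is within the kit's reported target window; it does not identify a compromise, which requires the indicators and forensic checks the researchers publish separately.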
The framework appeared again in July 2025 when it was discovered on a domain used to deliver malicious content through hidden iframes on compromised websites in Ukraine.
These sites included pages related to industrial tools, retail services and e-commerce platforms.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents