Coruna Exploit Kit Targets iPhones: Mass iOS Exploitation Observed

Google has identified a powerful exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone devices running iOS 13.0 through 17.2.1.

The toolkit includes five full exploit chains and 23 separate vulnerabilities — some using advanced, non-public techniques. It is not effective against the latest iOS versions, meaning patched devices are protected.

What Is It?

Coruna is a sophisticated iOS exploit framework originally linked to commercial surveillance activity. Over time, it reportedly circulated between threat actors — including nation-state and financially motivated groups.

It delivers WebKit-based exploits (including patched CVEs like CVE-2024-23222) through compromised or fake websites. Once triggered, it can deploy additional malware capable of stealing cryptocurrency wallets and sensitive app data.

What makes this different?

This appears to be one of the first observed mass exploitation campaigns targeting iOS devices, rather than highly targeted spyware operations.

Why Should You Care?

For years, iPhones were seen as “low risk” compared to other platforms.

This campaign shows:

• Exploit kits for iOS are being reused and resold

• Zero-days are entering broader criminal markets

• Spyware-grade tools are shifting toward mass deployment

If devices aren’t updated, they may be exposed — especially when browsing compromised sites.

What Can You Do?

Simple but critical steps:

• ✅ Keep all iPhones and iPads updated to the latest iOS version

• ✅ Enable Lockdown Mode on high-risk devices

• ✅ Limit unmanaged BYOD access to corporate data

• ✅ Educate users about suspicious or finance-themed websites

Mobile threats are evolving. iOS is no longer immune to large-scale exploitation.

If your organization relies on mobile devices for business operations, Britec can help you assess your mobile security posture and ensure you’re not exposed to outdated vulnerabilities.

Stay updated. Stay protected.