Full Report
From the Google Threat Intelligence Group: Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of...
Analysis Summary
# Tool/Technique: Coruna Exploit Kit
## Overview
Coruna is a sophisticated and powerful iOS-specific exploit kit identified by the Google Threat Intelligence Group (GTIG). It is designed to weaponize multiple vulnerabilities to deliver surveillance or malware payloads. The kit is notable for its high level of technical maturity, featuring multiple full exploit chains that target a wide range of iOS versions. It has been observed transitioning from use by commercial surveillance vendors to state-backed espionage groups and, eventually, financially motivated actors.
## Technical Details
- **Type:** Exploit Kit / Framework
- **Platform:** iOS (Versions 13.0 through 17.2.1)
- **Capabilities:** Multi-stage exploitation, mitigation bypass, watering hole deployment.
- **First Seen:** Tracked activity throughout 2025 (targeting vulnerabilities dating back to 2019).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise] (Watering hole attacks targeting specific user groups)
- **[TA0002 - Execution]**
  - [T1203 - Exploitation for Client Execution] (Use of 23 distinct exploits)
- **[TA0004 - Privilege Escalation]**
  - [T1068 - Exploitation for Privilege Escalation] (Kernel-level exploit chains)
- **[TA0005 - Defense Evasion]**
  - [T1548 - Abuse Elevation Control Mechanism] (Bypassing iOS security mitigations)
## Functionality
### Core Capabilities
- **Comprehensive Exploit Library:** Contains 23 individual exploits bundled into five full, end-to-end iOS exploit chains.
- **Broad Version Targeting:** Capable of compromising Apple devices running legacy OS versions (iOS 13) as well as relatively modern versions (iOS 17.2.1).
- **Automated Delivery:** Utilized in watering hole attacks to infect users automatically upon visiting compromised websites.
### Advanced Features
- **Non-Public Techniques:** Employs sophisticated exploitation methods of "zero-day" quality that were not part of public research at the time of discovery.
- **Mitigation Bypasses:** Advanced code designed specifically to circumvent Apple’s hardware and software security protections (e.g., PAC, PPL).
- **Cross-Sector Proliferation:** The kit’s architecture allows it to be easily "re-sold" or transferred between different types of threat actors, from surveillance companies to cybercriminals.
## Indicators of Compromise
*Note: Specific file hashes and C2 addresses were not detailed in the provided summary article. General behavioral indicators are listed below.*
- **File Hashes:** [Not provided in source]
- **File Names:** [Not provided in source]
- **Network Indicators:** [Not provided in source; monitor for connections to suspicious third-party domains during web browsing]
- **Behavioral Indicators:**
  - Unexpected system reboots on iOS devices.
  - Increased battery drain or device heat while browsing specific regional websites (indicative of exploitation attempts).
  - Presence of unauthorized configuration profiles.
## Associated Threat Actors
- **Commercial Surveillance Vendors (CSVs):** Initial developers and primary users for targeted spying.
- **UNC6353:** A suspected Russian espionage group that utilized the kit in watering hole attacks targeting Ukrainian users.
- **UNC6691:** A financially motivated threat actor operating from China that used the kit for broad-scale campaigns.
## Detection Methods
- **Signature-based detection:** Scanning for known exploit strings within web traffic and mobile backups.
- **Behavioral detection:** Monitoring for unusual process spawning in iOS (e.g., shell access or unauthorized escalation from the browser sandbox).
- **System Integrity Checks:** Using mobile security suites to verify the integrity of the iOS kernel and system partition.
## Mitigation Strategies
- **Patch Management:** **Immediately update iOS to the latest available version.** The kit specifically targets versions up to 17.2.1; newer versions contain mitigations against these specific chains.
- **Lockdown Mode:** Enable Apple's "Lockdown Mode" for high-risk individuals to reduce the attack surface of the browser and OS.
- **Safe Browsing:** Avoid visiting unverified or high-risk regional websites that may serve as watering holes.
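The patch-management and Lockdown Mode points above can be turned into a fleet check. The following Python script is an added example, not code from the GTIG report or from Apple: it parses iOS version strings from an MDM inventory, flags devices inside the reported 13.0 to 17.2.1 range, and flags high-risk users who have not enabled Lockdown Mode. The inventory field names (`name`, `os_version`, `lockdown_mode`, `high_risk`) are assumed, and the sample inventory is constructed.

```python
# Added example, not part of the GTIG report: triage an MDM device inventory
# against the iOS range Coruna is reported to target (13.0 through 17.2.1).
# Versions are compared as integer tuples rather than strings, so "17.3" and
# a hypothetical "17.10" both sort after "17.2.1" and "17.2" sorts before it.

AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)
MSG_AFFECTED = "iOS version in Coruna-affected range: update immediately"
MSG_NO_LOCKDOWN = "high-risk user without Lockdown Mode"
MSG_UNPARSEABLE = "unparseable OS version: verify manually"


def parse_ios_version(text):
    """'17.2' -> (17, 2, 0); raises ValueError on anything non-numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected version format: %r" % text)
    return parts + (0,) * (3 - len(parts))


def in_coruna_range(version):
    """True when a parsed 3-tuple lies within [13.0.0, 17.2.1] inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage_inventory(devices):
    """Return (device_name, finding) pairs for every device needing action.
    Field names are assumed; adapt them to your MDM export."""
    findings = []
    for d in devices:
        try:
            version = parse_ios_version(d["os_version"])
        except ValueError:
            findings.append((d["name"], MSG_UNPARSEABLE))
            continue  # cannot judge the patch level, so skip further checks
        if in_coruna_range(version):
            findings.append((d["name"], MSG_AFFECTED))
        if d.get("high_risk") and not d.get("lockdown_mode"):
            findings.append((d["name"], MSG_NO_LOCKDOWN))
    return findings


# Constructed sample inventory resembling an MDM export (not real devices).
SAMPLE_INVENTORY = [
    {"name": "iphone-finance-01", "os_version": "17.2.1", "lockdown_mode": False, "high_risk": False},
    {"name": "iphone-exec-02", "os_version": "17.3", "lockdown_mode": False, "high_risk": True},
    {"name": "iphone-legacy-03", "os_version": "12.5.7", "lockdown_mode": False, "high_risk": False},
    {"name": "iphone-field-04", "os_version": "16.x", "lockdown_mode": True, "high_risk": True},
]

if __name__ == "__main__":
    for name, finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Devices older than iOS 13 fall outside the reported range and are not flagged here, even though they are unsupported and should be retired on their own merits.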
## Related Tools/Techniques
- **Pegasus (NSO Group):** Similar in its use of zero-click and one-click iOS exploit chains.
- **Predator (Cytrox):** A comparable commercial surveillance tool targeting mobile platforms.
- **Operation Triangulation:** A similar campaign involving sophisticated multi-stage iOS exploits discovered by Kaspersky.