Coruna: the iOS exploit kit that could turn your iPhone into an attack target

Published · 6 min read

Google's Threat Intelligence Group (GTIG) has published an analysis of a set of exploitation tools for iPhone that, given its complexity and reach, deserves immediate attention. It has been named Coruna (also tracked as CryptoWaters). It is a modular and highly sophisticated exploit kit that bundles several complete attack chains for different iOS versions and that, according to Google's analysis, has been circulating among different actors throughout 2025. Google's technical report is published on its threat intelligence blog, and initial press coverage appeared in WIRED.

What makes Coruna dangerous is not only the quality of the exploits it includes but the way they are assembled. Google describes a JavaScript framework that first fingerprints the device to identify its model and iOS version, then loads the WebKit exploit that matches that version. It then chains a bypass of the platform's mitigations, such as evading PAC (Pointer Authentication Codes), and runs the payload. It is a complete chain: reconnaissance, remote code execution and privilege escalation on the device.
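The reconnaissance-and-dispatch step described above, as an added example written for this article (it is not Coruna's code and not taken from Google's report): the script parses the iOS version out of the Safari user-agent string and selects the chain whose version range covers it. The chain names and the per-chain ranges are hypothetical; the page only says that the five chains together span iOS 13 to 17.2.1. How the kit detects Lockdown Mode or private browsing is not described on the page, so those checks are modelled as flags supplied by the caller. Plain Node.js, no dependencies.

```javascript
// Added example (not Coruna's code): the reconnaissance-and-dispatch step of a
// version-gated WebKit exploit kit. Chain names and ranges are hypothetical.

// Returns [major, minor, patch] from an iPhone/iPad/iPod WebKit UA such as
// "... CPU iPhone OS 17_2_1 like Mac OS X ...", or null for anything else.
// Caveat: iPads on iPadOS default to a desktop (Macintosh) UA, so a real kit
// would combine this with other fingerprinting signals.
function parseIOSVersion(ua) {
  const m = /(?:iPhone|iPad|iPod).*?OS (\d+)_(\d+)(?:_(\d+))?/.exec(ua);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Hypothetical chain table (inclusive ranges). In a real kit each entry would
// reference a WebKit exploit plus the mitigation bypass (e.g. PAC) for that
// build; here it is only a name.
const CHAINS = [
  { name: "chain-ios13-14", min: [13, 0, 0], max: [14, 8, 1] },
  { name: "chain-ios15",    min: [15, 0, 0], max: [15, 8, 3] },
  { name: "chain-ios16",    min: [16, 0, 0], max: [16, 7, 10] },
  { name: "chain-ios17",    min: [17, 0, 0], max: [17, 2, 1] },
];

// Dispatcher. The article says the kit refuses to run in Lockdown Mode or
// private browsing; detection of those states is not described, so the
// caller passes the flags in (assumption).
function selectChain(ua, env = {}) {
  if (env.lockdownMode || env.privateBrowsing) {
    return { action: "abort", reason: "hardened-environment" };
  }
  const version = parseIOSVersion(ua);
  if (!version) return { action: "abort", reason: "not-ios" };
  for (const c of CHAINS) {
    if (cmpVersion(version, c.min) >= 0 && cmpVersion(version, c.max) <= 0) {
      return { action: "load", chain: c.name, version };
    }
  }
  // A patched (newer) or otherwise uncovered build gets nothing: this is why
  // staying on the latest iOS defeats a kit like this.
  return { action: "abort", reason: "unsupported-version", version };
}

// Constructed sample run.
const SAMPLE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1";
console.log(selectChain(SAMPLE_UA));
console.log(selectChain(SAMPLE_UA.replace("17_2_1", "17_3")));
```

The point to take from the dispatcher is the last branch: a device whose version falls outside every range simply receives no exploit, which is the mechanical reason the article's "keep iOS updated" advice works against this kit.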

Image generated with AI.

The analysis identified five complete exploit chains and a total of 23 exploits targeting iOS versions from 13 through 17.2.1. Among the vulnerabilities used are flaws recorded in the NVD such as CVE-2024-23222 and CVE-2023-43000, alongside older ones spanning a wide range of patch levels. Google also notes that some modules reuse techniques observed in earlier campaigns, suggesting "plug-and-play" components within the kit.

Telemetry reconstructs an interesting story about how this toolset has changed hands. According to the researchers, parts of the exploit kit first appeared in the hands of a customer of a commercial surveillance vendor in early 2024; it was later observed in use by a state actor and, finally, by a financially motivated group from China in late 2025. This trajectory illustrates the existence of an active market for zero-day exploits and how tools initially designed for targeted surveillance can end up being used in mass campaigns.

The specific uses in the wild have varied. In July 2025 the framework was detected loading through a hidden iframe from the domain cdn.uacounter[.]com on compromised sites in Ukraine, targeting only iPhone users in certain locations; the activity was attributed to a suspected actor tracked as UNC6353. In December 2025 the same tooling reappeared in a network of fake financial-themed sites in China, this time without geographic restrictions and associated with an actor tracked as UNC6691. The mobile security vendor iVerify warns that Coruna represents one of the first cases in which "state-grade" spyware capabilities move to a broader, more commercialized deployment; its report is publicly available.

Once the exploit achieves initial access, the operators do not stop at the compromised device: delivery of a loader called PlasmaLoader or PLASMAGRID has been observed, designed to decode QR codes embedded in images and download additional modules from external servers. These modules can target the exfiltration of data from cryptocurrency applications such as Base, Bitget Wallet, Exodus or MetaMask, which makes this vector a direct risk to users who keep wallets on their phones.

Operators have added resilience mechanisms: the implant contains hard-coded command-and-control servers and a domain generation algorithm (DGA) that, according to Google, uses the string "lazarus" as a seed to generate predictable domains under the .xyz TLD; it also resolves those domains through Google's public DNS to check whether they are active. A debug build of the kit was also found on the attackers' infrastructure, which helped the researchers map the five full exploit chains and the 23 vulnerabilities exploited.
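A log-side check for the C2 lookup pattern described above, as an added example (not Google's code, and not a reproduction of Coruna's DGA, whose algorithm this page does not give). It flags DNS queries that match the observable shape the article describes: resolver 8.8.8.8 or 8.8.4.4, TLD .xyz, and a second-level label whose character entropy looks machine-generated. The log line format, the entropy and length thresholds, and the sample lines are all constructed for the example. Plain Node.js.

```javascript
// Added example (not Google's code, not Coruna's DGA): flag DNS queries that
// look like generated .xyz C2 probes sent through Google public DNS.

// Shannon entropy of a string in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed line format: "<timestamp> <client-ip> <resolver-ip> <qname> <qtype>"
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null;
  const [ts, client, resolver, qname, qtype] = parts;
  return { ts, client, resolver, qname: qname.toLowerCase().replace(/\.$/, ""), qtype };
}

// Google public DNS resolvers, the check-in path the article describes.
const GOOGLE_DNS = new Set(["8.8.8.8", "8.8.4.4"]);

// A query is suspicious when all three signals line up. Thresholds are
// tunable assumptions: entropy >= 3.3 bits and label length >= 10 catch
// random-looking labels while leaving short dictionary names alone.
function isSuspicious(rec, opts = { minEntropy: 3.3, minLabelLen: 10 }) {
  if (!GOOGLE_DNS.has(rec.resolver)) return false;
  const labels = rec.qname.split(".");
  if (labels.length < 2 || labels[labels.length - 1] !== "xyz") return false;
  const sld = labels[labels.length - 2];
  return sld.length >= opts.minLabelLen && entropy(sld) >= opts.minEntropy;
}

// Returns the suspicious records plus per-client counts, so a device that
// walks through many candidate domains in a short window stands out.
function scanDnsLog(text) {
  const hits = text.split("\n").map(parseLine).filter(r => r && isSuspicious(r));
  const byClient = {};
  for (const h of hits) byClient[h.client] = (byClient[h.client] || 0) + 1;
  return { hits, byClient };
}

// Constructed sample: one phone (10.0.0.12) probing three generated-looking
// .xyz names via 8.8.8.8, plus ordinary traffic that must not be flagged.
const SAMPLE_LOG = `
2025-12-02T10:00:01Z 10.0.0.12 8.8.8.8 qp9kz3v7xm2lw.xyz A
2025-12-02T10:00:01Z 10.0.0.12 8.8.8.8 h4tg8n2rv1ckd.xyz A
2025-12-02T10:00:02Z 10.0.0.12 8.8.8.8 b7mx3qzw9fkp2.xyz A
2025-12-02T10:00:02Z 10.0.0.12 10.0.0.1 www.apple.com A
2025-12-02T10:00:03Z 10.0.0.15 8.8.8.8 shop.xyz A
2025-12-02T10:00:04Z 10.0.0.15 10.0.0.1 qp9kz3v7xm2lw.xyz A
2025-12-02T10:00:05Z 10.0.0.20 8.8.8.8 cdn.example.com AAAA
`;

console.log(scanDnsLog(SAMPLE_LOG));
```

The resolver signal only works on networks where DNS traffic to outside resolvers is visible; if the network simply blocks direct queries to 8.8.8.8, that block is itself the control. Where the seed and the generation routine are available from the full report, precomputing the candidate domains and blocking them outright is stronger than any entropy heuristic, since the article notes the domains are predictable by design.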

A relevant technical detail is that Coruna refuses to run if the device is in Lockdown Mode or if the user is browsing in private mode. Apple documents Lockdown Mode, which drastically limits the attack surface for targeted threats. Note the distinction: on a Lockdown Mode device the kit bails out by its own check, on top of whatever the mode's restrictions would actually block. In addition, Apple has patched many of the exploited vulnerabilities in recent updates; checking the official Apple security updates page is good practice.

What does this mean for an average user? First, not every iPhone was vulnerable: Coruna exploited flaws affecting specific iOS versions and, according to Google, is not effective against the latest releases, which already include the necessary patches. However, many devices are not kept up to date and remain easy targets. Second, the delivery method: compromised legitimate sites, or fake pages that expressly ask you to visit them "from your iPhone for a better experience", are clear lures; if a site insists that you open it on a phone, be suspicious. Third, if you use cryptocurrency wallets on the device, take extra care with links, QR codes and prompts that offer downloads or "improved experiences".

Image generated with AI.

The practical and urgent recommendation is clear: update your iPhone to the latest iOS version Apple publishes and, if you want an extra layer of protection, enable Lockdown Mode. Keeping automatic updates on, not opening suspicious links from SMS or social networks, and not using open Wi-Fi networks for sensitive transactions significantly reduces risk. For security administrators and professionals, the finding underlines the need to monitor unusual traffic, review iframes and third-party sources on web pages, and consider additional detection of WebKit exploitation on managed devices.
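One way to act on the "review iframes and third-party sources" advice, as an added example written for this article (not from Google's report or iVerify's): an offline check that flags iframes which are both hidden and load content from a domain other than the page's own, the delivery shape described for the Ukrainian campaign above. It is regex-based so it runs in plain Node.js with no DOM library; for production use, parse with a real HTML parser and use the public suffix list for the same-site test. The sample page and every domain in it are constructed.

```javascript
// Added example (not from the article or Google's report): flag hidden
// third-party iframes in a page, the delivery pattern the campaign used.

// Collect every <iframe ...> tag with its attributes (lower-cased names).
// Bare attributes such as "hidden" are captured with an empty value.
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    frames.push(attrs);
  }
  return frames;
}

// "Hidden" heuristics: hidden attribute, display:none / visibility:hidden /
// opacity:0 in the inline style, a zero-size style, or a 0/1-pixel frame.
function isHidden(attrs) {
  if ("hidden" in attrs) return true;
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  if (/display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)) return true;
  if (/(?:^|;)(?:width|height):0(?:px)?(?:;|$)/.test(style)) return true;
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  return (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
}

// Resolve the frame's src against the page and return its hostname.
function frameHost(src, pageHost) {
  try {
    return new URL(src, "https://" + pageHost + "/").hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Simplified "same site": compare the last two DNS labels. Good enough for
// the sample; real code should consult the public suffix list.
function sameSite(a, b) {
  const site = h => h.split(".").slice(-2).join(".");
  return site(a) === site(b);
}

// Flag iframes that are hidden AND pull content from another site.
function findSuspiciousIframes(html, pageHost) {
  return extractIframes(html)
    .filter(attrs => attrs.src)
    .map(attrs => ({ src: attrs.src, host: frameHost(attrs.src, pageHost), hidden: isHidden(attrs) }))
    .filter(f => f.host && f.hidden && !sameSite(f.host, pageHost))
    .map(f => ({ src: f.src, host: f.host }));
}

// Constructed sample page on news.example.com: one same-site widget, one
// visible embed from a sibling host, and two hidden third-party frames.
const SAMPLE_HTML = `
<html><body>
<h1>Local news</h1>
<iframe src="/widgets/weather.html" width="300" height="120"></iframe>
<iframe src="https://video.example.com/embed/42" width="640" height="360"></iframe>
<iframe src="https://cdn.stats-example.test/loader.html" style="display:none; width:0; height:0"></iframe>
<iframe src="//pixel.tracker-example.test/p.html" width="1" height="1"></iframe>
</body></html>`;

console.log(findSuspiciousIframes(SAMPLE_HTML, "news.example.com"));
```

A visible third-party iframe is deliberately not flagged by this check: it is normal on most sites, and the discriminating signal in the campaign was the combination of hidden placement and an off-site source. Run the check against a saved copy of each page rather than live HTML, since the article notes the kit only served itself to certain locations and device types, so a crawler may never see the frame.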

Beyond the technical guidance, Coruna marks a turning point: for the first time, according to several analysts, large-scale use of an iOS exploit toolkit that originally looked "spyware-grade" has been documented. This passage from commercial tools to state actors and, finally, to profit-driven criminals shows how the availability of valuable vulnerabilities accelerates the contamination of the ecosystem. For technical details and the chronology, Google's reports and the specialized coverage are the recommended sources: the GTIG report, the WIRED piece and iVerify's analysis.

In the end the lesson is the usual one, only more urgent: outdated software is an open door. Keep your device up to date, enable additional protections such as Lockdown Mode, and distrust sites or messages that ask you to take specific actions on your iPhone, especially opening links, downloading content or scanning QR codes. Coruna is a reminder that surveillance and exploitation tools can end up turned into far-reaching weapons.
