
"The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks."
"Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations. The use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment."
Google Threat Intelligence Group discovered Coruna (CryptoWaters), a sophisticated iOS exploit kit containing five complete exploit chains and 23 total exploits targeting Apple iPhone models running iOS versions 13.0 through 17.2.1. The kit features advanced non-public exploitation techniques and mitigation bypasses with well-engineered framework architecture. Since February 2025, the exploit kit has circulated among multiple threat actors, transitioning from commercial surveillance operations to government-backed attackers and finally to financially motivated Chinese threat actors by December. The findings reveal an active market for second-hand zero-day exploits, enabling threat actor reuse. Security researchers note similarities to U.S. government-affiliated frameworks and identify this as the first observed mass exploitation against iOS devices, marking a shift from targeted spyware attacks to broad criminal deployment.
#ios-security-vulnerabilities #exploit-kit-distribution #threat-actor-proliferation #zero-day-exploits #mobile-spyware
Read at The Hacker News