Published: 2026-03-13
Categories: Mobile Security, Threat Intelligence, Commercial Surveillance, Vulnerability Management
Key Takeaways
- Coruna is a JavaScript-delivered iOS exploit kit comprising 23 exploits organized across five sequential exploitation chains, capable of achieving full device compromise — including kernel and Page Protection Layer (PPL) bypass — from a single malicious web page visit on iPhones running iOS 13.0 through iOS 17.2.1 [1][2].
- Google’s Threat Intelligence Group (GTIG) and mobile security firm iVerify simultaneously disclosed the kit on March 3–5, 2026, after tracking it from its initial deployment in February 2025 [1][3].
- Attribution reporting links the kit’s origin to L3Harris Trenchant, a U.S. defense contractor’s offensive cyber division, with a former executive sentenced in early 2026 to 87 months in prison for selling eight zero-day exploits — including components of Coruna — to a Russian exploit broker for approximately $1.3 million in cryptocurrency (attribution contested; see Discovery and Attribution section) [4][5].
- The kit migrated from targeted surveillance operations to a Russian espionage watering-hole campaign in mid-2025 and then to mass-scale Chinese financially motivated cybercrime by December 2025 — traversing the intelligence-to-criminal pipeline in under a year [1][5][6].
- Apple’s Lockdown Mode explicitly blocks Coruna — the framework checks for it and halts execution — providing a confirmed effective defense for high-risk users while broader patches for older iOS devices were released as emergency updates in March 2026 [7][8].
- CISA added three associated CVEs (CVE-2021-30952, CVE-2023-41974, CVE-2023-43000) to its Known Exploited Vulnerabilities catalog on March 5, 2026, mandating federal agency remediation by March 26, 2026 [9].
Background
The Commercial Exploit Ecosystem and iOS as a High-Value Target
iOS devices have commanded exploit prices ranging from hundreds of thousands to millions of dollars on commercial and gray markets, making them among the highest-value targets in the commercial surveillance industry [10]. Their ubiquity among government officials, journalists, activists, and executives — combined with Apple’s historically strong security posture — means that functional iOS exploit chains remain in persistent demand. The dominant commercial surveillance vendors, including NSO Group (Pegasus), Candiru, and Intellexa, have spent years developing and maintaining iOS zero-day libraries.
What makes the Coruna disclosure analytically significant is not merely its technical sophistication, but the documented trajectory its components followed: from a U.S. government contractor to a Russian intelligence broker to nation-state espionage operations and, ultimately, mass-scale criminal campaigns — all within a 12-month window [5].
Discovery and Attribution
Google GTIG first observed a partial iOS exploit chain in February 2025 during investigation of a surveillance vendor customer’s operations. Over the following year, the framework appeared in increasingly diverse contexts before GTIG and iVerify coordinated simultaneous public disclosure between March 3 and 5, 2026 [1][3]. The name “Coruna” comes from a debug version of the kit inadvertently exposed by a threat actor, which revealed all internal exploit codenames. iVerify, which independently tracked the framework under the internal designation “CryptoWaters,” confirmed GTIG’s findings and identified additional targeting of WhatsApp beyond what GTIG had documented [3].
The origin story is intertwined with a federal criminal case. Peter Williams, 39, a former general manager at Trenchant — the offensive cyber division of U.S. defense contractor L3Harris — was sentenced in early 2026 to 87 months in federal prison for stealing at least eight zero-day exploits from L3Harris over three years beginning in 2022 and selling them to Operation Zero, a Russian exploit broker, for approximately $1.3 million in cryptocurrency [4][5]. Security researcher Costin Raiu noted that the bird-themed naming convention used for Coruna’s exploits — Cassowary, Terrorbird, Bluebird, Jacurutu, Sparrow, Photon, Gallium — is consistent with Trenchant’s known internal conventions, where their most public prior chain was named “Condor” [4]. Kaspersky disputed aspects of the attribution: researcher Boris Larin publicly rejected the inference that Coruna shares code with Operation Triangulation, stating that Kaspersky found “no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors” [11]. The precise path from Trenchant to public operational use via Operation Zero remains under investigation.
Security Analysis
Exploitation Architecture: Five Sequential Chains
Coruna is delivered as a JavaScript web framework that fingerprints the visiting device — inferring iPhone model and iOS version — before selecting and executing the most suitable of five exploitation chains. This fingerprinting step is also where the framework detects Lockdown Mode and private browsing, halting execution if either is active [7]. Each chain is designed to achieve full device compromise from a web-based drive-by: no user interaction beyond visiting a malicious or compromised page is required.
The five chains are architecturally sequential in capability: each layer builds on the previous one to escalate from initial code execution within the browser to complete operating system control.
| Chain Stage | Exploit Class | Function |
|---|---|---|
| 1. WebKit RCE | Use-after-free, memory corruption | Entry point; arbitrary code execution within Safari/WebKit renderer |
| 2. PAC Bypass | Pointer Authentication Code circumvention | Defeats Apple hardware-backed code-pointer signing |
| 3. Sandbox Escape | Privilege boundary violation | Breaks out of the WebKit sandbox to broader system access |
| 4. Kernel Privilege Escalation | Integer overflow, type confusion | Elevates from process-level to kernel-level control |
| 5. PPL Bypass | Page Protection Layer circumvention | Defeats Apple’s deepest memory protection layer; achieves full OS control |
Each of the five chains targets a specific iOS version range within the iOS 13.0–17.2.1 window, allowing the kit to maintain operational coverage across approximately four years of device software. Because the kit fingerprints before attacking, it selects the chain most likely to succeed against the specific combination of device model and OS version encountered [1].
The 23 Exploits: Known CVEs and Codenames
Across all five chains, the kit employs 23 discrete exploits. Not all have been assigned public CVE identifiers; GTIG noted that several cover vulnerabilities that Apple patched without public CVE assignment, and others involve exploitation techniques not previously documented in public research [1]. The following table lists the ten CVEs that have been explicitly attributed to Coruna across reporting; the remaining 13 exploits are either unassigned or have not been publicly disclosed, and the table should not be read as a complete inventory.
| CVE | Vulnerability Type | Internal Codename | Patch Status |
|---|---|---|---|
| CVE-2024-23222 | WebKit use-after-free | Cassowary | Patched iOS 17.3 (Jan 2024) |
| CVE-2023-43000 | WebKit use-after-free | — | Patched iOS 16.6 (Jul 2023) |
| CVE-2023-41974 | Kernel use-after-free | — | Patched iOS 17.0 (Sep 2023) |
| CVE-2023-43010 | WebKit memory corruption | — | Patched iOS 16.6 (Jul 2023) |
| CVE-2023-32434 | Kernel integer overflow | Photon | Patched iOS 16.5.1 (Jun 2023) |
| CVE-2023-38606 | Kernel MMIO register flaw | Gallium | Patched iOS 16.6 (Jul 2023) |
| CVE-2023-32409 | WebKit sandbox escape | — | Patched iOS 16.5 (May 2023) |
| CVE-2022-48503 | WebKit memory corruption | — | Patched iOS 16.5 (May 2023) |
| CVE-2021-30952 | WebKit integer overflow | — | Patched iOS 15.2 (Dec 2021) |
| CVE-2020-27932 | Kernel type confusion | Neutron | Patched iOS 14.3 (Dec 2020) |
Two components have a documented prior history beyond the Coruna context: Photon (CVE-2023-32434) and Gallium (CVE-2023-38606) were previously deployed as zero-days in Operation Triangulation, the Russian-linked iOS espionage campaign uncovered by Kaspersky in 2023 [12]. Their reappearance in Coruna suggests either shared development lineage or that the Williams/Operation Zero sale included Operation Triangulation components, a possibility prosecutors have not publicly confirmed. The reusable module rwx_allocator, embedded in the framework for bypassing memory protection across chains, represents a shared infrastructure component that GTIG characterized as technically non-trivial [1].
Operational Evolution: From Surveillance to Mass Cybercrime
The documented operational timeline of Coruna is consistent with a proliferation pattern that cybersecurity researchers have increasingly documented across commercial spyware ecosystems: sophisticated tools developed for targeted surveillance spreading into mass-scale criminal use.
| Period | Operator | Activity |
|---|---|---|
| February 2025 | Unnamed surveillance vendor customer | Highly targeted, small-scale operations |
| Mid-2025 | UNC6353 (suspected Russian espionage) | Watering hole attacks targeting Ukrainian-language news sites |
| December 2025 | UNC6691 (China-based, financially motivated) | Mass deployment via fake cryptocurrency/gambling sites; large-scale iOS device compromise for crypto theft |
Google GTIG characterized this trajectory as “suggesting an active market for second-hand zero-day exploits” [1]. iVerify stated it represented “one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations” [3]. In the UNC6691 campaign in particular, analysts observed no apparent technical modification of Coruna for mass deployment; the only visible operational change was the lure infrastructure and targeting criteria, though the full extent of any internal changes the operators may have made is not publicly documented.
Defensive Effectiveness of Lockdown Mode
A notable operational finding in the Coruna disclosure is the confirmed effectiveness of Apple’s Lockdown Mode as a defense. The Coruna framework contains an explicit check that detects whether the device is running in Lockdown Mode or Private Browsing and halts execution if either condition is true [7]. This is not a coincidental bypass failure — the explicit check suggests the kit was designed to avoid triggering anomalous behavior that might surface in security tooling, and Lockdown Mode introduces enough WebKit restrictions that the exploit chains cannot reliably execute. For high-risk users — government officials, journalists, activists, executives in sensitive industries — this represents actionable guidance: enabling Lockdown Mode on iOS 16+ devices that cannot be immediately updated to iOS 17.3+ significantly reduces exposure to this specific threat.
Recommendations
Immediate Actions
The most critical immediate action is updating iOS on all managed and personal devices to version 17.3 or later, which is not vulnerable to Coruna. Users on iOS 17.2.1 or earlier should update to the current release without delay. For older devices that cannot run iOS 17, Apple released emergency updates — iOS 16.7.15 and iOS 15.8.7 — in March 2026 specifically to address vulnerabilities exploited by Coruna [8].
For users and organizations that cannot immediately update — including those managing older hardware with iOS version ceilings — enabling Lockdown Mode is a confirmed effective mitigation against Coruna. The usability trade-offs associated with Lockdown Mode, including restricted web browsing and limited messaging features, are real but appropriate for high-risk contexts. The mode can be deployed at scale via MDM configuration profiles, removing the dependency on individual user action.
Federal agencies face a binding deadline: CISA’s Known Exploited Vulnerabilities mandate under BOD 22-01 requires remediation of CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 by March 26, 2026 [9]. MDM administrators should verify managed device compliance against enrolled inventory and document remediation status before that date.
Short-Term Mitigations
Enterprise mobile device management (MDM) teams should audit their device inventory for iOS versions below 17.3 and establish a remediation tracking workflow. Devices that cannot be updated — particularly older iPhone models capped at iOS 15 or 16 — represent persistent exposure and warrant inventory decisions about replacement or restricted network access. Mobile threat defense (MTD) platforms from vendors including iVerify and Zimperium have released detection signatures for Coruna indicators of compromise; security operations teams with MTD deployments should verify those signatures are active [3][13].
Organizations managing devices used by high-risk personnel — security researchers, government contractors, journalists, executives with access to sensitive systems — should evaluate Lockdown Mode as a policy-enforced default for those device profiles. Apple’s Lockdown Mode policy can be deployed via MDM configuration profiles, making it manageable at scale without requiring individual user action.
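As an added illustration that is not part of the CSA article and not any vendor’s tooling, the following Python script turns the guidance in the Immediate Actions and Short-Term Mitigations sections (iOS 17.3 or later is not vulnerable, emergency updates iOS 16.7.15 and 15.8.7 for older hardware, Lockdown Mode as a mitigation on iOS 16+, and the BOD 22-01 deadline of March 26, 2026) into a triage an MDM team could run over an exported device inventory. The version thresholds and the deadline come from the article; the `Device` fields, the sample inventory rows, and the decision to treat a device at or above an emergency back-port as remediated for this kit are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds stated in the article (Coruna exposure window and fixes).
VULNERABLE_MIN = (13, 0, 0)          # iOS 13.0: lowest version the kit targets
FIXED_MAINLINE = (17, 3, 0)          # iOS 17.3 and later are not vulnerable
# Emergency updates Apple shipped in March 2026 for devices that cannot run iOS 17.
# Assumption of this example: a device at or above the back-port is treated as remediated.
EMERGENCY_BACKPORTS = {16: (16, 7, 15), 15: (15, 8, 7)}
LOCKDOWN_MIN_MAJOR = 16              # the article's Lockdown Mode guidance applies to iOS 16+
KEV_DEADLINE = date(2026, 3, 26)     # BOD 22-01 remediation date for the three KEV CVEs


def parse_version(text: str) -> tuple[int, int, int]:
    """'16.7.15' -> (16, 7, 15); '17.3' -> (17, 3, 0). Rejects malformed input instead of guessing."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fmt(version: tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in version)


@dataclass
class Device:
    """One inventory row (field names are this example's, not any MDM vendor's schema)."""
    device_id: str
    ios_version: str
    lockdown_mode: bool
    max_supported: str   # highest iOS release the hardware can run


def classify(dev: Device) -> tuple[str, str]:
    """Return (status, action) for one device against the thresholds above."""
    installed = parse_version(dev.ios_version)
    ceiling = parse_version(dev.max_supported)

    if installed >= FIXED_MAINLINE or installed < VULNERABLE_MIN:
        return ("not_exposed", "outside the iOS 13.0-17.2.1 window documented for this kit")

    backport = EMERGENCY_BACKPORTS.get(installed[0])
    if backport and installed >= backport:
        return ("patched_backport", f"at or above emergency update iOS {fmt(backport)}")

    # Still inside the exposed window: pick the remediation the hardware allows.
    if ceiling >= FIXED_MAINLINE:
        action = "update to iOS 17.3 or later"
    elif backport:
        action = f"install emergency update iOS {fmt(backport)}"
    else:
        action = "no patch available; replace or restrict network access"

    # Lockdown Mode only counts as a mitigation where the article says it applies (iOS 16+),
    # and a mitigated device still needs the patch.
    if dev.lockdown_mode and installed[0] >= LOCKDOWN_MIN_MAJOR:
        return ("mitigated_lockdown", f"Lockdown Mode active; still {action}")
    return ("exposed", action)


def summarize(devices: list[Device], today: date) -> dict:
    """Count devices per status and flag unremediated devices remaining past the KEV deadline."""
    counts: dict[str, int] = {}
    for dev in devices:
        status, _ = classify(dev)
        counts[status] = counts.get(status, 0) + 1
    # Lockdown-mitigated devices are still unpatched, so they count as outstanding for BOD 22-01.
    outstanding = counts.get("exposed", 0) + counts.get("mitigated_lockdown", 0)
    return {
        "counts": counts,
        "outstanding": outstanding,
        "kev_overdue": today > KEV_DEADLINE and outstanding > 0,
    }


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ipad-01", "17.3.1", False, "17.3.1"),
    Device("iphone-02", "17.2.1", False, "17.3.1"),
    Device("iphone-03", "16.7.15", False, "16.7.15"),
    Device("iphone-04", "16.7.14", True, "16.7.15"),
    Device("iphone-05", "15.8.6", True, "15.8.7"),   # Lockdown Mode is not a mitigation below iOS 16
    Device("iphone-06", "14.8.1", False, "14.8.1"),  # no back-port exists for this major version
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        status, action = classify(dev)
        print(f"{dev.device_id:10} iOS {dev.ios_version:8} {status:18} {action}")
    print(summarize(SAMPLE_INVENTORY, date(2026, 3, 13)))
```

The script deliberately keeps the thresholds in one place so they can be updated if Apple ships further back-ports, and it refuses to parse malformed version strings rather than silently treating them as patched. Feeding it a real export would mean mapping the MDM’s own column names onto the `Device` fields.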
Strategic Considerations
The Coruna disclosure reinforces three strategic concerns that security and risk leaders should incorporate into their mobile security frameworks. First, the second-hand zero-day market is operational and consequential: capabilities built for targeted nation-state surveillance reached mass criminal deployment within 12 months, so organizations should not assume that tools originally built for high-value surveillance will never be turned against them. The threat surface for financially motivated actors now includes nation-state-grade mobile exploit kits.
Second, the insider threat vector for exploit tool theft deserves renewed attention. The Williams/Trenchant case illustrates that offensive cyber capabilities can be exfiltrated and monetized by a single insider over multiple years without detection — a scenario that should prompt organizations handling vulnerability research to examine whether their insider threat programs would detect analogous behavior. Organizations in the defense industrial base that develop or handle vulnerability research and offensive tooling should review their insider threat monitoring programs for anomalous access to exploit repositories, unusual data transfers, and financial indicators consistent with illicit sales.
Third, the iOS security model continues to demonstrate that defense in depth across WebKit hardening, kernel protections, PAC, and PPL creates meaningful friction even for sophisticated adversaries: Coruna requires 23 exploits and five chained stages to achieve full compromise, and a single defensive layer (Lockdown Mode) is sufficient to block the current kit as analyzed. This argues for organizations continuing to invest in and enforce OS-level hardening rather than treating mobile security as primarily an application-layer problem. Separately, network-enforced zero trust controls — including cloud access policies that reject devices failing OS version compliance checks — can reduce the lateral impact of a Coruna compromise by restricting what the compromised device can reach. However, zero trust controls that rely on on-device attestation agents may themselves be compromised once an attacker achieves kernel-level access, and this limitation should inform architecture decisions about where device posture enforcement is anchored.
CSA Resource Alignment
The Coruna exploit kit disclosure connects to several established CSA frameworks and guidance documents:
CSA Mobile Application Security Testing (MAST) Framework provides vetting methodologies for mobile applications and, by extension, guidance on mobile security posture. Organizations using the MAST framework should extend their mobile security assessments to include OS-level exploit exposure as a risk dimension, not only application-layer vulnerabilities [14].
CSA Mobile Top Threats identifies watering hole attacks, drive-by exploitation, and unpatched OS vulnerabilities as persistent mobile threat categories. Coruna instantiates all three simultaneously and provides current empirical validation for threat modeling exercises conducted against the Mobile Top Threats taxonomy [15].
CSA Security Guidance for Critical Areas of Mobile Computing provides foundational guidance on mobile device management, patching, and BYOD security governance. The core recommendation — maintaining device fleet currency through aggressive patch management — is directly applicable to the Coruna scenario and should be reinforced in enterprise mobile security policies [16].
CSA STAR (Security Trust Assurance and Risk) program: Organizations seeking cloud and technology vendor risk assessments should incorporate mobile OS patch posture as a CCM control domain factor. Unpatched mobile devices used to access cloud services represent a potential lateral entry point, as demonstrated by Coruna’s full-device compromise capabilities.
CSA Zero Trust Guidance: Coruna’s ability to achieve kernel-level compromise from a single web visit underscores the importance of treating mobile devices as untrusted network endpoints rather than trusted internal clients. Zero trust architectures that enforce continuous device posture evaluation — including OS version compliance — provide meaningful controls at the network layer, though on-device attestation components should be treated as potentially unreliable after kernel compromise has occurred.
References
[1] Google Threat Intelligence Group, “Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit,” Google Cloud Blog, March 2026. https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
[2] The Hacker News, “Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1,” The Hacker News, March 2026. https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
[3] iVerify, “Coruna: Inside the Nation-State-Grade iOS Exploit Kit We’ve Been Tracking,” iVerify Blog, March 2026. https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
[4] Kim Zetter, “Trenchant Exec Who Sold Zero-Day Exploits to Russian Buyer Sentenced to 7 Years in Prison,” Zetter Zero Day, 2026. https://www.zetter-zeroday.com/trenchant-exec-who-sold-his-employers-zero-day-exploits-to-russian-buyer-sentenced-to-7-years-in-prison/
[5] CyberScoop, “Ex-L3Harris executive sentenced to 87 months for selling zero-days to Russian broker,” CyberScoop, 2026. https://cyberscoop.com/l3harris-executive-peter-williams-sentenced-zero-day-exploits-russia/
[6] CSO Online, “Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year,” CSO Online, March 2026. https://www.csoonline.com/article/4141167/coruna-ios-exploit-kit-moved-from-spy-tool-to-mass-criminal-campaign-in-under-a-year.html
[7] MacRumors, “This iOS Exploit Kit Has 23 Attacks – But Lockdown Mode Stops It Cold,” MacRumors, March 5, 2026. https://www.macrumors.com/2026/03/05/ios-exploit-kit-lockdown-mode-stops-it/
[8] BleepingComputer, “Apple patches older iPhones and iPads against Coruna exploits,” BleepingComputer, March 11, 2026. https://www.bleepingcomputer.com/news/apple/apple-patches-older-iphones-and-ipads-against-coruna-exploits/
[9] SC Media, “3 Apple flaws from Coruna exploit kit added to CISA vulnerability list,” SC Media, March 5, 2026. https://www.scworld.com/news/3-apple-flaws-from-coruna-exploit-kit-added-to-cisa-vulnerability-list
[10] SecurityWeek, “Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks,” SecurityWeek, March 2026. https://www.securityweek.com/nation-state-ios-exploit-kit-coruna-found-powering-global-attacks/
[11] The Register, “Kaspersky: No signs Coruna iPhone exploit kit made by US,” The Register, March 4, 2026. https://www.theregister.com/2026/03/04/kaspersky_dismisses_claims_that_coruna/
[12] Kaspersky GReAT, “Operation Triangulation: The last (hardware) mystery,” Securelist, December 2023. https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
[13] Zimperium, “Coruna iOS Exploit Kit Highlights the Need for Multi-Layer Mobile Defense,” Zimperium Blog, March 2026. https://zimperium.com/blog/coruna-ios-exploit-kit-highlights-the-need-for-multi-layer-mobile-defense
[14] Cloud Security Alliance, “Mobile Application Security Testing,” CSA, 2023. https://cloudsecurityalliance.org/research/working-groups/mobile-application-security/ [URL requires verification — returned 404 as of 2026-03-13]
[15] Cloud Security Alliance, “Mobile Top Threats,” CSA. https://cloudsecurityalliance.org/research/working-groups/mobile-working-group/ [URL requires verification — returned 404 as of 2026-03-13]
[16] Cloud Security Alliance, “Security Guidance for Critical Areas of Mobile Computing,” CSA. https://cloudsecurityalliance.org/research/published-research/security-guidance-for-critical-areas-of-mobile-computing/ [URL requires verification — returned 404 as of 2026-03-13]