A newly identified and highly capable exploit kit dubbed “Coruna” is targeting Apple iPhones, utilizing a collection of 23 distinct exploits across five separate exploit chains. The discovery, made by Google’s Threat Intelligence Group (GTIG), highlights the increasing sophistication of attackers and the potential vulnerabilities within the iOS ecosystem.
Google researchers publicly detailed their findings on February 3, 2026, in a blog post titled “Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit.” The Coruna exploit kit demonstrates a remarkable level of technical prowess, combining a comprehensive array of 23 iOS exploits, including advanced – and in some cases, previously unpublicized – exploit techniques and mitigation bypasses. This poses a significant threat to iPhone users.
The kit is designed to target iPhone models running iOS versions from 13.0 (released in September 2019) up to and including 17.2.1 (released in December 2023). Google’s security researchers first observed the use of this exploit kit in 2025 during highly targeted operations. Initially, the attacks focused on a client of a surveillance vendor, employing the exploits within a previously unknown JavaScript framework that utilized simple, yet unique, JavaScript obfuscation techniques.
Subsequently, the exploit kit was observed in watering-hole attacks targeting users in Ukraine. These attacks are attributed to UNC6353, a threat actor believed to be a Russian state-sponsored espionage group. The researchers were able to recover the complete exploit kit when it was later deployed in large-scale campaigns by a financially motivated Chinese threat actor known as UNC6691. The circumstances surrounding this dissemination remain unclear, leading researchers to speculate about a potential market for “used” zero-day exploits.
Timeline of Coruna’s Deployment
The timeline below, as presented by Google, illustrates the evolution of the exploit kit’s usage. Beyond the exploits identified by Google researchers, multiple threat actors have since acquired advanced exploit techniques that can be reused and modified with newly discovered vulnerabilities.
Source: Google
Expanding Threat Landscape
The Coruna exploit kit’s capabilities extend beyond the initial set of identified exploits. The researchers noted that several threat actors have now obtained advanced exploit techniques, allowing them to reuse and modify them with newly discovered vulnerabilities. Details of these exploits have been published by the Google security team for broader awareness and defensive measures.
The discovery of Coruna underscores the necessitate for a multi-layered approach to mobile security. As Zimperium points out, a robust mobile defense strategy is crucial in the face of increasingly sophisticated threats.
The situation is further complicated by reports suggesting potential U.S.-developed exploits may have been linked to the initial mass iOS attack, as CyberScoop reported. This adds another layer of complexity to the geopolitical implications of the Coruna exploit kit.
The widespread targeting of iOS devices, including those of Ukrainian users, as highlighted by Мілітарний, demonstrates the real-world impact of these vulnerabilities.
As the digital landscape evolves, the discovery of Coruna serves as a stark reminder of the constant need for vigilance and proactive security measures. The potential for a thriving market in zero-day exploits raises concerns about the future of mobile security and the ongoing arms race between attackers and defenders. Continued research and collaboration are essential to mitigate these risks and protect users from increasingly sophisticated threats.
Stay informed about the latest security updates and best practices to protect your devices. Share this article with your network to raise awareness about the Coruna exploit kit and the importance of mobile security.
