
Coruna Exploit Kit: Google Details Years of iPhone Zero-Day Use by Hackers

A sophisticated exploit kit dubbed “Coruna” has been circulating among a surprisingly diverse range of threat actors, raising concerns about a secondary market for zero-day vulnerabilities. Google’s Threat Intelligence Group (GTIG) detailed the kit’s capabilities and unusual journey, from initial use by a surveillance vendor to deployment in espionage campaigns and financially motivated attacks. The discovery highlights the growing risk of advanced hacking tools falling into the wrong hands and the challenges of securing mobile devices against increasingly complex threats.

The Coruna exploit kit, capable of targeting iPhones running iOS 13.0 through 17.2.1, contains a staggering 23 exploits across five distinct exploit chains. This comprehensive collection includes both publicly known vulnerabilities and previously uncatalogued flaws, leveraging techniques to bypass security mitigations. The proliferation of this kit underscores a troubling trend: the commoditization of zero-day exploits, where vulnerabilities are bought, sold, and reused by different actors with varying motivations. The Cybersecurity and Infrastructure Security Agency (CISA) has already taken action, adding three of the identified vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply available mitigations.

From Surveillance to Espionage to Financial Gain

Google first detected Coruna in February 2025, observing its use by a customer of a surveillance vendor. The initial exploit targeted CVE-2025-23222, a vulnerability that had already been patched 13 months prior. Later, in July 2025, a suspected Russian espionage group leveraged CVE-2023-43000 in attacks targeting Ukrainian users, planting malicious code on websites frequented by those individuals. The most recent – and perhaps most concerning – development came in December 2025, when a financially motivated threat actor operating from China gained access to the complete Coruna exploit kit. It was during this phase that Google was able to retrieve and analyze the full extent of the kit’s capabilities.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google researchers wrote in their report. This observation points to a disturbing reality: vulnerabilities aren’t necessarily a one-time use asset. Once discovered and exploited, they can be traded and redeployed, extending their lifespan and increasing the potential for widespread harm. The researchers also noted that multiple threat actors have now acquired advanced exploitation techniques, which can be adapted to exploit newly discovered vulnerabilities.

A Deep Dive into the Exploits

The Coruna kit’s versatility stems from its diverse range of exploits, targeting different components of the iOS operating system. These exploits fall into several categories, including WebContent R/W (read/write), WebContent PAC bypass, sandbox escape, and PPL (Pointer Authentication Code) bypass. Some exploits, like CVE-2023-43000, an Apple iOS Use-After-Free vulnerability, have been publicly disclosed and patched. Others have not yet been assigned CVE identifiers, indicating they were previously unknown to the wider security community. The kit’s ability to target a broad range of iOS versions – from 13.0 to 17.2.1 – further amplifies its potential impact.

CISA has added three CVEs from the Coruna kit to its catalog, directing federal agencies to prioritize mitigation efforts. These include: CVE-2021-30952 (Apple Multiple Products Integer Overflow or Wraparound Vulnerability), CVE-2023-41974 (Apple iOS and iPadOS Use-After-Free Vulnerability), and CVE-2023-43000 (Apple Multiple Products Use-After-Free Vulnerability). The agency’s guidance emphasizes the importance of applying vendor-provided patches, following cloud service security recommendations, and, if mitigations are unavailable, discontinuing use of the affected products. CISA warned that these vulnerabilities are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

Here’s a breakdown of some of the exploits found within the Coruna kit:

| Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
| --- | --- | --- | --- | --- |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
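The table above, together with CISA’s direction to apply vendor patches, is most useful to a defender as a fleet triage check: given the iOS version each managed device reports, which of the listed Coruna exploits still target it, and what is the lowest update that clears all of them? The script below is an added example written for this article, not code from Google’s report or from Apple; it embeds the three table rows as data (the article notes these are only some of the kit’s 23 exploits, so an empty result means “not targeted by the listed rows”, not “safe”), parses inclusive ranges such as “13 → 15.1.1” and the “14.x” branch wildcard, and reports a recommended minimum version. The device inventory at the bottom is constructed for illustration.

```python
"""Fleet triage against the Coruna targeted-version table (added example, constructed data)."""
from math import inf

# Rows copied from the article's table: (type, codename, targeted range, fixed versions, CVE).
# The table is partial; the kit holds 23 exploits, so absence here is not a clean bill of health.
CORUNA_TABLE = [
    ("WebContent R/W", "buffout", "13 → 15.1.1", "15.2", "CVE-2021-30952"),
    ("WebContent R/W", "terrorbird", "16.2 → 16.5.1", "16.6", "CVE-2023-43000"),
    ("PPL Bypass", "Gallium", "14.x", "15.7.8, 16.6", "CVE-2023-38606"),
]


def parse_version(text):
    """'16.5.1' -> (16, 5, 1). Missing trailing components count as 0 so '15.2' == '15.2.0'."""
    parts = [int(piece) for piece in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_range(text):
    """'13 → 15.1.1' -> ((13,0,0), (15,1,1)); '14.x' -> ((14,0,0), (14,inf,inf))."""
    if "→" in text:
        lo, hi = text.split("→")
        return parse_version(lo), parse_version(hi)
    raw = text.strip().split(".")
    lo, hi, wild = [], [], False
    # Once an 'x' wildcard is seen, every later component spans 0..inf.
    for piece in raw + ["0"] * (3 - len(raw)):
        wild = wild or piece == "x"
        lo.append(0 if wild else int(piece))
        hi.append(inf if wild else int(piece))
    return tuple(lo[:3]), tuple(hi[:3])


def exposed_chains(version_text):
    """Codenames of listed exploits whose targeted range includes this iOS version."""
    v = parse_version(version_text)
    hits = []
    for _type, codename, rng, _fixed, _cve in CORUNA_TABLE:
        lo, hi = parse_range(rng)
        if lo <= v <= hi:
            hits.append(codename)
    return hits


def recommended_fix(version_text):
    """Lowest fixed version (as printed in the table) that clears every exploit targeting
    this version, or None when no listed exploit targets it."""
    v = parse_version(version_text)
    needed = []
    for _type, _codename, rng, fixed, _cve in CORUNA_TABLE:
        lo, hi = parse_range(rng)
        if not lo <= v <= hi:
            continue
        # A row may list one fix per branch ("15.7.8, 16.6"); take the nearest one above us.
        candidates = [f.strip() for f in fixed.split(",") if parse_version(f) > v]
        needed.append(min(candidates, key=parse_version))
    if not needed:
        return None
    # Every exposed row must be cleared, so the highest of the per-row minimums wins.
    return max(needed, key=parse_version)


def triage_fleet(inventory):
    """inventory: {device_name: ios_version} -> {device_name: (codenames, fix_or_None)}."""
    return {name: (exposed_chains(ver), recommended_fix(ver)) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real MDM data.
    fleet = {"ceo-iphone": "14.8.1", "sales-03": "15.1.1", "dev-07": "16.3", "dev-08": "16.6"}
    for name, (chains, fix) in triage_fleet(fleet).items():
        status = f"targeted by {', '.join(chains)}; update to {fix}+" if chains else "no listed exploit applies"
        print(f"{name:12} iOS {fleet[name]:7} {status}")
```

The range parser treats “15.2” and “15.2.0” as the same version, which matters because the table mixes two- and three-component numbers; a naive string comparison would sort “15.2” below “15.1.1”. Feeding the output into a patch-compliance dashboard, keyed on the CVE column, is the natural next step.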

What’s Next?

The discovery of Coruna and its subsequent proliferation serve as a stark reminder of the evolving threat landscape facing mobile devices. The ease with which this exploit kit changed hands underscores the need for enhanced vulnerability disclosure practices, improved security measures, and greater collaboration between security researchers, vendors, and government agencies. Apple has consistently released security updates to address vulnerabilities, and users are strongly encouraged to keep their devices updated to the latest iOS version. As the market for zero-day exploits continues to mature, proactive defense and rapid response will be crucial in mitigating the risks posed by sophisticated attack tools like Coruna.

What are your thoughts on the growing secondary market for exploits? Share your insights in the comments below.
