Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

The Coruna kit represents a rare convergence of depth and breadth in iOS offensive tooling. By bundling five complete exploit chains and 23 individual vulnerabilities that span iOS 13.0 through 17.2.1, the kit bypasses Apple’s layered mitigations with non‑public techniques such as kernel‑level code‑execution and sandbox evasion. Historically, iOS exploit development has been resource‑intensive, making a single, reusable kit of this scale especially valuable to attackers seeking high‑value targets like government officials or financial institutions.

GTIG’s timeline shows Coruna moving quickly across distinct threat‑actor profiles. A surveillance‑vendor customer first deployed the kit in precision espionage, after which the Russian‑linked UNC6353 repurposed it for watering‑hole attacks against Ukrainian users. The final hand‑off to the China‑based, financially motivated UNC6691 illustrates a burgeoning secondary market for zero‑day exploits, where sophisticated code is bought, modified, and resold. This fluidity blurs traditional lines between state‑sponsored and criminal operations, amplifying the overall threat surface for iOS devices worldwide.

For enterprises and consumers, the emergence of Coruna underscores the urgency of maintaining up‑to‑date iOS versions and employing layered defenses such as mobile threat detection and network segmentation. Security teams should monitor threat‑intel feeds for indicators of compromise tied to the kit’s known payloads and consider threat‑hunting for anomalous app behavior. As Apple continues to harden its platform, attackers are likely to shift toward buying ready‑made exploit kits rather than developing new ones, making market surveillance an essential component of a robust cyber‑risk strategy.