Full Report
Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. The findings were first reported by WIRED. "The
Analysis Summary
# Tool/Technique: Coruna (aka CryptoWaters)
## Overview
Coruna is a sophisticated and "powerful" iOS exploit kit identified by Google Threat Intelligence Group (GTIG). It is a modular JavaScript-based framework designed to deliver full exploit chains to Apple iPhone users. The kit is notable for its transition from commercial surveillance use to nation-state espionage, and ultimately to mass-scale cybercriminal operations, marking a significant shift from targeted spyware to broad exploitation.
## Technical Details
- **Type:** Exploit Kit / JavaScript Framework
- **Platform:** iOS (specifically versions 13.0 through 17.2.1)
- **Capabilities:** Device fingerprinting, WebKit Remote Code Execution (RCE), Pointer Authentication Code (PAC) bypass, and automated exploit delivery.
- **First Seen:** February 2025 (circulating among surveillance operations); components captured earlier in 2024.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise]: Delivery via hidden iFrames on compromised websites.
- **[TA0007 - Discovery]**
  - [T1518.001 - Software Inventory]: Device fingerprinting to identify iOS version and iPhone model.
- **[TA0002 - Execution]**
  - [T1203 - Exploitation for Client Execution]: Utilizing WebKit vulnerabilities to execute code.
- **[TA0005 - Defense Evasion]**
  - [T1548 - Abuse Elevation Control Mechanism]: Bypassing iOS security mitigations like Pointer Authentication Code (PAC).
## Functionality
### Core Capabilities
- **Sophisticated Fingerprinting:** The JavaScript framework determines if the device is a legitimate target (not a sandbox/research environment) and gathers precise model and OS version details.
- **Targeted Modular Delivery:** Automatically selects and loads one of five specific exploit chains based on the gathered device profile.
- **Broad Exploit Library:** Contains 23 total exploits, including both public zero-days and non-public exploitation techniques.
### Advanced Features
- **PAC Bypass:** Includes advanced mitigation bypasses to overcome modern iOS hardware-level security protections.
- **Geolocation Fencing:** Capability to deliver the framework only to users in specific geographic regions (e.g., Ukraine).
- **Stealth Integration:** Deployed via hidden iFrames on legitimate compromised websites (industrial, retail, and e-commerce sites).
## Indicators of Compromise
- **File Names:** Integrated into a specific JavaScript framework.
- **Network Indicators:**
  - `cdn.uacounter[.]com` (used for framework delivery)
  - Fake Chinese finance-themed domains.
- **Behavioral Indicators:**
  - WebKit process crashes or unexpected behavior while browsing compromised sites.
  - Hidden iFrame injections in web traffic.
## Associated Threat Actors
- **UNC6353:** A suspected Russian espionage group.
- **Commercial Surveillance Vendors (CSV):** Original developers (unnamed).
- **Financially Motivated Actors:** Chinese-based groups active by late 2025.
## Detection Methods
- **Behavioral Detection:** Monitoring for unusual WebKit memory allocation patterns or PAC failure logs on mobile devices.
- **Network Defense:** Inspecting for hidden iFrames originating from known malicious CDNs or suspicious third-party domains.
- **Device Audits:** Using mobile security tools (like iVerify) to check for historical exploitation artifacts or system integrity failures.
## Mitigation Strategies
- **Update Software:** OS updates are the primary defense; Coruna is ineffective against iOS versions later than 17.2.1.
- **Web Security:** Implementation of Content Security Policy (CSP) on websites to prevent the loading of unauthorized third-party iFrames.
- **Isolation:** Use of lockdown modes or hardened browser settings for high-risk individuals.
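As an added example (not code from the report or from GTIG), the following Python script implements the two web-side controls named under Detection Methods and Mitigation Strategies: it scans a page for hidden, off-origin iFrames, flagging the delivery host published above (refanged so it can be compared) plus any hidden frame to a host outside an operator-maintained allow-list, and it states the matching `frame-src` CSP header. The allow-listed hosts and the sample HTML are constructed for the demonstration.

```python
"""Hunt for hidden, off-origin <iframe> injections of the kind used for
drive-by delivery. The allow-list and SAMPLE_HTML are constructed examples."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the site legitimately frames (assumption: maintained by the site operator).
ALLOWED_FRAME_HOSTS = {"www.example-shop.test", "payments.example-shop.test"}
# Delivery indicator from the report, refanged for comparison.
KNOWN_BAD_HOSTS = {"cdn.uacounter.com"}

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_hidden(attrs):
    """True if the iframe is styled invisible, sized to <= 1px, or has `hidden`."""
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    return "hidden" in attrs

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def find_suspicious_iframes(html, page_host):
    """Return (src, reason) for each iframe that points at a known delivery host,
    or is hidden and points off-origin to a host that is not allow-listed."""
    p = _IframeCollector()
    p.feed(html)
    findings = []
    for attrs in p.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src => same origin
        if host in KNOWN_BAD_HOSTS:
            findings.append((src, "known delivery host"))
        elif _is_hidden(attrs) and host != page_host and host not in ALLOWED_FRAME_HOSTS:
            findings.append((src, "hidden off-origin iframe"))
    return findings

# Response header that makes the browser refuse the same class of injection.
CSP_HEADER = "Content-Security-Policy: frame-src 'self' https://payments.example-shop.test"

SAMPLE_HTML = """<html><body>
<iframe src="https://payments.example-shop.test/checkout" width="600" height="400"></iframe>
<iframe src="/help/widget" style="display:none"></iframe>
<iframe src="https://cdn.uacounter.com/c.js" style="display:none;width:0;height:0"></iframe>
<iframe src="https://tracker.example.test/x" width="0" height="0"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example-shop.test")` flags only the third and fourth frames; the visible payments frame and the hidden same-origin widget pass.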
## Related Tools/Techniques
- **CVE-2024-23222:** WebKit Type Confusion.
- **CVE-2022-48503:** WebKit vulnerability.
- **CVE-2023-43000:** WebKit Use-After-Free flaw.
- **Pegasus / Predator:** Similar "spyware-grade" capabilities originally developed by commercial surveillance firms.