Apple has backported patches for iOS 15 and 16 devices just this week, with iOS 15.8.7 and iOS 16.7.15 released to address the kernel and WebKit vulnerabilities associated with Coruna for devices that cannot update to the current iOS release.
The company's equivalent generation iPadOS operating systems were also patched.
Google's Threat Intelligence Group (GTIG) identified Coruna in early 2025, with security vendor iVerify conducting independent parallel analysis and publishing its findings simultaneously with Google in early March 2026.
The Coruna kit packs 23 exploits across five complete iOS exploit chains targeting devices running iOS 13 through 17.2.1, with the most advanced techniques using non-public exploitation methods and mitigation bypasses.
GTIG first observed the kit in February 2025 in use by a customer of a commercial surveillance vendor, before tracking it to watering hole attacks by UNC6353.
This is a suspected Russian state-sponsored group attacking Ukrainian websites, with GTIG ultimately tracking Coruna to a financially motivated Chinese criminal group deploying it via fake cryptocurrency exchange and gambling sites.
Researchers gained insight into the kit's internals after a threat actor mistakenly deployed a debug version, exposing internal code names and documentation embedded throughout the framework.
_(36).jpg&h=140&w=231&c=1&s=0)
_(33).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
_(1).jpg&h=140&w=231&c=1&s=0)
