One of the latest exploit kits, called Coruna or CryptoWaters, has quickly become a serious threat, delivering attacks that specifically target Apple iPhone models. This advanced set of tools takes advantage of holes in iOS versions from 13.0 up to 17.2.1. Coruna has quickly drawn the attention of cybersecurity professionals and government agencies alike. It contains 23 different exploits and five full, end-to-end exploit chains.
Coruna, first identified in Feb 2025, has passed through several stages of use. It was originally used by a private-sector surveillance company and then by a state-backed government intruder. From the end of 2025, financially motivated threat actors from China were taking advantage of its capabilities. As this exploit kit continues to evolve, we must remain vigilant about its use and continue the fight for personal privacy and data security.
Technical Composition of Coruna
What makes Coruna unique is the size of its library of iOS exploits. It incorporates five full exploit chains, and the vulnerabilities it targets include:
- Neutron (CVE-2020-27932) for iOS versions 13.x.
- Dynamo (CVE-2020-27950) for iOS versions 13.x.
- buffout (CVE-2021-30952) spanning versions 13 to 15.1.1.
- jacurutu (CVE-2022-48503) for versions 15.2 to 15.5.
- IronLoader (CVE-2023-32409) affecting versions 16.0 to 16.3.
- Photon (CVE-2023-32434) used in versions 14.5 to 15.7.6.
- Gallium (CVE-2023-38606) for 14.x versions.
- Parallax (CVE-2023-41974) applicable in versions 16.4 to 16.7.
- terrorbird (CVE-2023-43000) targeting versions 16.2 to 16.5.1.
- cassowary (CVE-2024-23222) for 16.6 to 17.2.1.
- Sparrow (CVE-2024-23225) covering versions 17.0 to 17.3.
- Rocket (CVE-2024-23296) affecting versions 17.1 to 17.4.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” stated the Google Threat Intelligence Group (GTIG).
The architecture of Coruna is especially advanced, built from reusable modules that allow for rapid exploitation of vulnerabilities. The kit avoids executing on devices in Lockdown Mode, and it does not operate when the user is in private browsing mode.
Implications of Coruna’s Usage
Coruna’s rise has shed light on a troubling trend: advanced spyware capabilities are being transferred from commercial vendors to state-backed actors and criminal enterprises. iVerify remarked, “Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations.”
In July 2025, the exploit kit was most visibly seen on compromised sites in Ukraine, which hints at a geopolitical motive behind its use. This connection raises understandable concern about what it means for users in areas affected by war or civil conflict.
Cybersecurity professionals and civil society have raised serious alarms about how the toolkit can and will be misused at scale. Coruna is changing quickly and staying ahead of other threats. This creates a severe risk for users and for organizations large and small.
Vulnerabilities and Mitigations
Apple has taken extensive steps to counter some of the vulnerabilities used by Coruna. CVE-2023-43000 was patched in iOS 16.6 and iPadOS 16.6 earlier this year. Yet the constantly changing threat landscape leaves no room for complacency or outdated software versions.
Google’s insights further highlight the severity of the situation: “Photon and Gallium are exploiting vulnerabilities that were used as zero-days as part of Operation Triangulation.” This statement drives home the point that most of the vulnerabilities used by Coruna were not previously made public, showcasing just how sophisticated the exploit kit was.
Every day, users make their way through a confusing, frustrating, often dangerous digital world. They should always be aware of possible threats such as Coruna and take proactive measures to safeguard their devices.
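For defenders who want to act on the version ranges listed under Technical Composition, the following added example (not code from Google, iVerify or Apple) checks a device inventory against those ranges. The inventory is constructed, and treating an upper bound such as 15.5 as covering its patch releases is an assumption.

```python
# Added example: match device iOS versions against the ranges listed on this page.
import math

# Name, CVE and affected iOS range, copied from the article's list.
CORUNA = [
    ("Neutron", "CVE-2020-27932", "13.x"),
    ("Dynamo", "CVE-2020-27950", "13.x"),
    ("buffout", "CVE-2021-30952", "13 to 15.1.1"),
    ("jacurutu", "CVE-2022-48503", "15.2 to 15.5"),
    ("IronLoader", "CVE-2023-32409", "16.0 to 16.3"),
    ("Photon", "CVE-2023-32434", "14.5 to 15.7.6"),
    ("Gallium", "CVE-2023-38606", "14.x"),
    ("Parallax", "CVE-2023-41974", "16.4 to 16.7"),
    ("terrorbird", "CVE-2023-43000", "16.2 to 16.5.1"),
    ("cassowary", "CVE-2024-23222", "16.6 to 17.2.1"),
    ("Sparrow", "CVE-2024-23225", "17.0 to 17.3"),
    ("Rocket", "CVE-2024-23296", "17.1 to 17.4"),
]

def _ver(text, fill):
    """'16.5.1' -> (16, 5, 1); missing or 'x' components take `fill`."""
    parts = [fill if p == "x" else int(p) for p in text.strip().split(".")]
    return tuple(parts + [fill] * (3 - len(parts)))

def _bounds(spec):
    """Turn the page's '13.x' / '13 to 15.1.1' notation into (low, high)."""
    lo, _, hi = spec.partition(" to ")
    hi = hi or lo  # '13.x' supplies both bounds of its own range
    # Assumption: an upper bound without a patch number covers its patch releases.
    return _ver(lo, 0), _ver(hi, math.inf)

def exposed_to(ios_version):
    """Return the CVEs from the list whose range contains ios_version."""
    v = _ver(ios_version, 0)
    return [cve for _, cve, spec in CORUNA
            if _bounds(spec)[0] <= v <= _bounds(spec)[1]]

def triage(inventory):
    """Map device -> matching CVEs, only for devices with at least one match."""
    hits = {dev: exposed_to(ver) for dev, ver in inventory.items()}
    return {dev: cves for dev, cves in hits.items() if cves}

# Constructed MDM inventory (device names and versions are made up).
FLEET = {"iphone-a": "15.4.1", "iphone-b": "16.5", "iphone-c": "17.2.1", "iphone-d": "18.1"}

if __name__ == "__main__":
    for dev, cves in triage(FLEET).items():
        print(dev, FLEET[dev], ", ".join(cves))
```

Devices that appear in the output are the ones to prioritize for updating; a device absent from the output only means its version is outside the ranges this article lists.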

