What is Coruna?
Researchers from Google and iVerify disclosed in early March 2026 a sophisticated exploit kit dubbed Coruna, described as “nation-state grade,” enabling mass exploitation against Apple’s iOS ecosystem. The toolkit packs 23 individual exploits organized into five complete attack chains.
Coruna targets Apple iPhone models running iOS versions 13.0 through 17.2.1. The exploit kit relies on WebKit vulnerabilities (CVE-2023-43000 and CVE-2024-23222) that can be triggered by processing maliciously crafted web content.
The attack typically begins when a user visits a compromised website that runs hidden JavaScript to detect device details such as model, system version, and security configuration. Once the device is identified as vulnerable, the exploit bypasses several layers of iOS security protections and gains higher system privileges, allowing attackers to install malware capable of collecting data or downloading additional malicious modules.
Threat Actor Activity
The Coruna exploit kit has been used by multiple threat groups since February 2025, including a suspected Russian state-backed hacking group (UNC6353), a surveillance vendor customer, and a financially motivated Chinese threat actor (UNC6691). UNC6691 was spotted deploying the exploit kit on fake gambling and crypto websites to deliver malware payloads that stole cryptocurrency wallets from infected victims’ devices.
It’s suspected that Operation Zero acquired Coruna and sold it to other threat actors, including financially motivated cybercriminals. Peter Williams, a former general manager at L3Harris Trenchant, was sentenced to over seven years in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero.
Apple’s Patching Response
Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, confirming they address kernel and WebKit vulnerabilities associated with the Coruna exploit for devices that cannot update to the latest iOS version.
Vulnerabilities patched:
iOS and iPadOS 15.8.7 patch four vulnerabilities: CVE-2023-41974 (a kernel use-after-free issue), CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010 (three WebKit flaws). iOS and iPadOS 16.7.15 addresses CVE-2023-43010.
Affected legacy devices include:
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
CISA Action
CISA added three of the 23 Coruna-associated vulnerabilities to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch their iOS devices by March 26, 2026.
Key Mitigation Notes
Coruna skips execution on devices in Lockdown Mode or when the user is in private browsing. Users are advised to keep devices updated and enable Lockdown Mode for enhanced security.
Devices already on iOS 26 are not affected — this update is specifically for older legacy devices that cannot be upgraded to the latest iOS version.
