Coruna Exploit Kit: 23 iOS Zero-Days Used by Hackers & Spies

March 7, 2026 Sarah Wu - Tech Editor Tech and Science

Federal agencies have been directed to patch three recently identified vulnerabilities in Apple’s iOS operating system following revelations about a sophisticated exploit kit dubbed Coruna, also known as CryptoWaters. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to its Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026, requiring federal civilian executive branch agencies to remediate these flaws by March 26, 2026. The move underscores growing concern over the proliferation of exploit tools and the potential for widespread compromise of Apple devices.

Coruna: A Comprehensive iOS Exploit Kit

Coruna is notable for its breadth, encompassing 23 distinct exploits chained together into five complete attack sequences targeting iOS versions 13.0 through 17.2.1. Google’s Threat Intelligence Group (GTIG) first identified the kit, noting its “comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.” The kit’s sophistication extends to its engineering, with Google researchers describing the exploit pieces as “all connected naturally and combined together using common utility and exploitation frameworks.” This suggests a high level of development effort and a deep understanding of iOS security architecture.

The origins of Coruna are murky, but its journey through various threat actor hands is well-documented. Initially observed in February 2025 in use by a customer of a commercial surveillance vendor, the kit was later linked to a suspected Russian espionage group targeting Ukrainian individuals in July 2025. By December 2025, Google obtained a complete copy of the kit while tracking a financially motivated threat actor operating from China. As Google noted, this chain of custody suggests an active market for “second-hand” zero-day exploits, one that lets malicious actors acquire and repurpose powerful hacking tools and reuse or modify their techniques with newly discovered vulnerabilities.

Technical Details of the Exploited Vulnerabilities

The three vulnerabilities recently added to CISA’s KEV catalog represent a subset of the 23 exploits within Coruna. CVE-2021-30952, internally codenamed “buffout” within the kit, is an integer overflow vulnerability affecting iOS versions up to 15.1.1 and patched in iOS 15.2. An integer overflow occurs when a calculation produces a value too large for the integer type that holds it, so the stored result wraps around; when that result is then used as a size or offset, memory can be corrupted, potentially leading to arbitrary code execution via crafted web content. SC Magazine details this flaw as being fixed with improved input validation.

CVE-2023-41974, dubbed “Parallax” by the Coruna developers, is a use-after-free vulnerability addressed in iOS 17. Use-after-free flaws arise when a program attempts to access memory that has already been freed, potentially allowing attackers to execute arbitrary code with kernel privileges – the highest level of access on the system.

Finally, CVE-2023-43000, known as “terrorbird,” is another use-after-free issue resolved in iOS 16.6. This vulnerability could be exploited through crafted web content to trigger memory corruption. These vulnerabilities, while patched by Apple, remain significant due to their inclusion in a widely circulated exploit kit.

Payload and Targeting

Beyond the initial exploits, Coruna is designed to deliver a sophisticated payload. The kit is capable of targeting financial information and can also load additional modules to exfiltrate cryptocurrency wallets and sensitive data from various applications. The exploit kit fingerprints devices to load the appropriate WebKit remote code execution (RCE) exploit, bypassing platform mitigations and injecting a payload into the ‘powerd’ daemon, which runs as root. SecurityWeek reports that the kit has been observed deploying debug versions, revealing internal code names and details of the exploits.

A Shifting Landscape of Exploit Development

The Coruna exploit kit’s history raises concerns about the increasing commodification of zero-day exploits. The fact that it passed from a surveillance vendor to a suspected Russian espionage group and ultimately to a financially motivated Chinese actor suggests a thriving market where these tools are bought, sold, and repurposed. This trend lowers the barrier to entry for malicious actors and increases the risk of widespread exploitation. The kit’s similarities to frameworks developed by U.S. Government-affiliated threat actors, as noted by iVerify, further complicate the picture, highlighting the potential for overlap and reuse of techniques across different groups.

Implications and Mitigation

The CISA KEV addition mandates that federal agencies address these vulnerabilities within a three-week timeframe, as outlined in Binding Operational Directive (BOD) 22-01. Yet, the broader implications extend to all iOS users. While Apple has released patches for these vulnerabilities, many devices remain unpatched due to user inertia or the unavailability of updates for older models. Users are strongly encouraged to update their devices to the latest iOS version to mitigate the risk of exploitation. The Hacker News provides a comprehensive overview of the kit and its capabilities.

Beyond patching, organizations should implement robust mobile device management (MDM) policies to ensure timely updates and enforce security best practices. Network segmentation and intrusion detection systems can also help identify and prevent exploitation attempts. The incident serves as a reminder of the importance of a layered security approach and the need for continuous monitoring and threat intelligence gathering.
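
As an added illustration (not from the article or any vendor tool), the following Python sketch triages an MDM inventory export against the fix versions, targeted range and KEV deadline stated above. The record fields "id" and "os_version" and the sample devices are constructed; the check assumes a device is fixed once it runs at or above the release the article names, and does not model fixes shipped on other release branches.

```python
from datetime import date

# From the article: iOS release that fixed each KEV-listed CVE.
FIXED_IN = {"CVE-2021-30952": "15.2", "CVE-2023-41974": "17", "CVE-2023-43000": "16.6"}
CORUNA_RANGE = ("13.0", "17.2.1")   # iOS versions the article says the chains target
KEV_DUE = date(2026, 3, 26)         # remediation deadline from the article

def parse_version(text):
    """'16.5.1' -> (16, 5, 1); trailing zeros are dropped so '17' == '17.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(inventory, today):
    """Classify each device record by KEV patch state and Coruna-range exposure."""
    low, high = (parse_version(v) for v in CORUNA_RANGE)
    findings = {}
    for device in inventory:
        try:
            version = parse_version(device["os_version"])
        except (KeyError, ValueError, AttributeError):
            # Missing or malformed version: never assume the device is patched.
            findings[device.get("id")] = ("unknown-version", [])
            continue
        missing = sorted(c for c, f in FIXED_IN.items() if version < parse_version(f))
        if missing:
            status = "overdue" if today > KEV_DUE else "patch-required"
        elif low <= version <= high:
            # All three KEV fixes present, but still inside the range the kit targets.
            status = "in-targeted-range"
        else:
            status = "ok"
        findings[device.get("id")] = (status, missing)
    return findings

# Constructed sample inventory (hypothetical field names "id" and "os_version").
SAMPLE = [
    {"id": "ipad-01", "os_version": "15.1.1"},
    {"id": "iphone-02", "os_version": "16.6"},
    {"id": "iphone-03", "os_version": "17.1"},
    {"id": "iphone-04", "os_version": "17.3"},
    {"id": "iphone-05", "os_version": ""},
]

if __name__ == "__main__":
    for dev_id, (status, cves) in triage(SAMPLE, date(2026, 3, 10)).items():
        print(dev_id, status, ", ".join(cves))
```

A device such as the constructed iphone-03 on 17.1 has all three KEV-listed fixes yet still falls inside the version range the kit targets, which is why the sketch reports it separately rather than as clean.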

Looking ahead, the focus will likely be on understanding the full extent of Coruna’s deployment and identifying any additional vulnerabilities it may exploit. Researchers will continue to analyze the kit’s components and develop new mitigation techniques. The incident also underscores the need for greater transparency and collaboration in the vulnerability disclosure process to ensure that security flaws are addressed promptly and effectively.
