Coruna can be notable for its use by three distinct hacking teams. Google first detected its use in February of final 12 months in an operation performed by a “buyer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in assaults planted on web sites that have been frequented by Ukrainian targets. Final December, when it was utilized by a “financially motivated menace actor from China,” Google was capable of retrieve the whole exploit equipment.
“How this proliferation occurred is unclear, however suggests an lively marketplace for ‘second hand’ zero-day exploits,” Google wrote. “Past these recognized exploits, a number of menace actors have now acquired superior exploitation methods that may be re-used and modified with newly recognized vulnerabilities.”
Google researchers went on to write down:
We retrieved all of the obfuscated exploits, together with ending payloads. Upon additional evaluation, we seen an occasion the place the actor deployed the debug model of the exploit equipment, leaving within the clear all the exploits, together with their inside code names. That’s after we discovered that the exploit equipment was seemingly named Coruna internally. In complete, we collected a number of hundred samples overlaying a complete of 5 full iOS exploit chains. The exploit equipment is ready to goal numerous iPhone fashions working iOS model 13.0 (launched in September 2019) as much as model 17.2.1 (launched in December 2023).
The 23 exploits, together with the code names and different info, are:
| Kind | Codename | Focused variations (inclusive) | Fastened variations | CVE |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is including solely three of the CVEs to its catalog. They’re:
- CVE-2021-30952 Apple A number of Merchandise Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000 Apple A number of merchandise Use-After-Free Vulnerability
CISA is directing companies to “apply mitigations per vendor directions, comply with relevant… steering for cloud providers, or discontinue use of the product if mitigations are unavailable.” The company went on to warn: “These kind of vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise.”
