<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple </span><span style="vertical-align: baseline;">iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023)</span><span style="vertical-align: baseline;">. </span><span style="vertical-align: baseline;">The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. </span><span style="vertical-align: baseline;">The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. </span></p> <p><span style="vertical-align: baseline;">The Coruna exploit kit provides </span><a href="https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">another example of how sophisticated capabilities proliferate</span></a><span style="vertical-align: baseline;">. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a </span><a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors_-_TAG_report.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">surveillance vendor</span></a><span style="vertical-align: baseline;">, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when i

Read Full Article at Mandiant Blog →