Google Threat Intelligence Group has identified a powerful exploit kit dubbed Coruna (aka CryptoWaters) targeting iPhones running iOS versions between 13.0 and 17.2.1. The kit features five full iOS exploit chains and a total of 23 exploits, making it one of the most sophisticated iOS attack frameworks ever observed outside of nation-state operations.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” Google said. The framework surrounding the kit is “extremely well engineered.”
The kit circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally to a financially motivated actor operating from China — demonstrating an active secondary market for zero-day exploits.
Kaspersky found that Coruna is an evolution of the framework used in Operation Triangulation, the sophisticated zero-click iMessage spyware campaign first uncovered in June 2023. It marks the first observed mass exploitation against iOS devices, signaling that spyware attacks are shifting from highly targeted to broad deployment.