Inside the Coruna Crisis: How Apple’s iOS Faced Its Most Ruthless Exploit Kit Yet
Apple’s rare emergency patch for older iPhones reveals a sprawling cyber-espionage campaign and a powerful exploit kit now fueling global crime.
It started as a whisper in the cyber underground - rumors of a toolkit capable of breaching nearly every iPhone still in use. By March 2026, the world knew its name: Coruna. As the dust settles from the latest Apple security advisories, a chilling truth emerges - no iOS device is too old to matter, and the lines between state espionage and cybercrime have never been blurrier.
Fast Facts
- Coruna is a sophisticated exploit kit with 23 exploits across five attack chains targeting iOS 13.0 to 17.2.1.
- Originally developed for surveillance, Coruna is now used by both nation-state and criminal groups.
- Apple released emergency patches for legacy iOS/iPadOS versions (15.8.7 and 16.7.15) to address critical vulnerabilities.
- The patched vulnerabilities include one kernel flaw and multiple WebKit flaws, some actively abused in the wild.
- Coruna has been linked to espionage against Ukraine and large-scale fraud by China-linked cybercriminals.
From Spyware to Cybercrime: The Coruna Evolution
Coruna didn’t appear overnight. According to researchers from Google and iVerify, its roots lie in the shadowy world of commercial surveillance vendors - firms that sell hacking tools to governments. Initially, Coruna was a weapon for targeted spying, quietly infiltrating select iPhones in high-stakes intelligence operations.
The kit’s sophistication is undeniable: 23 distinct exploits, woven into five attack chains, enable attackers to bypass Apple’s defenses and seize full control of a device. Remote code execution is just the start - once inside, attackers can install persistent malware, exfiltrate data, and monitor communications undetected.
But the real nightmare began when Coruna leaked from state arsenals into the hands of cybercriminals. By early 2026, evidence surfaced of its use in Russia-linked espionage campaigns against Ukrainian targets. Soon after, China-based fraud groups began weaponizing Coruna to commit large-scale scams, turning a nation-state tool into a mass-market weapon.
Apple’s Unprecedented Response
Apple’s security updates over the past two years quietly addressed many of Coruna’s underlying vulnerabilities in iOS 16 and 17. But with millions still running older devices, the company broke with tradition in March 2026, issuing emergency patches for iOS and iPadOS 15.8.7 and 16.7.15. The new fixes address four critical flaws, including a kernel vulnerability (CVE-2023-41974) and three WebKit bugs that allow malicious websites to seize control of a device.
Notably, while Google reports in-the-wild exploitation, Apple’s advisories remain silent on whether attacks have targeted everyday users. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added several Coruna flaws to its high-risk catalog, underscoring the urgency for all users - especially those on older devices - to update immediately.
Reflections from the Frontlines
The Coruna episode is a sobering reminder: the boundary between elite cyber weapons and everyday crime is vanishing. As exploit kits slip from government control into the hands of profit-driven hackers, every smartphone becomes a potential battleground. Apple’s rare move to patch legacy devices signals both the scale of the threat and the need for relentless vigilance - even for devices that seem left behind by progress.
WIKICROOK
- Exploit Kit: An exploit kit is software that scans devices for vulnerabilities and automatically delivers malware if a weakness is found, enabling efficient cyberattacks.
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Kernel: The kernel is the core of an operating system, managing hardware and software resources to ensure efficient and secure system operation.
- WebKit: WebKit is the browser engine behind Safari and many Apple apps, responsible for displaying web content and often targeted for security exploits.
- Attack Chain: An attack chain is the series of steps a cyber attacker follows to exploit vulnerabilities and achieve their goals within a target system or network.