Coruna can also be notable for its use by three distinct hacking groups. Google first detected its use in February of last 12 months in an operation conducted by a “customer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in attacks planted on web sites that were frequented by Ukrainian targets. Last December, when it was utilized by a “financially motivated threat actor from China,” Google was capable of retrieve the entire exploit kit.
“How this proliferation occurred is unclear, but suggests an lively marketplace for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that might be re-used and modified with newly identified vulnerabilities.”
Google researchers went on to jot down:
We retrieved all of the obfuscated exploits, including ending payloads. Upon further evaluation, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving within the clear the entire exploits, including their internal code names. That’s after we learned that the exploit kit was likely named Coruna internally. In total, we collected a couple of hundred samples covering a complete of 5 full iOS exploit chains. The exploit kit is capable of goal various iPhone models running iOS version 13.0 (released in September 2019) as much as version 17.2.1 (released in December 2023).
The 23 exploits, together with the code names and other information, are:
| Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.116.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is adding only three of the CVEs to its catalog. They’re:
- CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
- CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
- CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability
CISA is directing agencies to “apply mitigations per vendor instructions, follow applicable… guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The agency went on to warn: “All these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”