Campaign Exploitation Wave Security Patch Release Vulnerability

Coruna iPhone exploitation and Apple response

Updated 26.03.2026 13:07

Case score 63

Case score 63 Members 5 Latest activity 26.03.2026 13:07 Active exploitation Patch available

Active exploitation Patch available

Members 5 First seen 04.03.2026 15:28 Last seen 26.03.2026 13:07 Updated 26.03.2026 13:07

Overview

Coruna is being reused against **iPhone** users through watering-hole and lure-site delivery, with UNC6353 tied to compromised Ukrainian websites and UNC6691 tied to fake gambling and crypto pages. The kit fingerprints the device and iOS version before selecting an exploit path, and it will not run when **Lockdown Mode** or private browsing is enabled. The activity spans five exploit chains and 23 exploits across older iOS and iPadOS versions, including **CVE-2024-23222** and older WebKit and kernel flaws such as **CVE-2023-43010**. Apple has backported fixes for legacy devices and Google has blocked identified infrastructure, but available evidence still does not quantify the full reach of compromise.

Key facts

**Coruna** is being used against **iPhone** users through watering-hole and lure-site delivery, with UNC6353 tied to compromised Ukrainian websites and UNC6691 tied to fake gambling and crypto pages.
The framework uses **five full exploit chains** and **23 exploits**, and it fingerprints the device and iOS version before choosing an exploit path.
The activity includes exploitation of **CVE-2024-23222** and earlier Apple flaws including **CVE-2023-43010**, **CVE-2023-32434**, and **CVE-2023-38606**.
Apple backported the **CVE-2023-43010** fix to **iOS 15.8.7**, **iPadOS 15.8.7**, **iOS 16.7.15**, and **iPadOS 16.7.15** for older devices that could not move to newer releases.
Google added identified sites and domains to **Safe Browsing** and advised updating iOS or enabling **Lockdown Mode** where updating is not possible.
Available evidence does not quantify compromise totals, and the full reach of the abuse remains unknown.

Malware context

5 families · 5 tools

Tools

Coruna DarkSword Gallium iVerify Photon

Signals

12 derived

Exploitation

Exploitation Active exploitation

Affected impact

Containment Unknown

CVEs/products

CVE CVE CVE CVE

Victims/regions

Attacker region United States Victim region Ukraine

Remediation

Remediation Patch available

Threat context

Threat context Coruna Actor UNC6353 Actor UNC6691

Member happenings

5 related

Campaign UNC6353 and UNC6691 Coruna iOS exploit campaign

Updated 04.03.2026 21:06 Lead Contribution 58

Campaign Active

The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used the framework against compromised Ukrainian websites in **summer 2025**, and **UNC6691** later tied it to fake gambling and crypto sites in **late 2025**. The shift matters because the same exploit kit was reused across **espionage** and **financial theft** operations, broadening the risk to ordinary mobile users. The kit also selected exploit chains by device fingerprint and could stop when **Lockdown Mode** or private browsing was enabled.

View happening

Campaign Coruna watering-hole and fake-site exploitation campaign

Updated 26.03.2026 13:07 Scoring Support Contribution 3

Campaign Active

A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyond its original precision-espionage role. The operation steers users who visit compromised or lure websites through a browser-fingerprinting exploit chain that can select the right payload and deliver **PlasmaLoader (aka PLASMAGRID)**. That broadens risk for **unpatched Apple iPhone** users and shows how a once-targeted framework can be repurposed for wider abuse.

View happening

Exploitation Wave Coruna iOS mass exploitation wave

Updated 04.03.2026 15:28 Scoring Support Contribution 2

Exploitation Active Exploitation Patch Patch Available

The **Coruna** exploit kit marks the **first observed mass exploitation against iOS devices**, shifting risk from highly targeted spyware to **broad deployment** against **iPhone users**. It combines a **device-fingerprinting framework** with multiple iOS exploit chains to choose the right **WebKit RCE** path for each target. The development matters because it shows advanced mobile exploitation being reused at scale rather than confined to isolated surveillance operations.

View happening

Security Patch Release Apple security patch release for CVE-2023-43010

Updated 12.03.2026 11:58 Context

Exploitation Active Exploitation Urgency High Patch Patch Available

**Apple** backported **Coruna-linked WebKit fixes** to **older iOS and iPadOS devices**, reducing exposure on legacy hardware that cannot move to the latest release. The update extends protection for **CVE-2023-43010** and related flaws to iPhones and iPads left behind by newer versions. It matters because the flaw was used in an exploit kit that could process **malicious web content** and trigger **memory corruption**.

View happening

Vulnerability WebKit memory-corruption flaw actively exploited (CVE-2023-43010)

Updated 12.03.2026 11:58 Context

Exploitation Active Exploitation Patch Patch Available

Older **iPhone and iPad** devices received the **CVE-2023-43010** fix, extending protection against a **WebKit memory-corruption flaw** used in the **Coruna exploit kit**. The bug could be triggered by **maliciously crafted web content**, creating risk for browser-driven code execution on affected systems. The backport covers **iOS 15.8.7**, **iPadOS 15.8.7**, **iOS 16.7.15**, and **iPadOS 16.7.15** for devices that cannot move to newer releases. Apple said the issue had already been fixed in **iOS 17.2** on **December 11th, 2023**.

View happening