Find notable cyber news and cases, enriched with sources, timelines, and signals.

Coruna (CryptoWaters) iOS exploit kit targeting iOS 13.0–17.2.1

Malware Activity
First reported
Last updated
Happening score
H score 34
3 unique sources, 3 articles

Summary

Hide ▲

The Coruna iOS exploit kit is a continuously maintained successor to the Operation Triangulation framework and now incorporates five iOS exploit chains across 23 vulnerabilities. Kaspersky said the kit includes updated exploit code for CVE-2023-32434 and CVE-2023-38606, with explicit support for Apple A17 and M3 hardware and targeting up to iOS 17.2. The framework begins in Safari, fingerprints the device, selects matching RCE and PAC exploits, and then deploys the spyware payload. It has also been observed in financially motivated cryptocurrency theft campaigns, showing use beyond the original espionage context.

Related Happenings

Apple iOS, macOS, and Safari security updates (multiple vulnerabilities)

Security Patch Release
H score33 First: 30.06.2026 10:15 Last: 30.06.2026 10:15 Sources 1

About this happening: **Apple** released security updates for **iOS**, **macOS**, and **Safari** that fix **over three dozen flaws**, including **four WebKit vulnerabilities**. The update bundle covers...

WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)

Vulnerability
H score1 First: 30.06.2026 10:15 Last: 30.06.2026 10:15 Sources 1

About this happening: **WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...

Apple Passwords app and Safari add Apple Intelligence-powered automatic password repair

Security Tool/Service
H score10 First: 09.06.2026 00:03 Last: 09.06.2026 00:03 Sources 1

About this happening: **Apple Passwords app** and **Safari** are adding an **Apple Intelligence** feature that can automatically repair weak or compromised passwords, reducing password-hygiene risk for...

Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass

Technical Analysis
H score45 First: 06.06.2026 11:29 Last: 06.06.2026 11:29 Sources 1

About this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...

Apple and Google Messages beta rollout of cross-platform E2EE RCS

Security Tool/Service
H score11 First: 12.05.2026 16:00 Last: 12.05.2026 16:00 Sources 1

About this happening: Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...

Timeline

  1. 26.03.2026 15:10 1 articles · 3mo ago

    Kaspersky updates Coruna lineage to Operation Triangulation

    Technical Analysis Update

    Kaspersky researchers said Coruna is a continuously maintained successor to the original Operation Triangulation iPhone framework, with updated kernel exploit code for CVE-2023-32434 and CVE-2023-38606, explicit support for Apple's A17 and M3 chips, and targeting up to iOS 17.2.

    Show sources
  2. 05.03.2026 14:15 1 articles · 4mo ago

    UNC6691 uses Coruna in broader iPhone campaigns

    Campaign Scope Update

    Coruna reappeared in broader campaigns tied to UNC6691, a financially motivated actor operating from China, and a hidden frame silently delivered the exploit kit to visiting iPhones.

    Show sources
  3. 04.03.2026 15:28 1 articles · 4mo ago

    Google identifies Coruna iOS exploit kit

    Initial Disclosure

    Google identified Coruna (aka CryptoWaters), a browser-delivered exploit kit targeting Apple iPhone models running iOS 13.0–17.2.1, and GTIG said it contains five full iOS exploit chains and 23 exploits. The framework fingerprints the device to select the appropriate WebKit RCE exploit and PAC bypass, and Google said it had circulated since February 2025 while not being effective against the latest iOS.

    Show sources