Coruna (CryptoWaters) iOS exploit kit targeting iOS 13.0–17.2.1
Malware Activity
Summary
The Coruna iOS exploit kit is a continuously maintained successor to the Operation Triangulation framework and now incorporates five iOS exploit chains across 23 vulnerabilities. Kaspersky said the kit includes updated exploit code for CVE-2023-32434 and CVE-2023-38606, with explicit support for Apple A17 and M3 hardware and targeting up to iOS 17.2. The framework begins in Safari, fingerprints the device, selects matching RCE and PAC exploits, and then deploys the spyware payload. It has also been observed in financially motivated cryptocurrency theft campaigns, showing use beyond the original espionage context.
Related Happenings
Apple and Google Messages beta rollout of cross-platform E2EE RCS
Security Tool/Service
First: 12.05.2026 16:00
Last: 12.05.2026 16:00
Sources 1
About this happening:
Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...
iOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/Service
First: 12.05.2026 08:18
Last: 12.05.2026 08:18
Sources 1
About this happening:
Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
**MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...
Google integrates Rust DNS parser into Pixel modem firmware
Security Tool/Service
First: 14.04.2026 13:21
Last: 14.04.2026 13:21
Sources 1
About this happening:
Google is **integrating a Rust-based DNS parser** into **Pixel modem firmware**, reducing memory-safety risk in a **remote cellular attack surface**. The change matters because th...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware Activity
First: 03.04.2026 12:10
Last: 03.04.2026 12:10
Sources 1
About this happening:
The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
Timeline
- 26.03.2026 15:10 · 1 article
Kaspersky updates Coruna lineage to Operation Triangulation
Technical Analysis Update: Kaspersky researchers said Coruna is a continuously maintained successor to the original Operation Triangulation iPhone framework, with updated kernel exploit code for CVE-2023-32434 and CVE-2023-38606, explicit support for Apple's A17 and M3 chips, and targeting up to iOS 17.2.
Sources:
- Coruna iOS exploit framework linked to Triangulation attacks — www.bleepingcomputer.com — 26.03.2026 15:10
- 05.03.2026 14:15 · 1 article
UNC6691 uses Coruna in broader iPhone campaigns
Campaign Scope Update: Coruna reappeared in broader campaigns tied to UNC6691, a financially motivated actor operating from China, and a hidden frame silently delivered the exploit kit to visiting iPhones.
Sources:
- Coruna Exploit Kit Targets Older iPhones in Multi-Stage Campaigns — www.infosecurity-magazine.com — 05.03.2026 14:15
- 04.03.2026 15:28 · 1 article
Google identifies Coruna iOS exploit kit
Initial Disclosure: Google identified Coruna (aka CryptoWaters), a browser-delivered exploit kit targeting Apple iPhone models running iOS 13.0–17.2.1, and GTIG said it contains five full iOS exploit chains and 23 exploits. The framework fingerprints the device to select the appropriate WebKit RCE exploit and PAC bypass. Google said the kit had circulated since February 2025 and is not effective against the latest iOS.
Sources:
- Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 — thehackernews.com — 04.03.2026 15:28