Coruna iOS mass exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
The Coruna exploit kit marks the first observed mass exploitation against iOS devices, shifting risk from highly targeted spyware to broad deployment against iPhone users. It combines a device-fingerprinting framework with multiple iOS exploit chains to choose the right WebKit RCE path for each target. The development matters because it shows advanced mobile exploitation being reused at scale rather than confined to isolated surveillance operations.
Cases
Related Happenings
AI-driven attack surge against customer-facing mobile apps in 2026
Target Trend
First: 19.05.2026 15:00
Last: 19.05.2026 15:00
Sources 1
About this happening:
**Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
AI-driven attack surge against customer-facing mobile apps in 2026
Target TrendAbout this happening: **Customer-facing mobile apps** faced a sharp rise in attacks in **2026**, with **87%** of monitored apps hit versus **55% in 2022**. The trend matters because **agentic AI** is l...
IOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/Service
First: 12.05.2026 08:18
Last: 12.05.2026 08:18
Sources 1
About this happening:
Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
IOS 26.5 beta rolls out default end-to-end encrypted RCS messaging on iPhone and Android
Security Tool/ServiceAbout this happening: Apple's **iOS 26.5** beta adds **default end-to-end encrypted RCS** messaging for **iPhone** and **Android** users, strengthening privacy in cross-platform chats. The rollout cove...
Apple iOS 18.7.7 security update expansion for DarkSword
Security Patch Release
First: 02.04.2026 00:50
Last: 02.04.2026 00:50
Sources 1
About this happening:
Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...
Apple iOS 18.7.7 security update expansion for DarkSword
Security Patch ReleaseAbout this happening: Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Operation Triangulation updated iPhone espionage campaign
CampaignAbout this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical AnalysisAbout this happening: **Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Timeline
-
04.03.2026 15:28 2 articles · 2mo ago
Coruna iOS exploit kit identified across Apple iPhone targets
Initial DisclosureGoogle identified Coruna (aka CryptoWaters) as a new and powerful exploit kit targeting Apple iPhone models running iOS 13.0–17.2.1, and GTIG said it contained five full iOS exploit chains and 23 exploits built around device fingerprinting, WebKit RCE exploitation, and a PAC bypass. The same reporting also tied the framework to activity that circulated since February 2025, appeared on compromised Ukrainian websites in July 2025 through a hidden iFrame delivery path, and later surfaced on fake Chinese finance websites in December 2025 without geolocation constraints, while noting that the kit is not effective against the latest iOS.
Show sources
- Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 — thehackernews.com — 04.03.2026 15:28
- Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks — thehackernews.com — 20.03.2026 07:16