HeadlinesBriefing.com

Apple iOS Exploits: 23 Zero-Day Vulnerabilities Exposed

Ars Technica

Google researchers have uncovered Coruna, an exploit kit containing 23 zero-day vulnerabilities that have been used by multiple hacking groups targeting iOS devices. The kit, which includes five complete exploit chains, was discovered after a threat actor accidentally deployed a debug version revealing internal code names and techniques. The vulnerabilities affected iPhone models running iOS versions from 13.0 to 17.2.1, spanning a period from 2019 to 2023.

The exploit kit's proliferation across three distinct hacking groups—including a surveillance vendor customer, a suspected Russian espionage group targeting Ukrainians, and a financially motivated Chinese actor—suggests an active market for "second-hand" zero-day exploits. Google retrieved hundreds of samples, including complete exploit kits and payloads, revealing the sophisticated nature of these attacks. The vulnerabilities include WebContent read/write exploits, PAC bypass techniques, sandbox escapes, and privilege escalation methods.

CISA has added only three of the 23 CVEs to its catalog of known exploited vulnerabilities, directing federal agencies to apply vendor mitigations or discontinue use of affected products. The agency warns these vulnerabilities pose significant risks to the federal enterprise as frequent attack vectors for malicious cyber actors. Apple has patched most of these vulnerabilities in subsequent iOS updates, but the discovery highlights the ongoing challenges of securing mobile devices against sophisticated, multi-group exploitation campaigns.