
Threat Actor Characterization

Coruna Exploit Kit


ID: d607f878b4c740c3ddd2289562a16a6c39250
Crimeware Exploit Kit
Threat types: Malware, Exploit Kit, iOS Exploit Kit, Exploitation Framework
China CHN, UKR
Updated: 2026-03-22
Created: 2026-03-19
Progress: 84% Completeness: 82% Freshness: 90%
Operation zone: China, Ukraine
Aliases: Coruna, The Coruna Exploit Kit
MITRE ATT&CK®

Coruna is a sophisticated iOS exploit kit publicly disclosed in 2026 and observed across surveillance, suspected Russian espionage, and financially motivated Chinese-linked campaigns. It delivers browser-based exploitation against iPhones on iOS 13.0 through 17.2.1 using device fingerprinting, hidden iFrames, staged loaders, and modular post-exploitation.


Technique | Technique name | Tactics | Evidence
T1189 | Drive-by Compromise | TA0001
  • 2026-03-03 — Public reporting states Coruna was delivered through malicious or compromised websites and hidden iFrames targeting iPhone browsers.
  • 2026-03-03 — Public reporting describes fake Chinese finance and cryptocurrency websites delivering the exploit kit to iOS visitors.
T1592 | Gather Victim Host Information | TA0043
  • 2026-03-03 — Public reporting says the framework performs device fingerprinting to determine whether the device is real and which iPhone model and iOS version it is running.
  • 2026-03-03 — INFERENCE (confidence: high): This fingerprinting directly supports exploit-chain selection and selective targeting logic.
T1027 | Obfuscated Files or Information | TA0005
  • 2026-03-03 — Public reporting describes obfuscated JavaScript, hashed resource addressing, ChaCha20-encrypted blobs, and compressed packaging in the framework.
  • 2026-03-03 — Community deobfuscation work exists for Coruna-related JavaScript and blobs, reinforcing the importance of obfuscation in the framework’s delivery logic.
T1203 | Exploitation for Client Execution | TA0002
  • 2026-03-03 — Public reporting documents use of WebKit RCE exploits against vulnerable iOS versions, including CVE-2024-23222 and older vulnerabilities.
  • 2024-01-22 — Apple advisory for CVE-2024-23222 states that processing maliciously crafted web content may lead to arbitrary code execution.
T1620 | Reflective Code Loading | TA0005
  • 2026-03-03 — INFERENCE (confidence: medium): Public reporting describes a binary loader used to load the appropriate exploit chain post-RCE within WebKit, consistent with staged in-memory loading behavior.
T1497 | Virtualization/Sandbox Evasion | TA0005, TA0007
  • 2026-03-03 — INFERENCE (confidence: medium): The framework bails out when the device is in Lockdown Mode or the user is in private browsing, reflecting environment-aware gating and evasion-minded operator logic.
T1071.001 | Web Protocols | TA0011
  • 2026-03-03 — Public reporting states that implants communicate over HTTPS and POST encrypted data, including custom headers in some requests.
T1568.002 | Domain Generation Algorithms | TA0011
  • 2026-03-03 — Public reporting describes an implant fallback mechanism using a custom domain generation algorithm seeded with the string 'lazarus' to generate predictable domains.
Strategic Intelligence
Last updated: 2026-03-19T21:05:24+00:00
Coruna Exploit Kit — Multi-actor iOS Exploit Kit / Exploitation Framework

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cyber / Exploit Kit / Mobile Exploitation Framework — Origin: Unknown (code authorship unknown; public use observed across surveillance, espionage, and financially motivated clusters)

Author: iQBlack CTI Team


Executive Summary

Coruna is a powerful iOS exploit kit publicly disclosed in March 2026. Public reporting indicates that the framework targeted Apple iPhone devices running iOS 13.0 through 17.2.1 and contained five full exploit chains and a total of 23 exploits. The kit appears to have been engineered as a reusable exploitation framework rather than a single campaign-specific package.


The most important analytical feature of Coruna is not only its technical depth, but its apparent proliferation across multiple threat contexts over the course of 2025. Public reporting describes initial use by a customer of a commercial surveillance vendor, later deployment in watering-hole operations against Ukrainian users by a suspected Russian espionage cluster, and subsequent mass use by a financially motivated China-based actor through fake finance and cryptocurrency websites. This progression strongly suggests capability transfer, resale, repurposing, or re-weaponization of an advanced mobile exploitation stack.

Hunting Playbook

Hunting Playbook — Coruna Exploit Kit

Priority: High for high-risk iPhone users, finance/crypto-themed lure exposure, and Ukrainian / Eastern Europe web ecosystems; Medium elsewhere.

IOC Appendix
Last updated: 2026-03-19T21:07:20+00:00

IOC Appendix — Coruna Exploit Kit

Scope & Caveats

OSINT Library
Last saved: 2026-03-19T21:07:40+00:00

OSINT Library — Coruna Exploit Kit


2026-03-03 — Google Threat Intelligence Group — “Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit”
