Apple has released security updates for legacy devices, rolling out iOS and iPadOS 16.7.15 and 15.8.7 to address vulnerabilities tied to the recently disclosed Coruna exploits. The patches aim to protect older iPhone and iPad models that no longer receive the latest major OS versions.
In early March, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1. The kit includes five full exploit chains and a total of 23 exploits.
| Codename | CVE | Type |
|---|---|---|
| buffout | CVE-2021-30952 | WebContent R/W |
| jacurutu | CVE-2022-48503 | WebContent R/W |
| bluebird | No CVE | WebContent R/W |
| terrorbird | CVE-2023-43000 | WebContent R/W |
| cassowary | CVE-2024-23222 | WebContent R/W |
| breezy | No CVE | WebContent PAC bypass |
| breezy15 | No CVE | WebContent PAC bypass |
| seedbell | No CVE | WebContent PAC bypass |
| seedbell_16_6 | No CVE | WebContent PAC bypass |
| seedbell_17 | No CVE | WebContent PAC bypass |
| IronLoader | CVE-2023-32409 | WebContent sandbox escape |
| NeuronLoader | No CVE | WebContent sandbox escape |
| Neutron | CVE-2020-27932 | PE |
| Dynamo | CVE-2020-27950 | PE (infoleak) |
| Pendulum | No CVE | PE |
| Photon | CVE-2023-32434 | PE |
| Parallax | CVE-2023-41974 | PE |
| Gruber | No CVE | PE |
| Quark | No CVE | PPL Bypass |
| Gallium | CVE-2023-38606 | PPL Bypass |
| Carbone | No CVE | PPL Bypass |
| Sparrow | CVE-2024-23225 | PPL Bypass |
| Rocket | CVE-2024-23296 | PPL Bypass |
While highly capable against iPhones running iOS 13.0 through 17.2.1, Coruna is ineffective against the latest iOS release, according to Google.
GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits. Multiple threat actors now reuse and adapt these advanced techniques for new vulnerabilities.
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
The Coruna exploit kit relies on a highly engineered framework that links all components through shared utilities and custom loaders. It avoids devices in Lockdown Mode or private browsing, derives resource URLs from a hard-coded cookie, and delivers WebKit RCE and PAC bypasses in clear form. After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions. In total, the kit includes 23 exploits covering iOS 13 through 17.2.1, with advanced mitigation bypasses and reusable modules for defeating memory and kernel protections.
At the end of the chain, a stager called PlasmaLoader injects into a root daemon and deploys a financially focused payload.
The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information and loading additional modules from command-and-control servers. It targets numerous cryptocurrency apps, uses encrypted communications, and falls back on a custom domain generation algorithm seeded with “lazarus” to maintain persistence.
Apple released iOS and iPadOS 15.8.7 for older devices to patch vulnerabilities previously fixed in newer versions of iOS and iPadOS. Version 15.8.7 fixes CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010.
“This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version,” reads the advisory published by Apple.
Meanwhile, version 16.7.15 patches the WebKit vulnerability CVE-2023-43010.
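For a defender with a fleet of mixed-age Apple devices, the practical question is which ones still sit inside the Coruna-affected window and which have picked up one of the fixes named above. The following Python script is an added example written for this article; it is not code from Security Affairs, Google or Apple. It uses only the version facts stated on the page (affected range 13.0 through 17.2.1, fix shipped in iOS 17.3, legacy fixes in 15.8.7 and 16.7.15) and assumes a simple MDM export in CSV form with `device_id` and `ios_version` columns; the inventory rows and device names are constructed. Devices on 13.x or 14.x are flagged separately because the article names no legacy release for those branches.

```python
"""Triage an iOS device inventory against the Coruna-affected version range.

Added example, not part of the original article. Version thresholds come
from the article; the CSV layout and the inventory rows are constructed
assumptions about what an MDM export might look like.
"""
import csv
import io
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Range stated by Google: iOS 13.0 through 17.2.1 is targeted by the kit.
AFFECTED_MIN: Version = (13, 0, 0)
AFFECTED_MAX: Version = (17, 2, 1)

# Lowest release per major branch that carries the fix, per the article
# (17.3 from Apple's advisory; 15.8.7 and 16.7.15 are the legacy updates).
PATCHED_BY_BRANCH: Dict[int, Version] = {
    15: (15, 8, 7),
    16: (16, 7, 15),
    17: (17, 3, 0),
}


def parse_version(text: str) -> Version:
    """Parse '16.7.15' or '17.3' into a 3-tuple; raise ValueError on junk."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version_text: str) -> str:
    """Return one of: patched, not_affected, out_of_range,
    vulnerable, vulnerable_no_legacy_fix."""
    v = parse_version(version_text)
    patched = PATCHED_BY_BRANCH.get(v[0])
    if patched is not None and v >= patched:
        return "patched"                      # carries the fix for its branch
    if v > AFFECTED_MAX:
        return "not_affected"                 # newer than the targeted range
    if v < AFFECTED_MIN:
        return "out_of_range"                 # older than 13.0; not discussed on the page
    if patched is None:
        return "vulnerable_no_legacy_fix"     # 13.x / 14.x: no fixed release named
    return "vulnerable"                       # in range, below the branch's fixed release


# Constructed inventory export (assumed MDM CSV shape), not real devices.
INVENTORY_CSV = """device_id,ios_version
ipad-0031,15.8.6
ipad-0044,15.8.7
iphone-0102,16.7.15
iphone-0107,16.7.14
iphone-0210,17.2.1
iphone-0211,17.3
iphone-0300,18.1
iphone-0009,12.5.7
ipad-0012,14.8.1
iphone-9999,unknown
"""


def triage(csv_text: str) -> Dict[str, str]:
    """Map each device_id in the export to its Coruna status."""
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            result[row["device_id"]] = classify(row["ios_version"])
        except ValueError:
            result[row["device_id"]] = "unparseable"   # malformed inventory row
    return result


def summarize(statuses: Dict[str, str]) -> Dict[str, int]:
    """Count devices per status, for a quick fleet-level view."""
    counts: Dict[str, int] = {}
    for status in statuses.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    statuses = triage(INVENTORY_CSV)
    for device, status in sorted(statuses.items()):
        print(f"{device:14s} {status}")
    print(summarize(statuses))
```

Anything reported as `vulnerable` or `vulnerable_no_legacy_fix` is still inside the range the kit targets; the former can be closed by moving to the branch's fixed release, while the latter has no fix named in this article and needs a device replacement or isolation decision. `out_of_range` is deliberately not labelled safe, since the article says nothing about releases older than 13.0.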
(SecurityAffairs – hacking, Apple)