
Coruna: The iOS Exploit Kit Bringing Nation-State Capabilities to Mass Attacks
Coruna is a modular iOS exploit kit using multiple zero-day chains for full device compromise, persistent data access, and targeted app surveillance. Once exclusive to nation-states, Coruna shows a broader shift: advanced mobile exploitation is now scalable, repeatable, and increasingly accessible.
What is Coruna?
Coruna is a sophisticated iOS exploit framework composed of 23 exploits across five full exploit chains, targeting devices running iOS 13 through 17.2.1.
It enables attackers to move from initial access to full device compromise through a staged, modular architecture:
01. Safari-based Remote Code Execution (RCE) to gain initial access
02. Local Privilege Escalation to take control of the device
03. Multi-stage implants injected into trusted iOS processes
04. Dynamic modules deployed based on apps installed on the device
Unlike traditional spyware campaigns, Coruna is not limited to highly targeted victims. Any user who visits a compromised website on a vulnerable device can be infected. This marks a shift from targeted surveillance to repeatable, scalable mobile exploitation.
Nation-state capabilities are no longer contained: exploit chains once used for high-value targets are now reusable and scalable.
Mobile compromise bypasses traditional controls: device-level access enables interception of credentials, communications, and enterprise data.
Targeting is no longer required: watering-hole delivery means any employee device can become an entry point.
Security visibility breaks down: exploits operate inside legitimate system processes with no standalone malware artifacts.
On-Demand Coruna Threat Briefing
iVerify researchers independently analyzed Coruna, including exploit chains, infrastructure, and payload behavior.
WHAT YOU'LL LEARN
How Coruna achieves full device compromise across multiple iOS versions
Why traditional mobile security tools fail to detect it
How modular exploit kits are changing enterprise mobile risk
What organizations must do to detect and respond
How Coruna Works
Coruna uses a multi-stage exploit chain and modular payload delivery system:
Initial Access (Web-Based Exploit)
Delivered via compromised legitimate websites
No one-time links or strict targeting
Triggers Safari-based RCE on vulnerable devices
Privilege Escalation
Exploit chain escalates privileges to gain full device control
Includes environment checks (iOS version, Safari context, anti-analysis signals)
Multi-Stage Implant Deployment
Stage 2 payload executes inside powerd
Stage 3 payload executes inside locationd (CorePayload)
Establishes communication with command-and-control (C2) infrastructure
Modular Surveillance & Data Access
Dynamically loads modules based on installed apps
Injects into processes such as:
imagent (messaging / C2 communication)
SpringBoard (system-level control)
Third-party apps (including crypto wallets and messaging apps)
Data Collection & Exfiltration
Accesses:
Messages and communications
Photos and Apple Notes
App-specific data (including crypto wallets)
Uses legitimate system processes for stealthy exfiltration
Key Characteristics of Coruna
This is not just malware; it's a flexible exploitation platform.
Modular architecture: dynamically adapts to each device
Process injection: no standalone malicious app or binary
Fileless, low-artifact execution: minimal traditional indicators
Persistent and transient components: survives across sessions in some cases
App-aware targeting: deploys modules based on installed applications
How iVerify Detects Coruna
Coruna is designed to evade traditional detection by:
Avoiding standalone malware processes
Injecting into trusted system services
Using legitimate OS behavior for communication and persistence
Cleaning standard logs to hide the exploit chain
Traditional tools—focused on apps, signatures, or policy enforcement—miss this activity.
iVerify takes a fundamentally different approach:

Live Infection Detection
Detects active Coruna infections on iOS and Android devices in real time and triggers immediate response actions.
Behavioral Analysis
Identifies exploitation by monitoring abnormal activity in system processes such as powerd, locationd, and imagent.
Threat Hunting
Surfaces past infections through forensic artifacts, including crash logs, sysdiagnose data, and backup analysis.
Network & C2 Detection
Detects suspicious communication patterns, including abnormal user agents across system processes and unexpected network activity from non-networking services.
Forensic Indicators
Validates compromise using file system artifacts (temporary and persistent), Safari history (infection domains), log anomalies, and thread activity.
Historical Validation
Determines whether devices were previously compromised, even before patches were applied.
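As an added example (not iVerify's code or the page's own), here is a small Python triage script over constructed sysdiagnose-style connection records that applies the checks above: network activity from services that should not talk to the network, one User-Agent string reused across several system processes, and a destination shared by several injected services. The allowlist of networking processes, the sample destinations, and the record shape are assumptions.

```python
from collections import defaultdict

# Assumption (not from the page): iOS services that legitimately originate
# network traffic. imagent is a messaging daemon; powerd and locationd are
# not expected to open their own outbound connections.
NETWORKING_PROCESSES = {"imagent", "mobilesafari", "apsd", "nsurlsessiond"}

# Constructed sample records in the shape (process, destination, user_agent).
# The 203.0.113.7 address and the hostnames are documentation placeholders.
SAMPLE_RECORDS = [
    ("imagent", "sample-imessage-host.invalid", "CFNetwork/1494"),
    ("powerd", "203.0.113.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2)"),
    ("locationd", "203.0.113.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2)"),
    ("SpringBoard", "203.0.113.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2)"),
    ("MobileSafari", "news.example", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2)"),
]

def unexpected_network_activity(records):
    """Processes outside the networking allowlist that made any connection."""
    return sorted({proc for proc, _dst, _ua in records
                   if proc.lower() not in NETWORKING_PROCESSES})

def shared_user_agents(records, min_processes=2):
    """User-Agent strings reused by at least `min_processes` distinct processes,
    at least one of which is a non-networking service (e.g. a browser UA from powerd)."""
    by_ua = defaultdict(set)
    for proc, _dst, ua in records:
        by_ua[ua].add(proc)
    return {ua: sorted(procs) for ua, procs in by_ua.items()
            if len(procs) >= min_processes
            and any(p.lower() not in NETWORKING_PROCESSES for p in procs)}

def shared_destinations(records):
    """Destinations contacted by more than one non-networking process,
    a cheap way to spot a common C2 endpoint across injected services."""
    by_dst = defaultdict(set)
    for proc, dst, _ua in records:
        if proc.lower() not in NETWORKING_PROCESSES:
            by_dst[dst].add(proc)
    return {dst: sorted(procs) for dst, procs in by_dst.items() if len(procs) > 1}

def triage(records):
    """Combine the three checks into one report for an analyst."""
    return {
        "non_networking_processes": unexpected_network_activity(records),
        "shared_user_agents": shared_user_agents(records),
        "shared_destinations": shared_destinations(records),
    }
```

Run `triage(SAMPLE_RECORDS)` to see all three checks fire on the constructed data; on a real export, populate the records from the connection entries of a sysdiagnose and tune the allowlist to the device's baseline.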
Executive Brief: Coruna Threat Intelligence
Get a concise, executive-ready breakdown of Coruna and its implications for enterprise security.
KEY TAKEAWAYS INCLUDE:
Overview of Coruna's exploit chains and modular architecture
How nation-state capabilities are scaling into broader use
Enterprise risk and business impact
Recommended strategies for detection and response
Protect Your Organization from Advanced Mobile Exploits
Coruna demonstrates how quickly advanced mobile threats are evolving—from targeted surveillance tools to scalable attack frameworks. Organizations that rely on traditional mobile security approaches lack the visibility needed to detect these threats.
See how your organization could detect Coruna, with a free trial of iVerify.
Coruna FAQs
Who is targeted by Coruna?
What makes Coruna different from traditional mobile malware?
What data can Coruna access?
Does Coruna require user interaction?
Can Coruna bypass enterprise security controls like MFA?
Does Coruna leave evidence on the device?
How does iVerify detect Coruna?