Coruna: the exploit kit redefining risk in mobile security

March 13, 2026

A toolkit containing 23 exploits capable of compromising iPhones directly from the browser is changing how we must think about mobile security.

For years, Apple’s ecosystem has been perceived as one of the most secure mobile environments. However, the discovery of the Coruna exploit kit, publicly documented by security researchers in 2026, shows that even highly protected platforms can become targets for attackers.

Research from the Google Threat Intelligence Group revealed that Coruna is one of the most sophisticated iOS exploitation frameworks documented to date.

Researchers traced activity related to this framework back to 2025, when targeted campaigns began using these exploit chains to compromise mobile devices through malicious websites.

What is Coruna?

Coruna is an exploit kit designed to compromise iPhone devices by leveraging multiple vulnerabilities within the iOS operating system.

The framework includes 23 exploits organized into five attack chains, allowing operators to automatically select the most effective technique depending on the target device and its operating system version.

Tools like this significantly reduce the complexity of executing advanced attacks. Instead of developing exploits from scratch, attackers can rely on a ready-made framework that automates the exploitation process and increases the success rate of attacks.

The vulnerabilities used by Coruna primarily affected devices running iOS versions 13.0 through 17.2.1, released between 2019 and 2023, meaning that millions of devices may have been exposed for several years.
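
For defenders, the version range above translates into a fleet inventory check. The following is an added example, not code from the researchers or from this article's author: it sorts devices by whether their reported iOS version falls within 13.0 through 17.2.1, accepting either a plain version string or a Safari User-Agent string. The device IDs, sample rows, and function names are constructed for illustration, and the User-Agent is client-supplied, so it should be treated as a hint rather than an authoritative inventory value.

```python
import re

# Affected range as stated in the article: iOS 13.0 through 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# "iPhone OS 17_2_1" as it appears inside a Safari User-Agent string.
_UA_RE = re.compile(r"iPhone OS (\d+(?:_\d+){0,2})")
# Plain version such as "17.2.1", e.g. from an inventory export (assumed format).
_VER_RE = re.compile(r"^\d+(?:\.\d+){0,2}$")


def parse_ios_version(text):
    """Return (major, minor, patch) from a version or UA string, else None."""
    text = text.strip()
    if _VER_RE.match(text):
        parts = text.split(".")
    else:
        match = _UA_RE.search(text)
        if not match:
            return None
        parts = match.group(1).split("_")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "17.3" -> (17, 3, 0)


def triage(inventory):
    """Split (device_id, version_or_ua) rows into three buckets."""
    result = {"affected": [], "outside_range": [], "unknown": []}
    for device_id, raw in inventory:
        version = parse_ios_version(raw)
        if version is None:
            result["unknown"].append(device_id)  # unparsable: review manually
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            result["affected"].append(device_id)
        else:
            result["outside_range"].append(device_id)
    return result


# Constructed sample rows, not real devices.
SAMPLE = [
    ("dev-001", "17.2.1"),
    ("dev-002", "17.3"),
    ("dev-003", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) "
                "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/604.1"),
    ("dev-004", "12.5.7"),
    ("dev-005", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices in the "unknown" bucket deserve follow-up rather than being assumed safe, since a missing or unparsable version says nothing about exposure.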

How the attack works

Coruna follows an architecture similar to other exploit kits used in web-based attacks, but adapted to the mobile ecosystem.

1. Device identification

The attack typically begins when a victim visits a compromised website or one controlled by attackers.

Scripts executed in the browser analyze the device to identify:

  1. iPhone model
  2. operating system version
  3. browser characteristics
  4. execution environment

This device fingerprinting process determines whether the system is vulnerable and automatically selects the most effective exploit chain.

2. Exploit chain execution

Once the device is identified, the exploit kit launches a chain of vulnerabilities that may include:

  • flaws in the WebKit engine used by Safari
  • sandbox escape vulnerabilities
  • kernel privilege escalation techniques

By combining these vulnerabilities, attackers can move from a simple script running in a web page to privileged control inside the device’s operating system.

3. Device compromise

After compromising the system, the attacker can deploy a malicious payload or directly access sensitive information stored on the device.

Depending on the campaign, the objective may include:

  • digital surveillance
  • credential theft
  • access to financial information
  • extraction of data from installed applications

In some campaigns observed between 2025 and 2026, operators used Coruna to steal credentials and data associated with cryptocurrency wallets, demonstrating its potential use in financially motivated attacks.

From surveillance tool to cybercrime

One of the most concerning aspects of Coruna is its evolution.

Researchers observed the same framework appearing across different types of operations:

  • digital surveillance campaigns
  • targeted geopolitical attacks
  • criminal campaigns focused on financial theft

As these frameworks become more accessible, the technical barrier required to execute sophisticated attacks decreases, allowing more threat actors to leverage capabilities that were previously limited to highly specialized groups.

What Coruna reveals about digital security

The Coruna case highlights an important shift in how we should understand mobile security.

For years, many security architectures assumed that mobile devices, particularly within the iOS ecosystem, were relatively trustworthy environments. However, exploitation frameworks like Coruna demonstrate that device integrity can no longer be taken for granted.

Today, an attacker can compromise a device through a simple visit to a malicious website and operate from an environment that appears to applications as a legitimate session.

In this context, solutions like SmartID help analyze device and session signals in real time to identify compromised devices, manipulated environments, or malicious automation, even when valid credentials are used.
