Tuesday , July 14 2026
Coruna

Thousands of iPhones likely Compromised via Coruna Exploit Kit with 23 Vulns

Google’s Threat Intelligence Group found Coruna, a complex iOS exploit kit with 23 exploits in five chains, affecting thousands of iPhones on iOS 13.0 to 17.2.1 in 2025. The Coruna exploit kit is a sophisticated iOS attack tool by GTIG that targets iPhones from iOS 13.0 (September 2019) to iOS 17.2.1 (December 2023).

“A highly sophisticated set of iPhone hijacking techniques has likely infected tens of thousands of phones or more. Clues suggest it was originally built for the US government” according to Wired.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

Three-Phase Exploit Timeline:

GTIG observed Coruna moving through three different groups of threat actors over the course of 2025, a rare window into how elite exploit kits proliferate from commercial surveillance vendors to state-sponsored espionage groups and finally to financially motivated criminals.

February 2025 – Commercial Surveillance Customer: GTIG discovered an iOS exploit chain using a new JavaScript framework with unique obfuscation. This framework identified the iPhone model and iOS version before executing a WebKit remote code execution (RCE) exploit and bypassing Pointer Authentication Code (PAC).

Summer 2025 – Russian Espionage (UNC6353): A similar JavaScript framework was discovered on cdn.uacounter[.]com, hidden in iFrames on many compromised Ukrainian websites in various sectors. Attacks targeted iPhone users based on their geolocation. GTIG informed CERT-UA to address the affected sites.

Late 2025 – Chinese Financial Fraud (UNC6691): A full exploit kit was found within a network of fake Chinese financial and crypto websites targeting iOS users. One fake WEEX crypto exchange site even showed pop-ups encouraging users to visit on their iPhones.

The Exploits and Their Code Names

Type Codename Targeted versions (inclusive) Fixed version CVE
WebContent R/W buffout 13 → 15.1.1 15.2 CVE-2021-30952
WebContent R/W jacurutu 15.2 → 15.5 15.6 CVE-2022-48503
WebContent R/W bluebird 15.6 → 16.1.2 16.2 No CVE
WebContent R/W terrorbird 16.2 → 16.5.1 16.6 CVE-2023-43000
WebContent R/W cassowary 16.6 → 17.2.1 16.7.5, 17.3 CVE-2024-23222
WebContent PAC bypass breezy 13 → 14.x ? No CVE
WebContent PAC bypass breezy15 15 → 16.2 ? No CVE
WebContent PAC bypass seedbell 16.3 → 16.5.1 ? No CVE
WebContent PAC bypass seedbell_16_6 16.6 → 16.7.12 ? No CVE
WebContent PAC bypass seedbell_17 17 → 17.2.1 ? No CVE
WebContent sandbox escape IronLoader 16.0 → 16.3.116.4.0 (<= A12) 15.7.8, 16.5 CVE-2023-32409
WebContent sandbox escape NeuronLoader 16.4.0 → 16.6.1 (A13-A16) 17.0 No CVE
PE Neutron 13.X 14.2 CVE-2020-27932
PE (infoleak) Dynamo 13.X 14.2 CVE-2020-27950
PE Pendulum 14 → 14.4.x 14.7 No CVE
PE Photon 14.5 → 15.7.6 15.7.7, 16.5.1 CVE-2023-32434
PE Parallax 16.4 → 16.7 17.0 CVE-2023-41974
PE Gruber 15.2 → 17.2.1 16.7.6, 17.3 No CVE
PPL Bypass Quark 13.X 14.5 No CVE
PPL Bypass Gallium 14.x 15.7.8, 16.6 CVE-2023-38606
PPL Bypass Carbone 15.0 → 16.7.6 17.0 No CVE
PPL Bypass Sparrow 17.0 → 17.3 16.7.6, 17.4 CVE-2024-23225
PPL Bypass Rocket 17.1 → 17.4 16.7.8, 17.5 CVE-2024-23296
Table 1: Table with mapping CVE to code names
GTIG has added all identified domains to Google Safe Browsing, and researchers confirmed that the Coruna exploit kit does not work on the latest iOS versions. Users should update their iPhones to the latest iOS for protection. If updating isn’t possible, enabling Lockdown Mode is advised, as Coruna avoids detection in this mode. Users should also refrain from visiting unverified financial and cryptocurrency sites in mobile Safari. Organizations should monitor for unusual network requests to .xyz domains and watch for suspicious HTTP headers like “sdkv” and “x-ts” as possible command-and-control indicators.

Check Also

CrowdStrike

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI …