Apple Issues Emergency Fixes For Coruna Flaws In Older IOS Versions

Apple released iOS 16.7.15 and 15.8.7 updates for older iPhones and iPads to patch vulnerabilities linked to the Coruna exploits.

Apple has released security updates for legacy devices, rolling out iOS and iPadOS 16.7.15 and 15.8.7 to address vulnerabilities tied to the recently disclosed Coruna exploits. The patches aim to protect older iPhone and iPad models that no longer receive the latest major OS versions.

In early March, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1. The kit includes five full exploit chains and a total of 23 exploits.

Codename	CVE	Type
buffout	CVE-2021-30952	WebContent R/W
jacurutu	CVE-2022-48503	WebContent R/W
bluebird	No CVE	WebContent R/W
terrorbird	CVE-2023-43000	WebContent R/W
cassowary	CVE-2024-23222	WebContent R/W
breezy	No CVE	WebContent PAC bypass
breezy15	No CVE	WebContent PAC bypass
seedbell	No CVE	WebContent PAC bypass
seedbell_16_6	No CVE	WebContent PAC bypass
seedbell_17	No CVE	WebContent PAC bypass
IronLoader	CVE-2023-32409	WebContent sandbox escape
NeuronLoader	No CVE	WebContent sandbox escape
Neutron	CVE-2020-27932	PE
Dynamo	CVE-2020-27950	PE (infoleak)
Pendulum	No CVE	PE
Photon	CVE-2023-32434	PE
Parallax	CVE-2023-41974	PE
Gruber	No CVE	PE
Quark	No CVE	PPL Bypass
Gallium	CVE-2023-38606	PPL Bypass
Carbone	No CVE	PPL Bypass
Sparrow	CVE-2024-23225	PPL Bypass
Rocket	CVE-2024-23296	PPL Bypass

While highly capable against iPhones running iOS 13.0 through 17.2.1versions, Coruna is ineffective against the latest iOS release, according to Google.

GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits. Multiple threat actors now reuse and adapt these advanced techniques for new vulnerabilities.

- Advertisement -

Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.

The Coruna exploit kit relies on a highly engineered framework that links all components through shared utilities and custom loaders. It avoids devices in Lockdown Mode or private browsing, derives resource URLs from a hard-coded cookie, and delivers WebKit RCE and PAC bypasses in clear form. After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions. In total, the kit includes 23 exploits covering iOS 13 through 17.2.1, with advanced mitigation bypasses and reusable modules for defeating memory and kernel protections.

At the end of the chain, a stager called PlasmaLoader injects into a root daemon and deploys a financially focused payload.

The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information and loading additional modules from command-and-control servers. It targets numerous cryptocurrency apps, uses encrypted communications, and falls back on a custom domain generation algorithm seeded with “lazarus” to maintain persistence.

Apple released iOS and iPadOS 15.8.7 for older devices to patch vulnerabilities previously fixed in newer versions of iOS and iPadOS. Version 15.8.7 fixes CVE-2023-41974, CVE-2024-23222, CVE-2023-43000, and CVE-2023-43010.

“This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version.” reads the advisory published by Apple.

Meanwhile, version 16.7.15 patches the WebKit vulnerability CVE-2023-43010.

Pierluigi Paganini