
Coruna is also notable for its use by three different hacking groups. Google first detected its use in February last year in an operation conducted by “a customer of a surveillance vendor.” The vulnerability, tracked as CVE-2025-23222, was fixed 13 months ago. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in attacks against websites frequented by Ukrainian targets. Last December, Google was able to retrieve the entire exploit kit when it was used by a “financially motivated threat actor from China.”
“How this spread occurred is unclear, but ‘secondhand’ suggests an active market for zero-day exploits,” Google wrote. “In addition to these identified exploits, many threat actors have now acquired advanced exploit techniques that can be reused and modified with newly identified vulnerabilities.”
Google researchers further wrote:
We recovered all obfuscated exploits including the final payload. Upon further analysis, we observed an example where the actor deployed a debug version of the exploit kit, leaving all exploits in the clear, including their internal code names. That’s when we learned that the exploit kit was probably named Coruna internally. In total, we collected a few hundred samples covering a total of five complete iOS exploit chains. The exploit kit is capable of targeting various iPhone models running iOS version 13.0 (released in September 2019) to version 17.2.1 (released in December 2023).
The 23 exploits, including code names and other information, are as follows:
| Type | Code name | Targeted versions (inclusive) | Fixed version | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC Bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC Bypass | airy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC Bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC Bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC Bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent Sandbox Escape | ironloader | 16.0 → 16.3.1, 16.4.0 (<=A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent Sandbox Escape | Neuron Loader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | neutron | 13.x | 14.2 | CVE-2020-27932 |
| PE (Infoleak) | dynamo | 13.x | 14.2 | CVE-2020-27950 |
| PE | anchor | 14 → 14.4.x | 14.7 | No CVE |
| PE | photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | quark | 13.x | 14.5 | No CVE |
| PPL Bypass | gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | carbon | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |
CISA is only adding three CVEs to its catalog. They are:
- CVE-2021-30952 Apple multiple product integer overflow or wraparound vulnerabilities
- CVE-2023-41974 Apple iOS and iPadOS use-after-free vulnerability
- CVE-2023-43000 Apple multiple product use-after-free vulnerabilities
CISA is directing agencies to “implement mitigations in accordance with vendor instructions, follow applicable guidance for cloud services, or discontinue use of the product if mitigations are not available.” The agency warned: “These types of vulnerabilities are persistent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”