Coruna: Inside the Nation-State-Grade iOS Exploit Kit We've Been Tracking

iVerify analyzed the Coruna (aka CryptoWaters) iOS exploit kit — a modular 1‑click chain of Safari RCE and local privilege escalation affecting iOS 13–17.2.1 — used in watering‑hole mass exploitation. The chain loads multi‑stage implants (powerd → locationd → process‑injected dylibs) that exfiltrate photos, notes, and target crypto wallets; the report provides capture methodology, extensive IOCs (domains, file paths, user agents, thread/queue names, SHA256s) and downloadable STIX2 indicators for detection and forensic triage.