Coruna Unleashed: Deep Dive into the Stealthy Multi‑Stage Browser Exploit Framework Bypassing Apple’s PAC on iOS/macOS + Video

Introduction:

Coruna is a sophisticated, multi‑stage browser exploit framework targeting Apple’s Safari/WebKit engine on ARM64 (arm64e) devices running iOS and macOS. Delivered via watering‑hole compromise, the entire attack chain executes within the browser context – parsing Mach‑O binaries from JavaScript, scanning system framework memory for ROP/JOP gadgets, bypassing Apple’s Pointer Authentication Codes (PAC), escaping the JIT cage, and establishing command‑and‑control communication – all without dropping a single file to disk. This technical teardown dissects each stage, providing security professionals with a clear understanding of the attack mechanics and actionable mitigation strategies.

Learning Objectives:

• Understand the multi‑stage architecture of the Coruna exploit framework.
• Analyze the techniques used for in‑memory Mach‑O parsing and gadget scanning.
• Explore the method for bypassing Apple’s Pointer Authentication Codes (PAC).
• Learn how the JIT cage is escaped and fileless C2 communication is established.
• Identify detection and prevention measures against such in‑memory browser‑based attacks.

You Should Know:

1. Watering‑Hole Delivery and Initial Compromise

Coruna begins with a watering‑hole attack: an attacker compromises a website frequently visited by the target group and injects a malicious JavaScript payload. When the victim’s browser loads the page, the exploit chain is triggered. This initial payload is small and obfuscated, designed to fingerprint the system and load the next stage only if the conditions match (e.g., ARM64, specific OS versions).

Step‑by‑step guide (conceptual):

1. Identify target site – Use reconnaissance to find a site trusted by the intended victims.
2. Inject malicious script – Through SQL injection, XSS, or stolen credentials, embed a `
   Manage Consent

   To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.

   We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.

   Functional Functional Always active

   The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

   Preferences Preferences

   The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

   Statistics Statistics

   The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

   Marketing Marketing

   The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

   • Manage options
   • Manage services
   • Manage {vendor_count} vendors
   • Read more about these purposes

   Accept Deny View preferences Save preferences View preferences

   • {title}
   • {title}
   • {title}
   Manage consent