Risky Business Features

A ridiculously deep dive into the Coruna Exploits

Mar 11, 2026
A solo deep dive tracing an exploit kit from watering-hole JavaScript to full device compromise. Technical breakdowns cover WebKit exploit paths, JIT and type confusion tricks, and intricate heap grooming. Detailed chain shows read/write primitives, PAC and ASLR workarounds, WebAssembly trampolines, sandbox escapes, kernel escalation, and persistence techniques used to deploy crypto-stealing implants.

One Click JavaScript Starts The Chain

  • The Coruna chain starts as one-click JavaScript on a watering-hole page that fingerprints the device and checks for Lockdown Mode before choosing payloads.
  • It detects lockdown mode via IndexedDB and MathML behavior differences to decide whether to proceed.

Three Elegant WebKit Break Techniques

  • WebKit exploitation uses three browser break methods: type confusion, JIT/DFG structure check elimination, and an iOS-specific asynchronous heap/engine combo.
  • The DFG hack pads dataflow graphs with dead loops to trigger the JIT to remove structure checks, enabling object shape swaps.

Canaries And Audio Overflow To Gain Arbitrary R/W

  • A novel iOS path combines 7,000 Intl.NumberFormat objects, OfflineAudioContext heap overflow, and SVG feConvolve to get arbitrary read/write.
  • NumberFormat objects act as predictable canaries to locate heap corruptions produced by audio decode overflows.