Google’s Threat Intelligence Group has uncovered a new iPhone exploit toolkit, a bundle of exploits used to deliver malware to targeted devices. Dubbed "Coruna," the kit appears to have started out with a customer of a commercial surveillance vendor, was later used by a suspected Russian espionage group against Ukrainian websites, and finally ended up in the hands of cybercriminals running cryptocurrency scams aimed at Chinese-speaking users.
In a detailed report, Google described Coruna as a powerful toolkit capable of hijacking “iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023)”. It does so by chaining together 23 separate vulnerabilities into five complete exploit chains, which puts it in the class of industrial-grade hacking infrastructure rather than a one-off exploit.
Google says it first spotted pieces of Coruna in early 2025 when a customer of a surveillance company used it to target a device with spyware. Months later, the same framework surfaced in a watering hole attack attributed to a suspected Russian espionage group targeting Ukrainian websites.
By the end of the year, researchers found the full toolkit embedded in fake Chinese-language cryptocurrency and gambling sites, this time stealing digital wallets and sensitive data for profit.
“How this proliferation occurred is unclear but suggests an active market for ‘second-hand' zero-day exploits,” Google wrote in its report.
What Coruna Does
At its core, Coruna is designed to silently take control of vulnerable iPhones. Once triggered, it can bypass built-in protections, gain deep system access, and install malicious payloads without the user noticing.
In the financially motivated campaign uncovered later, the final malware focused on stealing cryptocurrency. It scanned images for QR codes, searched text for crypto seed phrases or keywords such as “backup phrase,” and sent that information to remote command-and-control (C2) servers. In some cases, it also accessed emails and other sensitive data.
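To make the “searched text for crypto seed phrases or keywords” step concrete, here is an added example (not code from the Coruna kit, Google's report, or iVerify) of the text-side logic such a stealer, or a DLP rule looking for the same material, would implement. It covers only the text pass, not the QR-code image scan. The BIP39 wordlist is a constructed subset so the script runs offline; the trigger keywords other than “backup phrase” are assumptions, and the BIP39 checksum is deliberately not verified.

```python
import re

# Constructed subset of the 2048-word BIP39 English wordlist, embedded so the
# example runs offline. A real scanner loads the full list (bip39/english.txt),
# every entry of which is 3-8 lowercase letters.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident acid acoustic acquire across act action actor actress actual
adapt add addict address adjust admit adult advance advice aerobic affair
""".split())

# Trigger phrases. "backup phrase" is the one Google's report names; the rest
# are common wallet UI wording and are assumptions for this example.
KEYWORDS = ("backup phrase", "seed phrase", "recovery phrase", "mnemonic")

# Mnemonic lengths BIP39 allows (128..256 bits of entropy in 32-bit steps).
VALID_LENGTHS = frozenset({12, 15, 18, 21, 24})

TOKEN_RE = re.compile(r"[A-Za-z]+")


def find_keywords(text):
    """Case-insensitive keyword hits: the cheap first pass a stealer runs."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def find_mnemonics(text, wordlist=BIP39_SAMPLE):
    """Return each maximal run of consecutive wordlist words whose length is a
    valid BIP39 mnemonic length. Punctuation and digits between words are
    ignored by the tokenizer; any token outside the wordlist ends the run.
    A 13-word run is not reported, because no BIP39 mnemonic has 13 words."""
    hits = []
    run = []
    for token in TOKEN_RE.findall(text) + [""]:  # "" sentinel flushes the last run
        word = token.lower()
        if word in wordlist:
            run.append(word)
            continue
        if len(run) in VALID_LENGTHS:
            hits.append(" ".join(run))
        run = []
    return hits


def scan(text, wordlist=BIP39_SAMPLE):
    """Both passes together, reported separately so a keyword hit without a
    mnemonic (or the reverse) is still visible to whoever triages the result."""
    return {"keywords": find_keywords(text),
            "mnemonics": find_mnemonics(text, wordlist)}


# Constructed sample inputs standing in for a victim's notes or clipboard.
NOTE_WITH_SEED = (
    "Backup phrase for the cold wallet, written down 2023-11-04:\n"
    "abandon ability able about above absent absorb abstract absurd abuse access accident"
)
BENIGN = "Please add the acid test results to the advance report and admit the actor."
THIRTEEN_WORDS = (
    "abandon ability able about above absent absorb abstract absurd abuse access accident acid"
)

if __name__ == "__main__":
    for label, sample in (("note", NOTE_WITH_SEED), ("benign", BENIGN), ("13 words", THIRTEEN_WORDS)):
        print(label, scan(sample))
```

The wordlist filter is what keeps ordinary prose from matching: a sentence full of short English words breaks the run at the first non-BIP39 token. A stricter second pass would verify the BIP39 checksum before exfiltrating or alerting, which needs the full wordlist and SHA-256.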
Mobile security firm iVerify estimates that the for-profit campaign alone may have compromised roughly 42,000 devices, based on traffic to the attackers’ servers.
How does the Coruna exploit toolkit work?
Coruna is delivered through what’s known as a watering hole attack: a user simply visits a compromised or fake website, and hidden code attempts to exploit the device automatically, with no download prompt or visible warning.
The toolkit chains together 23 vulnerabilities across iOS versions 13.0 through 17.2.1. Each flaw in a chain defeats one layer of Apple’s defences, so linking them lets the kit go from a web page to deep system access and a persistent payload.
The kit checks whether a device has Lockdown Mode enabled and backs off if it does. It encrypts payloads with unique keys, compresses modules, disguises them as JavaScript files, and uses custom loaders to inject malware deep into the system. According to Google, the “framework surrounding the exploit kit is extremely well engineered.”
When iVerify reverse-engineered the version found on Chinese scam sites, it noticed something striking. The crypto-stealing malware layered on top looked sloppy. The underlying exploit framework did not.
“My God, these things are very professionally written,” said Spencer Parker, iVerify’s chief product officer. “It looks like it was written as a whole. It doesn’t look like it was pieced together.”
Where did the Coruna exploit toolkit come from?
Who built Coruna remains unclear. Google stopped short of naming the original surveillance customer. However, iVerify’s analysis suggests the code may share similarities with tools previously linked to the U.S. government, including components seen in a campaign known as Operation Triangulation. In 2023, Russian cybersecurity firm Kaspersky claimed that an exploit toolkit targeted its employees’ iPhones and blamed the U.S. government. Washington never confirmed that accusation.
Rocky Cole, cofounder of iVerify and a former NSA employee, put it bluntly: “This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.”
If that assessment holds, Coruna would join an uncomfortable lineage. In 2017, a Windows exploit known as EternalBlue leaked from the U.S. National Security Agency and was later used in global ransomware attacks, including WannaCry and NotPetya. Cole described Coruna as “the EternalBlue moment for mobile malware.”
Google warned that “multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”
How do you protect yourself from the Coruna exploit toolkit?
The most important step is updating your device. Google noted that Coruna is not effective against the latest versions of iOS; its chains target iOS 13.0 through 17.2.1, so devices still running those releases are the primary risk group. Check the installed version under Settings > General > About and update under Settings > General > Software Update.
Enabling Lockdown Mode (Settings > Privacy & Security > Lockdown Mode) provides an additional layer of protection, especially for users who may face higher targeting risks, such as journalists, activists, or executives. Google found that the kit checks for Lockdown Mode and backs off when it is enabled.
Also be cautious about visiting unfamiliar links, particularly those related to cryptocurrency platforms, gambling sites, or unsolicited financial offers. Even legitimate-looking websites can be compromised.
Finally, reviewing device settings regularly and enabling automatic updates shortens the gap between Apple shipping a fix and the device installing it. A patch cannot stop a true zero-day, but once the underlying bugs are fixed, that gap is exactly the window a kit like Coruna keeps exploiting. Coruna’s spread shows how quickly powerful tools can change hands. Staying current with patches remains one of the simplest and most effective defenses.
