A sophisticated toolkit capable of silently breaking into iPhones has migrated from the hands of a government-linked surveillance vendor to those of criminal hackers, security researchers warned this week – raising fresh alarms about the uncontrolled spread of state-level hacking capabilities into the broader criminal ecosystem.
The exploit kit, named Coruna, was publicly documented for the first time by Google’s Threat Intelligence Group (GTIG), which described it as one of the most technically advanced iOS attack frameworks ever identified in the wild.
What is Coruna and what can it do?
Google identified Coruna as a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 – released in September 2019 – up to version 17.2.1, released in December 2023. The exploit kit contained five full iOS exploit chains and a total of 23 individual exploits.
Google said the hacking tools are powerful, as they can breach an iPhone’s defences simply through a user visiting a malicious website – a technique known as a “watering hole” attack – without any further interaction from the victim.
The core technical value of the kit lies in its comprehensive collection of iOS exploits, with the most advanced ones deploying non-public exploitation techniques and mitigation bypasses. The kit’s framework is, according to Google researchers, extremely well-engineered – capable of detecting the exact iPhone model and iOS version of a target device before selecting the most effective attack chain.
Critically, the kit also bails out if a device is in Lockdown Mode, indicating its developers were aware of – and designed around – Apple’s most stringent security feature.
Coruna’s trails: From spyware vendor to Russian spies to Chinese scammers
The trail of Coruna’s use tells a troubling story about how elite hacking tools circulate beyond their original buyers.
In February 2025, Google captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework using unique obfuscation techniques.
In the summer of 2025, the same JavaScript framework was found hosted on a domain loaded as a hidden iFrame on many compromised Ukrainian websites – ranging from industrial equipment and retail tools to local services and e-commerce sites. The framework was delivered only to selected iPhone users from a specific geolocation. Google attributed this campaign to UNC6353, a suspected Russian espionage group.
By the end of the year, the framework was identified on a very large set of fake Chinese websites, mostly related to finance, deploying the exact same iOS exploit kit. The websites tried to convince users to visit them with iOS devices. This phase was attributed to UNC6691, a financially motivated threat actor operating from China.
It’s unclear how the tools leaked or proliferated, but Google security researchers warned of an emerging market for “secondhand” exploits, in which tools are resold to financially motivated hackers who extract further value from them.
Cryptocurrency wallets in the crosshairs
Unlike government spyware campaigns that typically seek communications or intelligence, the criminal deployment of Coruna had a direct financial motive.
The injected payload doesn’t exhibit the usual capabilities seen from a surveillance vendor but instead steals financial information. It can decode QR codes from images on disk and has a module to analyze blobs of text to look for cryptocurrency recovery phrases or keywords such as “backup phrase” or “bank account.” If such text is found in Apple Memos, it is sent back to the attacker’s server.
The payload was found to target at least 18 popular cryptocurrency wallet and exchange applications, including MetaMask, Trust Wallet, Exodus, Phantom, and Uniswap. All identified modules contained logging written in Chinese, with some comments including emojis and phrasing suggesting they may have been LLM-generated.
What iPhone users should do now
The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices immediately. Where updating is not possible, enabling Lockdown Mode is recommended for enhanced security.
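As an added example (not code from the article or from Google’s report), the iOS range the report documents (13.0 through 17.2.1) and the Lockdown Mode advice above can be turned into a fleet triage over an MDM-style inventory; the device records and field names below are constructed assumptions.

```python
# Added example (not code from Google's report): triage an MDM-style inventory
# of iPhones against the iOS range the Coruna kit is documented to cover
# (13.0 through 17.2.1). Records below are constructed; field names are assumptions.
from dataclasses import dataclass

CORUNA_MIN = (13, 0, 0)   # bounds as stated in the disclosure summarised above
CORUNA_MAX = (17, 2, 1)

def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2' or '17.2.1' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def in_coruna_range(version: str) -> bool:
    """True if the build falls inside the kit's documented 13.0 .. 17.2.1 window."""
    return CORUNA_MIN <= parse_ios_version(version) <= CORUNA_MAX

@dataclass
class Device:
    name: str
    ios_version: str
    lockdown_mode: bool   # hypothetical field; real MDMs report this differently

def classify(dev: Device) -> str:
    """'update' = in range with no mitigation; 'mitigated' = in range but
    Lockdown Mode on (the kit bails out); 'ok' = outside the documented range."""
    if not in_coruna_range(dev.ios_version):
        return "ok"
    return "mitigated" if dev.lockdown_mode else "update"

def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Group device names by bucket; the 'update' list is the push-now set."""
    buckets: dict[str, list[str]] = {"update": [], "mitigated": [], "ok": []}
    for dev in devices:
        buckets[classify(dev)].append(dev.name)
    return buckets

SAMPLE_INVENTORY = [   # constructed sample inventory
    Device("cfo-iphone", "16.7.2", False),
    Device("sales-03", "17.2.1", True),
    Device("sales-04", "17.3", False),
    Device("legacy-kiosk", "12.5.7", False),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```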
Google has added all identified websites and domains to Safe Browsing to safeguard users from further exploitation.
The company said its investigation is ongoing and that it anticipates publishing additional technical details in subsequent reports.