In brief
- Google has identified a sophisticated iOS exploit kit called Coruna containing 23 exploits.
- The toolkit was used by suspected Russian spies and Chinese crypto scammers.
- Security firm iVerify says clues in the code suggest it may have originated from a U.S. intelligence contractor.
Google’s Threat Intelligence Group (GTIG) has uncovered a powerful iPhone hacking toolkit capable of infecting devices when a user visits a malicious website, meaning malware can be transferred without anything being clicked on by the target.
The framework, dubbed “Coruna,” includes five full iOS exploit chains and 23 vulnerabilities targeting iPhones running iOS 13 through 17.2.1. Researchers said some of the exploits rely on previously unseen techniques to bypass Apple’s security protections.
Coruna exploit kit is targeting iOS.
Coruna leverages 23 exploits against Apple devices running iOS 13-17.2.1. It is being used for espionage, and by financially motivated actors to steal crypto.
Update your iOS devices, and learn more about this threat: https://t.co/c7QRDPWMKI pic.twitter.com/l8rK9ZOLsw
— Mandiant (part of Google Cloud) (@Mandiant) March 3, 2026
GTIG first identified parts of the toolkit in early 2025 in an exploit chain used by a customer of an unnamed commercial surveillance vendor. The code used a JavaScript framework that fingerprinted devices to determine the iPhone model and operating system version before delivering a tailored exploit.
The same framework later appeared on compromised Ukrainian websites in mid‑2025. Google attributed that campaign to UNC6353, a suspected Russian espionage group, which used hidden iframes to selectively target visiting iPhone users.
Later in the year, researchers discovered the toolkit again on hundreds of Chinese‑language websites tied to cryptocurrency and finance scams. Those sites attempted to lure victims to visit using iOS devices before injecting the exploit kit.
The report said vulnerabilities used by Coruna have since been patched in newer versions of Apple’s mobile operating system and urged users to update their devices. The exploit kit does not work against the latest versions of iOS.
Possible U.S. origins
While GITG’s report does not identify the original surveillance vendor customer or who may have developed the kit, researchers for mobile security firm iVerify researchers said elements of the code suggest possible U.S. origins.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,” iVerify co-founder Rocky Cole told WIRED. He added that it was the first example uncovered by the firm of “very likely U.S. government tools” being adopted by adversaries and cybercriminal groups after “spinning out of control.”
iVerify estimated roughly 42,000 devices in just one campaign were compromised after analyzing traffic to command‑and‑control servers linked to Chinese‑language scam websites distributing the exploits.
The toolkit targets vulnerabilities in Apple’s WebKit browser engine and includes a loader that deploys different exploit chains depending on the device model and operating system version. Payloads are encrypted, compressed and delivered in a custom file format designed to evade detection.
“iPhone users are strongly urged to update their devices to the latest version of iOS,” GTIG said, adding that Apple’s Lockdown Mode can provide additional protection if updating is not possible.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
