A newly uncovered hacking framework is highlighting the dangers of ignoring iPhone software updates. Google Threat Intelligence Group (GTIG) on Wednesday detailed a toolkit called 'Coruna' that exploits almost two dozen weaknesses in the iOS operating system to gain access to vulnerable devices.
“Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named ‘Coruna' by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” GTIG said in a blog post.
According to Google, parts of Coruna resemble hacking methods first identified in February 2025. Those techniques were then attributed to an unnamed “customer of a surveillance company”.
Roughly five months later, a more sophisticated iteration appeared in what investigators believe was an espionage campaign linked to a suspected Russian intelligence group. The attackers embedded the code within a standard visitor-counting feature on Ukrainian websites.
Also Read: Apple Raises Computer Prices With New MacBook Pro And Air Lines
More recently, the same toolkit has been tied to a separate campaign aimed at financial gain, infecting Chinese-language crypto and online gambling pages with malware capable of stealing users' cryptocurrency.
WIRED highlighted that Google's report does not identify the surveillance firm that deployed Coruna.
However, mobile security company iVerify, which examined a version of the toolkit retrieved from one of the compromised Chinese websites, suggests the software may have originally been developed for, or acquired by, the US government.
“It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," iVerify's cofounder Rocky Cole told WIRED.
“This is the first example we've seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups,” he added.
Regardless of where Coruna was first developed, analysts at Google caution that the powerful toolkit has likely moved through a chain of unusual operators before surfacing in the wider hacking ecosystem. Now that it is circulating freely, it could be reused or reworked by groups aiming to compromise iPhones.
“How this proliferation occurred is unclear, but suggests an active market for ‘second hand' zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities,” the GTIG said.
Researchers at Google say the security flaws exploited by the Coruna toolkit have already been fixed in iOS 26, the latest version of Apple's mobile operating system. As a result, the techniques are only known to work on devices running versions between iOS 13 and iOS 17.2.1.
The exploits focus on weaknesses in Apple's WebKit browser engine, meaning users of Safari on older iPhones could be at risk. The toolkit contains no verified methods for compromising users of Google Chrome. The researchers also found that Coruna checks whether Apple's high-security feature, Lockdown Mode, is active on a device and avoids attempting an intrusion if the setting is enabled.
Also Read: Apple Has Just Made It Easier For Indians To Afford A MacBook
Essential Business Intelligence, Continuous LIVE TV, Sharp Market Insights, Practical Personal Finance Advice and Latest Stories — On NDTV Profit.