A sophisticated iPhone hacking toolkit, once believed to be exclusive to government actors, has resurfaced in the wild, now exploited by criminal groups to target vulnerable devices running outdated iOS versions. Known as Coruna, this multifaceted exploit kit combines numerous security flaws to bypass Apple’s protective layers, raising fresh concerns about how leaks of state-level cyber tools can rapidly empower malicious actors worldwide.

Researchers from Google’s Threat Intelligence Group and security firm iVerify have dissected Coruna, revealing it as a complex exploit framework that chains together multiple vulnerabilities (23 in total) across iOS versions 13 through 17.2.1. The kit operates by covertly fingerprinting a device’s configuration with hidden JavaScript when a user visits a compromised website, then selecting an exploit path suited to that configuration to escalate privileges and implant malware capable of downloading further payloads or extracting data.

One notable evasion feature of Coruna is its ability to detect whether an iPhone has Lockdown Mode enabled or whether the user is browsing in private mode; in either case, the attack deliberately aborts. Such tactics suggest a careful design to avoid detection and maximize the window of exploitation on less-secure devices.

From nation-state tools to cybercrime arsenals

The origins of Coruna appear linked to hacking frameworks developed or utilized by U.S. government agencies, as noted by iVerify’s reverse engineering efforts. However, unlike the tightly guarded tools used in official operations, Coruna seems to have leaked, falling into the hands of Russian- and Chinese-affiliated cybercriminal groups who have repurposed it for financially motivated campaigns.

This sudden democratization of a “government-grade” exploit kit underlines a dangerous trend: powerful surveillance and attack tools can escape secure channels and exacerbate cybercrime. The resulting attacks include “watering hole” strategies, in which criminals compromise popular websites (including fraudulent cryptocurrency services) to lure victims onto malicious pages.

The payloads delivered by Coruna often focus on siphoning cryptocurrency wallet information and recovery phrases, reflecting a clear shift toward monetizing these attacks rather than purely espionage motives.

Keeping pace is the best defense

Coruna specifically exploits unpatched vulnerabilities in older iOS releases, underscoring the importance of regular system updates. Apple’s patches already neutralize these attack vectors on newer versions, making timely software upgrades the frontline defense against such multifaceted exploits.
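The practical follow-up for anyone managing a fleet of iPhones is to find the devices still inside the affected version range. The following is an added example, not code from the article or from Google or iVerify: it parses a constructed MDM-style inventory export (device id and iOS version per line; the format and the sample devices are assumptions made for this example) and classifies each device against the range the article reports, iOS 13 through 17.2.1 inclusive. Devices below iOS 13 are flagged separately rather than marked safe, because the article only states the range the kit targets, not that older releases are unaffected.

```python
# Added example (not from the article): triage an MDM inventory export for
# devices whose iOS version falls inside the range the article reports as
# targeted by Coruna (iOS 13 through 17.2.1). The inventory format and the
# sample lines below are constructed for this example.
from typing import List, Tuple

AFFECTED_MIN = (13, 0, 0)   # lowest targeted major version per the article
AFFECTED_MAX = (17, 2, 1)   # last targeted release per the article


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major', 'major.minor' or 'major.minor.patch' into a 3-tuple.

    Missing components are treated as 0, so '17.2' sorts below '17.2.1'.
    Raises ValueError on anything that is not dotted decimal numbers.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Classify one iOS version string against the reported range.

    Returns one of:
      'affected'         - inside [13.0.0, 17.2.1]
      'above-range'      - newer than 17.2.1 (carries Apple's fixes per the article)
      'older-than-range' - below iOS 13; not in the reported range, but unsupported
      'unknown'          - version string could not be parsed
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v < AFFECTED_MIN:
        return "older-than-range"
    if v <= AFFECTED_MAX:
        return "affected"
    return "above-range"


# Constructed sample inventory: one device per line as 'device_id,os_version'.
SAMPLE_INVENTORY = """\
ipad-0041,12.5.7
iphone-1007,13.7
iphone-1023,17.2.1
iphone-1030,17.3
iphone-1041,16.7.10
iphone-1055,not-enrolled
"""


def triage_inventory(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (device_id, version, status) for every non-blank inventory line."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        device_id, _, version = line.partition(",")
        rows.append((device_id.strip(), version.strip(), classify(version)))
    return rows


def affected_devices(csv_text: str) -> List[str]:
    """Device ids that should be prioritised for an iOS update."""
    return [dev for dev, _, status in triage_inventory(csv_text) if status == "affected"]


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("%-14s %-12s %s" % row)
    print("update first:", ", ".join(affected_devices(SAMPLE_INVENTORY)))
```

The version comparison is done on integer tuples rather than strings so that 16.7.10 is correctly ordered above 16.7.9 and 17.2 below 17.2.1; a string comparison would get both wrong. Unparseable entries are surfaced as "unknown" rather than silently skipped, since a device whose OS version the MDM cannot report is itself worth a look.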

But the bigger issue remains: state-created cyber tools leaking into criminal hands distort the threat landscape and raise the stakes for individuals and organizations alike. Such leaks reveal the risks in developing offensive cybersecurity capabilities and highlight why transparency, responsibility, and robust security protocols within governments are essential to prevent empowering malign actors.

With Coruna now part of the cybercrime toolkit, it remains to be seen how Apple and security stakeholders will respond, both in bolstering technical defenses and mitigating the fallout of weaponized software leaks.

Source: 9to5mac
