A powerful iPhone hacking toolkit containing 23 exploits across five full attack chains has spread from a suspected U.S. government origin to Russian state hackers and Chinese cybercriminals over the past year, according to research published by Google Threat Intelligence Group.
The toolkit, internally named Coruna, represents the first documented mass-scale exploitation campaign against iOS devices. iVerify chief product officer Spencer Parker said the attacks have compromised at least 42,000 iPhones. Co-founder Rocky Cole compared the proliferation to “an EternalBlue moment,” referencing the National Security Agency (NSA) exploit that escaped U.S. control and powered the global WannaCry ransomware attacks in 2017.
Google first captured parts of the exploit kit in February 2025 during an attack by a customer of a commercial surveillance vendor. By summer 2025, the same framework appeared in watering hole attacks targeting Ukrainian sites. In a watering hole attack, hackers compromise legitimate websites to infect visitors. Google attributed that campaign to suspected Russian espionage group UNC6353.
By December, a financially motivated Chinese threat actor tracked as UNC6691 deployed the kit across fake cryptocurrency exchange websites with no geographic targeting restrictions.
The kit targets iPhones running iOS versions 13 through 17.2.1. Any user visiting a compromised website on a vulnerable device could be infected.
According to CyberScoop, iVerify assessed that the exploit kit bears hallmarks of U.S. government development. Cole said the code was “elegantly written” with comments from native English speakers that reflected U.S. defense industry culture.
Several Coruna vulnerabilities overlap with those used in Operation Triangulation, a 2023 campaign that Russian cybersecurity firm Kaspersky discovered targeting its own employees. Russia’s Federal Security Service attributed that operation to the NSA at the time.
Google stated the proliferation “suggests an active market for ‘second hand’ zero-day exploits.”
Apple collaborated with Google on the research. Users running current iOS versions are protected. Google recommends enabling Lockdown Mode, an Apple security feature that restricts device functionality to block sophisticated attacks, on devices that cannot be updated.






