Coruna iOS Exploit Kit: Leaked Government iPhone Hacking Tools Now in Criminal Hands
Security researchers reveal Coruna, a powerful iOS exploit kit with 23 vulnerabilities, likely leaked from U.S. government sources and now used by cybercriminals.
Security researchers have identified a suite of powerful hacking tools capable of compromising iPhones running older software that they say has passed from a government customer into the hands of cybercriminals.
Google said Tuesday that it first identified the exploit kit, dubbed Coruna, in February 2025 during a surveillance vendor’s attempt to hack into someone’s phone with spyware on behalf of a government customer. It found the same exploit kit months later targeting Ukrainian users in a broad-scale campaign by a Russian espionage group, and then later found it used by a financially motivated hacker in China.
It’s unclear how the tools leaked or proliferated, but Google security researchers warned of an emerging market for “secondhand” exploits, which are sold to hackers motivated by money to extract more value out of the exploit.
The discovery also shows how exploits and back doors designed to be used by governments can leak and ultimately be abused by cybercriminals or other non-state actors. Mobile security company iVerify obtained and reverse-engineered the hacking tools, saying in a blog post that it linked the Coruna exploit kit to the U.S. government, based on similarities to hacking tools previously attributed to the United States.
“The more widespread the use, the more certain a leak will occur,” said iVerify. “While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”
Google said the hacking tools are powerful, as they can bypass an iPhone’s defenses simply through visiting a malicious website containing the exploit code — such as being sent a malicious link — in what is known as a “watering hole” attack. According to Google, the Coruna kit can hack into an iPhone five separate ways by relying on and chaining together 23 separate vulnerabilities in its digital arsenal. Affected devices range from iPhone models running iOS 13 up to 17.2.1, which released in December 2023.
According to Wired, which first reported the news, the Coruna kit contains components that were previously used in a hacking campaign dubbed Operation Triangulation. Russian cybersecurity firm Kaspersky claimed in 2023 that the U.S. government tried to hack several iPhones belonging to its employees.
Key Takeaways
- Exploit Kit Name: Coruna
- Target: iPhones running iOS 13.0 through 17.2.1
- Attack Vector: Watering hole attacks via malicious websites
- Vulnerabilities Chained: 23 distinct exploits across 5 full exploitation chains
- Attribution: Likely originated from U.S. government contractor; later used by Russian espionage group UNC6353 and financially motivated actor UNC6691
- Mitigation: Update to latest iOS version; enable Lockdown Mode if update not possible
Recommended Actions for Users
- Update your iPhone to the latest version of iOS immediately
- Enable Lockdown Mode in Settings > Privacy & Security if you are at elevated risk
- Avoid clicking suspicious links, especially from unknown senders
- Monitor for unusual device behavior or unexpected battery drain