A shadowy hacking tool shows why skipping iPhone updates can be a dangerous gamble. On Tuesday, security researchers disclosed “Coruna,” a software kit that leverages nearly two dozen iOS exploits to hack vulnerable iPhones.
The Coruna exploit kit uses 23 hacking techniques to remotely target iPhones, according to Google’s Threat Intelligence Group. Most recently, the exploit kit was running on a large set of fake Chinese websites, attempting to attack any iPhones that loaded up the pages, regardless of location.
Collectively, Coruna taps into “five full iOS exploit chains” from the 23 hacking techniques. The good news is that Coruna can only exploit previously patched vulnerabilities in iOS 13.0 through iOS 17.2.1, which arrived in December 2023. The Apple operating system is now on iOS 26.
Interestingly, Google first spotted an unnamed “customer of a surveillance vendor” using Coruna in February 2025, suggesting a government buyer of spyware was involved.
Then, in July, Google discovered a suspected Russian espionage group hosting the exploit kit on compromised Ukrainian websites. “The framework was identical and delivered the same set of exploits,” but did so only for select iPhone users from a specific geolocation, Google said.
In December, Coruna was spotted again, but this time for cybercrime. A financially motivated Chinese hacking group was using it on websites, including those for fake cryptocurrency exchanges. Except this time, the exploit kit was deployed against iOS users indiscriminately. A pop-up on the websites would even recommend users visit the page using iOS.
The findings suggest the scary likelihood that a well-funded spyware vendor developed Coruna and sold it off, leading to its proliferation. Google adds that Coruna has even been using some “non-public exploitation techniques and mitigation bypasses” when it targets vulnerable iPhones. The company says its analysis remains ongoing, so 11 of the exploits have yet to receive an official CVE ID number. In addition, Google doesn’t know if five of the non-public exploits have been patched, although the attacks were designed to target older versions of iOS.
Coruna’s ultimate goal is to secretly deliver a program dubbed “PlasmaLoader,” which is designed to run in the background, but has root access to iOS. Google recovered the payload from the fake Chinese websites running Coruna and found PlasmaLoader can run additional modules and look for and collect snippets of text from an infected iPhone, likely to steal financial information.
Security vendor iVerify also tracked the Coruna kit to a Chinese web domain two weeks ago, and found it could enable attacks requiring only one tap from the user. The exploit kit was also designed to target vulnerabilities in Apple’s Safari browser.
“Anyone who would have gone to the website with a vulnerable iOS version could get infected. This is not typical for targeted attacks used by nation-states, but rather e-criminal groups. We were able to reinfect our devices multiple times,” the company’s report added.
iVerify also told Wired that there are clues in Coruna’s computer code suggesting the US government may have once been involved in developing the exploit kit. It’s also possible that Coruna successfully infected tens of thousands of Chinese users since an estimated 5% of iPhone users are still running older, vulnerable versions of iOS. (That said, Android phones have long dominated the Chinese market.)
Apple didn’t immediately respond to a request for comment. In the meantime, Google emphasized: “The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS.”
If you can’t update to the newest iOS, Google advises activating Lockdown Mode, which Apple introduced in 2022 to protect iPhone users from spyware threats.
