iPhone Hacking Tool Leaks Online — Update Your Device and Enable Lockdown Mode

A powerful iPhone hacking toolkit—believed to have originally been developed for U.S. government use—has leaked online and is now being used by Russian intelligence and cybercriminal groups.

Security researchers from Google and iVerify recently analyzed a sophisticated exploit framework known as Coruna.

What Coruna Is

Coruna is an extremely advanced iPhone exploitation toolkit containing five full attack chains that rely on 23 different iOS vulnerabilities.

The exploits allow attackers to silently install malware on a device if a user simply visits a compromised website.
Most of the attacks occur through the Safari browser, primarily by exploiting vulnerabilities in WebKit.

Why This Is a Big Deal

Researchers highlight several alarming aspects of this campaign:

This is the first known case where such a powerful iPhone exploitation toolkit is being used in a large-scale criminal campaign, rather than in targeted government surveillance.

Coruna has infected tens of thousands of devices, and the campaign may still be ongoing.

The toolkit checks whether Apple’s Lockdown Mode is enabled — if it is, the attack does not proceed.

The vulnerabilities were only patched in iOS 26. The toolkit worked against devices running iOS 13 through iOS 17.2.1.

Where It Likely Came From

According to iVerify, Coruna was likely developed by contractors working for U.S. intelligence agencies.

Researchers point to several clues:

the codebase is written in English and follows development patterns common in Western security tooling;

parts of the code overlap with techniques used in Operation Triangulation, an attack campaign that Russian officials previously blamed on the National Security Agency.

How the Toolkit Spread

Researchers believe the timeline looked roughly like this:

The toolkit was initially used by a customer of a commercial spyware vendor.

It leaked online.

It later ended up in the hands of Russian intelligence, which used it against Ukrainian targets by hiding the exploit code inside website analytics scripts on Ukrainian sites.

Eventually, cybercriminal groups obtained the toolkit.

Those groups modified the exploits to target visitors of Chinese-language cryptocurrency and gambling websites, stealing cryptocurrency wallets, email accounts, photos, and other sensitive data.

A Warning About the Exploit Market

Researchers at Google say the case shows how expensive zero-day exploits—often costing millions of dollars to develop—can leak into secondary markets.

Once that happens, the tools spread quickly and end up being used by nation-state actors, rival intelligence services, and ordinary criminal gangs alike.

What Users Should Do

Researchers recommend two immediate steps:

1. Update your iPhone to the latest iOS version

The vulnerabilities used by Coruna have only been fixed in recent updates.

2. Enable Lockdown Mode

Lockdown Mode is designed to protect high-risk users from advanced cyberattacks.

How to enable it

iPhone / iPad

Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode

Mac

System Settings → Privacy & Security → Lockdown Mode → Turn On

The device will ask for your passcode and then restart.

An interesting side note: in early 2026, Lockdown Mode reportedly prevented the Federal Bureau of Investigation from extracting data from the iPhone of a journalist at The Washington Post, because the mode blocked the forensic tools investigators attempted to use.

In short: a highly sophisticated hacking toolkit—likely created for intelligence operations—has escaped controlled use and is now circulating in the wild, infecting ordinary users through everyday websites.

Updating iOS and enabling Lockdown Mode is currently the simplest way to protect your device. 🔐📱
