Cybersecurity researchers have uncovered a highly advanced hacking toolkit capable of silently infecting iPhones when users simply visit a malicious website. The toolkit, known as Coruna, has been observed in multiple cyber campaigns targeting victims in different regions, raising concerns about how sophisticated surveillance tools are spreading beyond their original operators.
Investigators say Coruna is particularly dangerous because it allows attackers to compromise devices with minimal user interaction. In many cases, victims only need to open a web page containing hidden exploit code for the attack to begin. Once triggered, the exploit chain can bypass several layers of iPhone security and install malware without any visible warning.
Security experts believe the toolkit may have moved through several different hands over time. Evidence suggests it may have first been used in targeted surveillance operations before eventually appearing in cybercrime campaigns aimed at stealing cryptocurrency. The shifting use of Coruna highlights a growing problem in cybersecurity: powerful digital espionage tools originally developed for intelligence purposes can eventually leak or be resold, making them accessible to criminal groups.
Researchers Identify a Complex Exploit Framework
A detailed investigation by researchers at Google revealed that Coruna is not a single exploit but a comprehensive toolkit designed specifically to break into iPhones. According to the analysis, the framework contains five separate exploit chains, each capable of bypassing important security protections built into Apple’s mobile devices.
In total, the toolkit exploits 23 vulnerabilities in Apple’s mobile operating system. The ability to combine so many vulnerabilities into a working attack platform is rare and usually requires significant financial resources and technical expertise.
The vulnerabilities exploited by Coruna are primarily linked to Apple’s web browsing engine. This means that the attack can be triggered when users visit a compromised website through the Safari browser.
Security analysts say that assembling a toolkit of this complexity typically requires a team of highly skilled developers and significant funding, suggesting the project may have originally been created by a state-backed group or a contractor working with government agencies.
Evidence of Multiple Campaigns Across Regions
Google’s research indicates that Coruna has been used in several distinct campaigns over the past year.
The earliest traces of the toolkit appeared in early 2025. At that time, researchers detected elements of the exploit being used by what was described as a client of a surveillance company. While the organization behind the operation was not publicly identified, the attack pattern resembled targeted monitoring activities often associated with government-backed intelligence operations.
Several months later, investigators discovered a more complete version of the toolkit embedded in websites based in Ukraine. In this campaign, attackers concealed the exploit code within visitor-tracking scripts commonly used to monitor website traffic.
Security analysts believe the operation was likely carried out by a Russian-linked espionage group seeking to monitor Ukrainian targets. The technique allowed attackers to compromise visitors to affected websites without raising suspicion.
Later discoveries revealed a very different use of the toolkit. Researchers found Coruna deployed on Chinese-language websites focused on cryptocurrency trading and online gambling. In these cases, the attackers used the exploit to infect visitors with malware designed to steal funds from cryptocurrency wallets.
The shift from intelligence gathering to financial theft illustrates how advanced cyber tools can move beyond their original purpose and become instruments for criminal profit.
Possible Connections to Earlier Spyware Operations
Security firm iVerify also analyzed parts of the Coruna toolkit and discovered similarities with a previous hacking campaign known as Operation Triangulation.
That earlier campaign was discovered in 2023 after targeting employees at the Russian cybersecurity company Kaspersky. The operation involved sophisticated iPhone exploits capable of infiltrating devices used by company staff.
Following the discovery of Operation Triangulation, Russian authorities publicly claimed that the attack had been carried out by the National Security Agency, although no official confirmation was provided by the United States.
Researchers studying Coruna noticed technical overlaps between the two toolsets. Some components appear to function in similar ways, leading to speculation that they may have originated from the same development effort or shared code base.
Analysts at iVerify say the structure of Coruna suggests a highly organized development process. The code appears polished and modular, indicating that it may have been designed as part of a larger, coordinated project rather than pieced together from unrelated exploits.
Concerns Over Leaked Cyber Weapons
The emergence of Coruna in criminal activity has sparked concerns about the security of advanced hacking tools.
Experts warn that if the toolkit was originally created for intelligence operations, its appearance in criminal campaigns could signal that it has leaked into the broader cyber underground.
This situation has drawn comparisons to EternalBlue, a powerful hacking tool that was stolen from the U.S. government and later used in global cyberattacks.
The leak of EternalBlue enabled large-scale incidents such as the WannaCry outbreak and the destructive NotPetya attack, both of which caused billions of dollars in damage worldwide.
Cybersecurity experts worry that Coruna could represent a similar situation for mobile devices if the toolkit continues to circulate among threat actors.
Another factor complicating the situation is the global marketplace for zero-day exploits—previously unknown software vulnerabilities that can be used to break into devices before developers release security patches. These vulnerabilities can command extremely high prices, sometimes reaching tens of millions of dollars.
Exploit brokers often buy such vulnerabilities from researchers and sell them to governments, intelligence agencies, or private clients. In some cases, the same exploit may be sold multiple times, increasing the risk that it eventually reaches malicious actors.
Tens of Thousands of Devices May Already Be Infected
Although many of the vulnerabilities used by Coruna have now been patched, researchers believe the toolkit may already have compromised a significant number of devices.
Data analyzed by iVerify indicates that roughly 42,000 iPhones may have been infected during the cryptocurrency-focused campaign alone. This estimate is based on network traffic connected to servers used to control the malware.
The malicious software deployed in those attacks was primarily designed to steal cryptocurrency stored in digital wallets. However, researchers say it also had the capability to collect personal information from infected devices, including photos and potentially email data.
The total number of victims could be higher when earlier espionage operations are taken into account, particularly those involving compromised Ukrainian websites.
Software Updates Provide Protection
Researchers note that the Coruna toolkit primarily targets older versions of Apple’s operating system, specifically versions ranging from iOS 13 to iOS 17.2.1.
Apple has since addressed many of the exploited vulnerabilities in newer updates, including iOS 26. Users who keep their devices updated are therefore far less likely to be affected by the known exploit chains.
The toolkit also appears to avoid attacking devices that have Apple’s Lockdown Mode enabled. This security feature was introduced to protect individuals who may face advanced digital surveillance, such as journalists, activists, and government officials.
Despite these protections, cybersecurity experts emphasize that many users continue to run outdated software, leaving them exposed to attacks that have already been patched.
