The most sophisticated iPhone hacking toolkit ever documented in the wild has been traveling through the underworld of cyberwarfare for over a year - moving from what appears to be US government intelligence infrastructure, into the hands of Russian state-sponsored hackers running espionage operations against Ukrainians, before finally turning up on Chinese scam websites stealing cryptocurrency from ordinary people.

Google's Threat Intelligence Group (GTIG) published a landmark report on March 3, 2026, naming the toolkit "Coruna" - the codename its developers gave it internally. What the researchers found was a modular, professionally engineered exploit framework containing five complete iPhone exploitation chains and 23 separate vulnerabilities targeting every major version of iOS from 2019 through late 2023.

The report is remarkable not just for its technical detail, but for what it implies about how government-grade cyberweapons move once they leave controlled hands. Rocky Cole, co-founder of mobile security firm iVerify, called it immediately: "This is the EternalBlue moment for mobile malware."

The comparison carries weight. EternalBlue was an NSA-developed Windows exploit leaked by the Shadow Brokers in 2017 that subsequently powered two of the most destructive cyberattacks in history - North Korea's WannaCry ransomware and Russia's NotPetya, which caused an estimated $10 billion in global damage. The difference now is that instead of Windows servers and corporate networks, the target platform is the smartphone in your pocket.


Every iOS device running version 13 through 17.2.1 was potentially vulnerable to Coruna. Apple patched the known vulnerabilities in iOS 26. Photo: Unsplash

What Coruna Actually Is

The name "Coruna" was accidentally revealed when Google researchers found a debug version of the toolkit on one of the infected Chinese cryptocurrency scam sites - the developers had left in the internal codenames, a rare operational security failure that handed researchers a crucial piece of attribution data.

Strip away the context and Coruna is a masterclass in software engineering. The framework is modular, heavily obfuscated, and built around a fingerprinting system that identifies exactly which iPhone model and iOS version a visitor is running before selecting the appropriate exploit chain. It checks for Apple's Lockdown Mode security setting - and immediately backs off if it's enabled, avoiding any attempt that might fail noisily.

The infection vector is a technique known as a "watering hole attack." Rather than targeting individuals directly, the attacker compromises a website the target is likely to visit - a news site, a crypto exchange, a community forum - and injects hidden code that silently runs when someone visits on a vulnerable iPhone. No clicking a malicious link. No downloading a suspicious file. Just visiting an ordinary website is enough.

At the core of Coruna's power is its exploit collection. The five complete exploitation chains cover nearly every version of iOS released over a four-year window, with the exploit components given internal codenames that suggest a single, consistent development team:

| Codename | Type | iOS Versions Targeted | CVE |
|---|---|---|---|
| buffout | WebKit RCE | 13.0 - 15.1.1 | CVE-2021-30952 |
| jacurutu | WebKit RCE | 15.2 - 15.5 | CVE-2022-48503 |
| bluebird | WebKit RCE | 15.6 - 16.1.2 | Unpublished |
| terrorbird | WebKit RCE | 16.2 - 16.5.1 | CVE-2023-43000 |
| cassowary | WebKit RCE | 16.6 - 17.2.1 | CVE-2024-23222 |
| breezy / breezy15 | PAC Bypass | 13.0 - 16.2 | Unpublished |
| IronLoader | Sandbox Escape | 16.0 - 16.3.1 | CVE-2023-32409 |
| NeuronLoader | Sandbox Escape | 16.4 - 16.6.1 | Unpublished |
| Neutron / Dynamo | Privilege Escalation | 13.x | CVE-2020-27932/27950 |

Several of Coruna's components exploit vulnerabilities that have no public CVE - meaning they were either never publicly reported or were privately patched without attribution to any external researcher. Google noted that Apple quietly fixed CVE-2024-23222 in iOS 17.3 in January 2024 "without crediting any external researchers" - a subtle indicator that Apple may have received a private tip, possibly from within the intelligence community.

The toolkit also uses sophisticated anti-detection techniques. Binary payloads are encrypted with the ChaCha20 stream cipher using a unique key per payload, compressed with the Lempel-Ziv-Welch algorithm, and delivered via URLs ending in ".min.js" to blend into normal web traffic. Resources are identified by SHA-256 hashes derived from a hard-coded cookie, making the server-side architecture harder to enumerate.

"My God, these things are very professionally written. The framework holds together as a cohesive piece of engineering - the exploit pieces are connected naturally and combined using common utility frameworks. This took millions of dollars to develop." - Spencer Parker, Chief Product Officer, iVerify

Three Owners: Government, Spies, Criminals

Google's tracking of Coruna across 2025 paints a disturbing picture of how state-level cyberweapons migrate through the international threat landscape.

The story begins in February 2025, when Google's security researchers captured parts of an iOS exploit chain being used by "a customer of a surveillance company." This is intelligence community language for a known pattern: commercial surveillance vendors like NSO Group (creators of Pegasus) sell their tools to government clients. The customer here - unnamed in Google's report - deployed the exploit in what appeared to be targeted operations.

By summer 2025, the same JavaScript framework reappeared - this time running on a domain called cdn.uacounter[.]com, loaded as a hidden iFrame embedded in compromised Ukrainian websites. The targets ranged from industrial equipment vendors to local retail services and ecommerce sites. The code was configured to deliver payloads only to iPhone users visiting from specific Ukrainian geolocations, strongly suggesting a state-sponsored surveillance operation rather than mass exploitation.
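The hidden-iframe injection described above is something a site owner or incident responder can check for directly. The following is an added triage helper, not code from Google's or iVerify's tooling: it parses a page's HTML and flags iframes that point at the indicator domain named in the reporting (cdn.uacounter[.]com), that are visually hidden, or that frame a ".min.js" resource. The sample HTML is constructed for this example.

```python
"""Audit a web page's HTML for injected hidden iframes of the kind seen in the
Coruna watering-hole phase.  Added example for defenders, not part of any
vendor's tooling.  The indicator domain is the defanged one from the public
reporting; the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Defanged indicator from the reporting; re-fanged so it matches real src values.
INDICATOR_DOMAINS = {"cdn.uacounter[.]com".replace("[.]", ".")}

_ZERO_SIZES = {"0", "1", "0px", "1px"}


def _is_hidden(attrs):
    """Heuristics for a frame the site author did not intend visitors to see."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:  # bare `hidden` attribute parses with a None value
        return True
    width = (attrs.get("width") or "").strip().lower()
    height = (attrs.get("height") or "").strip().lower()
    return width in _ZERO_SIZES and height in _ZERO_SIZES


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that trips one of the watering-hole heuristics."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in INDICATOR_DOMAINS:
            reasons.append("src on known indicator domain")
        if _is_hidden(attrs):
            reasons.append("frame is visually hidden")
        if parsed.path.lower().endswith(".min.js"):
            # A frame whose document is a script file is unusual on a normal site.
            reasons.append("frame loads a .min.js resource")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def audit_html(html):
    """Return a list of suspicious iframe findings for the given HTML text."""
    auditor = IframeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one legitimate embed plus one injected, concealed frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://example.com/embed/video" width="560" height="315"></iframe>
<div style="position:absolute;left:-9999px">
<iframe src="//cdn.uacounter.com/stat.min.js" style="display: none" width="0" height="0"></iframe>
</div>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run it against a saved copy of each page on a site you administer; a single hit on the indicator domain is enough to justify a full review of the site's templates and server-side includes.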

Google attributed this campaign to a group it tracks as UNC6353, described as a "suspected Russian espionage group." Google's team worked with CERT-UA, Ukraine's cyber incident response agency, to clean up the compromised websites. But the damage to visibility was already done: the toolkit had now passed hands.

By the end of 2025, Coruna turned up again - this time deployed far more broadly. Hundreds of fake Chinese-language websites posing as financial platforms, cryptocurrency exchanges (including a fake version of the WEEX exchange), and gambling sites were delivering the full Coruna exploit kit to any iPhone user who visited, regardless of their location. The operation was run by a group Google tracks as UNC6691, described as a financially motivated Chinese-speaking threat actor. The goal was simple: drain cryptocurrency wallets, steal photos, and in some cases exfiltrate emails.


The Coruna toolkit's modular architecture suggests a single professional development team with state-level resources. Photo: Unsplash

The Operation Triangulation Connection

The most politically charged aspect of the Coruna story is who may have originally built it.

iVerify's analysis identified multiple components within Coruna that overlap with a hacking operation known as "Operation Triangulation" - a sophisticated campaign discovered in 2023 that targeted Russian cybersecurity firm Kaspersky. When Kaspersky disclosed the attack, the Russian government publicly attributed it to the NSA. The US government declined to comment on the attribution.

Rocky Cole at iVerify went further than Google in connecting the dots: "It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government. This is the first example we've seen of very likely US government tools - based on what the code is telling us - spinning out of control and being used by both our adversaries and cybercriminal groups."

Cole acknowledges an alternative explanation: the overlapping code could have been copied after Operation Triangulation's components were publicly exposed by Kaspersky's research. But he argues this is unlikely. Many components in Coruna have never been seen before, and the entire toolkit appears to have been written by what he calls "a single author" - the coding style, documentation patterns, and engineering choices are consistent throughout.

The exploit documentation provides additional clues. The code contains extensive docstrings and comments written in native English. Several of the internal component names - IronLoader, NeuronLoader, Neutron - suggest a US or Western developer. The level of sophistication suggests access to Apple's internal frameworks and an intimate understanding of iOS kernel internals that typically requires either reverse engineering over years, or access to source code.

Technical Note

Coruna checks whether Apple's Lockdown Mode is active before attempting any exploit. If Lockdown Mode is enabled, it aborts. This tells us the developers thoroughly understood iOS's security architecture - and prioritized avoiding detection over maximizing victims. That's state-intelligence behavior, not criminal behavior.

Google's report is carefully worded on this point - the company neither confirms nor denies US government origin, describing only that Coruna was first deployed by "a customer of a surveillance company." But the implications are unmistakable to anyone reading between the lines.

A Second-Hand Zero-Day Market

Whether or not Coruna originated as a US government tool, Google's broader warning is about a market structure that shouldn't exist but evidently does.

"How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits," Google's report states. "Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities."

Zero-day exploits - vulnerabilities unknown to the software vendor and therefore unpatched - are extraordinarily expensive. A single reliable iOS zero-day can sell for $1 million to $3 million on the commercial market, according to known pricing from exploit brokers like Zerodium. A complete exploitation chain covering multiple iOS versions and including sandbox escapes and privilege escalation - like what Coruna provides - represents tens of millions of dollars in development costs.

The normal assumption is that once an exploit is used operationally, it's burned - the targets might detect it, analyze their device, and eventually the techniques get discovered. State intelligence agencies have typically treated zero-days as carefully guarded assets, restricting their use to minimize the risk of exposure.

What Coruna suggests is a different model: a secondary market where used exploits get recycled down the capability hierarchy. A tier-one government customer deploys the tools. Once the operation is complete (or the tools are compromised), they are sold or leaked to a tier-two actor - in this case, Russian state hackers willing to pay for sophisticated tools rather than develop their own. Then, whether through sale, theft, or discovery of compromised infrastructure, the tools end up in criminal hands.

Google's research director Shane Huntley told WIRED that this pattern - exploit proliferation through the threat actor hierarchy - has been documented before, but never at this scale on mobile platforms. "We're seeing a lot of these capabilities travel in ways that are very concerning," Huntley said.

Coruna: Confirmed Timeline

Feb 2025: Google GTIG captures parts of an iOS exploit chain used by a "customer of a surveillance company." The framework uses unique JavaScript obfuscation techniques never seen before.

Summer 2025: Same JavaScript framework discovered on cdn.uacounter[.]com, loaded as hidden iFrames on hundreds of compromised Ukrainian websites. Attributed to UNC6353, a suspected Russian espionage group. CERT-UA notified, sites cleaned up.

Late 2025: Complete Coruna exploit kit found on hundreds of fake Chinese-language financial and cryptocurrency websites. UNC6691, a Chinese financially motivated group, deploying the full toolkit for mass exploitation.

March 3, 2026: Google Threat Intelligence Group publishes full research. iVerify separately releases analysis suggesting US government origin. Apple confirms all known vulnerabilities patched in iOS 26.

March 6, 2026: Ongoing: 42,000+ devices confirmed infected in Chinese-language campaign alone. Total victim count across all three phases unknown. iVerify calls it "the EternalBlue moment for mobile."

42,000 Victims and Counting

The scale of infection is not abstract. iVerify worked with a partner organization that had access to network traffic data and tracked connections to a command-and-control server used in the Chinese-language cryptocurrency campaign. The connection volume implied approximately 42,000 devices had already been compromised in that campaign alone.

That number covers only the financially motivated phase of Coruna's deployment - the fake crypto exchange websites run by UNC6691. The total victim count from the surveillance vendor's original targeted operations and the Russian campaign against Ukrainian users is not publicly known.

For victims of the cryptocurrency theft campaign, the damage was direct. Once Coruna achieves a complete compromise of an iOS device, the payload installed by UNC6691 was designed to drain cryptocurrency wallets, steal photos, and in some cases exfiltrate emails. Spencer Parker at iVerify noted that the malware payload added by the Chinese criminals was "poorly written" compared to the professional quality of the underlying Coruna toolkit - suggesting the criminals obtained a framework they lacked the skills to develop themselves, then bolted on their own cruder components.

For victims of the Ukrainian surveillance campaign, the stakes were different but potentially more severe. Russian intelligence operations against Ukrainian civilian websites have historically targeted government officials, military personnel, journalists, and civil society activists. An iPhone fully compromised with a kernel-level exploit gives the attacker access to messages, location history, camera, microphone, and every credential stored on the device.


The Coruna infection chain operated silently in the background of legitimate-looking websites. Victims had no indication their devices had been compromised. Photo: Unsplash

What Apple Did - and What It Didn't Do

Apple's public response to the Coruna disclosure has been characteristically minimal. The company did not immediately respond to requests for comment from either WIRED or iVerify. Its most notable action - quietly patching CVE-2024-23222 in iOS 17.3 in January 2024, without crediting any external researchers - happened over a year before the full Coruna toolkit was publicly disclosed.

The patching timeline is instructive. CVE-2024-23222 was the vulnerability used in the most recent exploitation chain, "cassowary," which targeted iOS 16.6 through 17.2.1. The earlier chains used vulnerabilities ranging back to 2020. This means that even as Apple was patching individual vulnerabilities, Coruna's developers were continuously updating the toolkit with new exploitation techniques, maintaining coverage across multiple iOS generations.

Google's report confirms that all known Coruna techniques are now patched in iOS 26, Apple's current release. But there are important caveats. First, iOS 26 is only available on relatively recent iPhone models - users on older hardware may be unable to update. Second, "all known" is doing a lot of work in that sentence. Google and iVerify acknowledge their analysis is ongoing. Several Coruna components exploit vulnerabilities that don't have assigned CVEs - meaning the researchers haven't fully characterized them yet, and there may be additional techniques in Coruna that aren't yet understood.

For users who cannot update to iOS 26, Apple's Lockdown Mode represents the best available protection. Coruna explicitly checks for Lockdown Mode and refuses to exploit devices with it enabled. The feature can be enabled in Settings under Privacy & Security. It does restrict some functionality - websites with complex JavaScript may load more slowly, and some communication features are limited - but for high-risk individuals, it's currently the strongest protection available.

"The framework holds together as a cohesive piece of engineering. The WebKit exploits, PAC bypasses, sandbox escapes, and privilege escalation components are all connected naturally. It's not a collection of stolen parts - it was designed as a system." - Rocky Cole, Co-founder, iVerify

The Bigger Picture: Surveillance Capitalism Meets Cyberwar

The Coruna story doesn't exist in isolation. It sits at the intersection of two trends that have been converging for years: the commercial surveillance industry that sells state-grade hacking tools to governments, and the ongoing blurring of lines between intelligence operations, state-sponsored cybercrime, and organized criminal hacking.

The commercial surveillance vendor industry - companies like NSO Group, Intellexa, FinFisher, and dozens of smaller operators - has long operated in a legal gray zone. They sell "lawful intercept" tools to government clients, nominally for law enforcement and national security purposes, while avoiding responsibility for how those tools are actually used. NSO Group's Pegasus spyware has been documented targeting journalists, dissidents, and opposition politicians in dozens of countries. The industry has faced significant legal and regulatory pressure in recent years, but continues to operate.

What Coruna suggests is a new second-order problem. Even if you accept the surveillance vendor industry's stated justification - that these tools are only sold to legitimate government clients for legitimate purposes - there is apparently no mechanism preventing those tools from proliferating beyond their original customers. The market for sophisticated hacking capabilities includes not just first buyers, but a secondary market of less scrupulous actors who can acquire used capabilities at a discount.

This has direct policy implications. The US government has been wrestling with how to regulate the commercial surveillance industry, particularly after revelations that American allies - and potentially American companies - had purchased tools being used against US citizens and interests. The Biden administration blacklisted NSO Group in 2021. But the regulatory framework has been piecemeal, and the secondary market for cyberweapons has attracted almost no policy attention.

Meanwhile, the geopolitical context around Coruna's deployment is notable. The Russian phase of its use came in summer 2025, as tensions in the region were building toward what would become the current conflict with Iran. The Chinese criminal phase emerged in the fall of the same year. Both occurred against a backdrop of intense competition over who controls the world's mobile security infrastructure - a competition in which the US has significant interests.

What This Means for Your iPhone

For the average iPhone user, the immediate practical takeaway from Coruna is straightforward: update to iOS 26 if your device supports it. All known Coruna exploitation techniques are patched in the current iOS release. If your device cannot run iOS 26, enable Lockdown Mode.

But the deeper implications are harder to address through individual action. Coruna confirms what security researchers have argued for years: the commercial surveillance industry creates systemic risks that extend far beyond their intended targets. When a government-grade iPhone hacking toolkit ends up on Chinese cryptocurrency scam sites, the risk is no longer limited to dissidents and journalists. It includes anyone who visited a compromised website on a vulnerable iPhone.

The iVerify team has made their detection capabilities available through their mobile security app, which can scan an iPhone for indicators of compromise consistent with known exploit kits including Coruna. The company reports it has been detecting Coruna infections in the wild since early 2025 in small numbers - but the scale only became apparent after Google's full disclosure.

One dimension that remains unclear is what happened to the data collected by the Russian espionage campaign against Ukrainian users. CERT-UA worked with Google to clean up the compromised websites, but the devices that were successfully infected before the cleanup remain compromised until they are wiped and restored. Any Ukrainian activist, official, or civilian who visited the wrong website on an older iPhone in summer 2025 may still be running a device fully controlled by Russian intelligence.

That's not a hypothetical concern. It is a concrete consequence of how government cyberweapons are built, sold, and eventually abandoned to the wild.

The EternalBlue Warning

When iVerify's Rocky Cole invoked EternalBlue, he was making a specific and serious claim. Not just that Coruna is dangerous - but that it represents a turning point in mobile security equivalent to the 2017 NSA tool leak that changed Windows security forever.

EternalBlue wasn't just a powerful exploit. It was a demonstration that NSA-developed capabilities could be weaponized by anyone, that the NSA's secret exploit arsenal wasn't actually contained, and that the collateral damage from these tools could far exceed anything their developers intended. The $10 billion in NotPetya damages fell overwhelmingly on civilian organizations - hospitals, shipping companies, manufacturers - not on intelligence targets.

Coruna has the same DNA. Google explicitly warns that the techniques in the toolkit can be "reused and modified with newly identified vulnerabilities" - meaning even if Coruna's specific CVEs are patched, the framework architecture and the exploitation techniques themselves remain in the wild, available for any threat actor to adapt with newly discovered vulnerabilities.

The scale of affected devices gives this weight. There are approximately 1.5 billion active iPhones in use globally. iOS 26 adoption rates typically reach about 70-75% within six months of release - meaning hundreds of millions of devices remain on older versions at any given time. Coruna's coverage of iOS 13 through 17.2.1 encompasses the vast majority of those unpatched devices.

Security researchers at Project Zero, Google's elite vulnerability research team, have separately noted that the exploitation techniques in Coruna represent advances over previously documented iOS attacks - specifically the PAC (Pointer Authentication Code) bypass techniques, which Apple introduced as a hardware-level security mitigation. Coruna includes multiple PAC bypass components (codenamed breezy, seedbell) that work across a wide range of iOS versions. Those techniques are now documented and will appear in future exploit kits.

The proliferation concern isn't just about Coruna specifically. It's about what happens to the mobile security ecosystem when state-grade exploitation techniques enter the general criminal market. EternalBlue showed what that looks like on Windows. Coruna suggests we're about to find out what it looks like on mobile.

"How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits. Multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities." - Google Threat Intelligence Group, March 3, 2026

What Comes Next

Google says its analysis of Coruna is ongoing and anticipates publishing additional technical specifications in future reports. The company has added all identified Coruna-related websites and domains to Safe Browsing, which protects Chrome and other browsers using the Safe Browsing API from known malicious sites. But that coverage is inherently reactive - it protects against known infrastructure, not future deployments using Coruna techniques against new targets.

For the US government, the political dimensions of a potential NSA-linked tool appearing in a Russian espionage campaign against Ukraine are awkward at the best of times - and this is not the best of times. The current administration has been navigating the Iran conflict while simultaneously managing its relationship with the AI industry and surveillance policy. There has been no official US government comment on the Coruna disclosure.

The surveillance vendor industry will face renewed scrutiny. Coruna provides a concrete case study for regulators and legislators who want to restrict or ban commercial spyware: here is documented evidence that tools sold to government customers ended up in the hands of both foreign state adversaries and organized criminals. Whatever the original customer's intentions, the downstream harm is real and measurable.

For iPhone users, the prescription is clear but limited. Update immediately. Enable Lockdown Mode if you're at elevated risk. Check iVerify's detection tools if you're concerned your device may already be compromised. Understand that if you were running an older iPhone and visited any compromised website over the last year, your device may have been targeted.

And understand that the system that created this problem - the commercial surveillance industry, the government appetite for offensive cyber capabilities, the lack of controls on what happens to those capabilities after they're sold - is entirely intact. Coruna is not the last of its kind. It is a preview of what the mobile security landscape looks like as state-grade cyberweapons continue to flow down the capability hierarchy.

EternalBlue took eighteen months from NSA leak to global catastrophe. Coruna's timeline may be faster. The criminals already have it.
