Earlier this week, the Google Threat Intelligence Group (GTIG) published a report on an exploit kit specifically targeting older Apple iPhones. Those with an up-to-date iOS may only feel momentarily smug as it turns out the kit, called Coruna, can sink its hooks into a wide range of phones—though the malicious range of this exploit kit is far from the worst wrinkle in this story.
GTIG says it tracked Coruna’s use throughout 2025, beginning with “highly targeted operations initially conducted by a customer of a surveillance vendor.” However, the exploit framework is unlikely to have been built by cybercriminals alone, and may originate from hacking tools used by the US government.
Device security company iVerify has recently issued its own report on what it’s calling the ‘First Known Mass iOS Attack,’ claiming that the exploit chain at the centre of Coruna “has similarities to previous frameworks developed by threat actors affiliated with the US government.”
“While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors”, says the researchers.
GTIG says Coruna consists of “five full iOS exploit chains and a total of 23 exploits,” two of which bear a striking resemblance to iOS exploits “that were also used as zero-days as part of Operation Triangulation.” Triangulation was a 2023 hacking operation targeting Russian cybersecurity firm Kaspersky. The Russian government alleged the NSA was behind it, though the US government has neither confirmed nor denied this.
(Image credit: Getty images – boonchai wedmakawand)
The full Coruna framework can be levelled at iPhone models running iOS version 13.0 (released in September 2019), all the way up to version 17.2.1 (released in December 2023). Coruna can quietly infect what is potentially a lot of phones, and then be used to harvest swathes of sensitive data (including photos and emails), as well as steal cryptocurrency.
GTIG was able to extract the full exploit kit from an attack by “UNC6691, a financially motivated threat actor operating from China.” But the team additionally reported it also saw the exploit framework deployed in earlier attacks against Ukrainian users by suspected Russian threat actor UNC6353.
This is cause for concern all on its own as it suggests cybercriminals are trading tips on how to carry out malicious attacks internationally, and that there’s “an active market for ‘second hand’ zero-day exploits.” The alleged US government origin lore makes that all the more dreadful.
IVerify’s report sums it up, saying, “Despite assurances from commercial spyware developers and the governments who purchase them that use will be limited to counterterrorism, only against criminals and by non-authoritarian administrations, the reality has begun to settle in: once spyware or an exploit capability is sold, control over the end customer is lost.”
To put it another way, and to paraphrase Jensen Huang, that’s why I’d argue manufacturers of consumer electronics like phones and PCs shouldn’t offer up ‘secret backdoors’—you can’t guarantee who exactly will end up with the keys.
