
A powerful iPhone hacking toolkit capable of silently compromising devices has moved from a government-linked surveillance operation into espionage campaigns and criminal cryptocurrency theft networks, according to research from Google and mobile security firm iVerify.
The toolkit, known as Coruna, contains a collection of advanced exploits designed to bypass iPhone security protections when a user simply visits a malicious webpage. Researchers say the framework includes five complete attack chains built from 23 separate vulnerabilities in Apple’s iOS operating system. These chains enable attackers to compromise devices without requiring the victim to download software or interact with anything beyond loading the page.
Google’s Threat Intelligence Group traced the toolkit through several campaigns during 2025, beginning with a surveillance vendor that attempted to install spyware on an iPhone for a government client. The researchers did not identify the government involved. The same toolkit appeared months later in a suspected Russian espionage operation targeting users in Ukraine and later in a financially motivated hacking campaign operating Chinese-language financial scam websites designed to steal cryptocurrency.
Google first identified Coruna in February 2025 during the surveillance vendor operation, in which the toolkit was used in an attempt to install spyware on a phone on behalf of a government customer. Researchers described the framework as unusually complex because it combines multiple exploitation techniques capable of bypassing an iPhone’s built-in defenses.
Five months later, the toolkit resurfaced in an espionage campaign carried out by a suspected Russian spy group. In that operation, attackers embedded the exploit code inside a visitor-counting component used on Ukrainian websites. Compromised sites included industrial equipment retailers, local service providers, and e-commerce shops. The attackers used geolocation filtering to serve the exploit only to selected visitors, enabling targeted surveillance activity.
Later in 2025, the toolkit appeared again in a different environment. A financially motivated hacking group operating from China deployed Coruna across a network of fraudulent financial websites, including counterfeit cryptocurrency exchanges and gambling platforms written in Chinese. Unlike the espionage campaign that filtered targets by location, the criminal operation attempted to infect any iPhone user visiting the pages.
The framework performs what security researchers describe as a watering hole attack. When a user opens an infected webpage, the exploit code fingerprints the device to determine its exact model and iOS version. The system then selects an appropriate exploit chain from its library of vulnerabilities and launches the attack automatically.
Coruna targets iPhones running iOS 13 through iOS 17.2.1, versions released between September 2019 and December 2023. The exploits rely on weaknesses in Apple’s WebKit browser framework, which powers the Safari browser. Researchers said there are no confirmed techniques in the toolkit that target Chrome users on iOS.
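For a defender the most immediately useful fact above is the affected version range, iOS 13 through iOS 17.2.1. The following added example (written for this article, not code from Google, iVerify, or the toolkit) shows how an incident responder can turn that range into a triage list from web server logs: it parses the iOS version Safari advertises in its User-Agent string, compares it against the reported range with proper numeric version ordering, and lists the clients whose devices were exposed. The log lines and IP addresses are constructed samples, and the tab-separated log format is an assumption chosen for simplicity.

```python
import re
from typing import List, Optional, Tuple

# Affected range reported for Coruna: iOS 13 through iOS 17.2.1, inclusive (from the article).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Safari on iOS advertises the OS version as "CPU iPhone OS 17_2_1 like Mac OS X".
_UA_VERSION = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(version: str) -> Tuple[int, int, int]:
    """Turn '17.2.1', '17.2' or '13' into a zero-padded (major, minor, patch) tuple.

    Zero-padding matters: '17.2' must compare as 17.2.0, which is below 17.2.1,
    and a plain string comparison would wrongly rank '9.3' above '17.2.1'.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def in_coruna_range(version: str) -> bool:
    """True if the iOS version lies within the range the exploit chains are reported to target."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def ios_version_from_user_agent(ua: str) -> Optional[str]:
    """Extract 'major.minor.patch' from an iPhone Safari/WebKit User-Agent; None for anything else."""
    m = _UA_VERSION.search(ua)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return f"{major}.{minor}.{patch}"


# Constructed sample log: "client_ip<TAB>user_agent", one hit per line. Not real traffic.
CONSTRUCTED_ACCESS_LOG = """\
203.0.113.10\tMozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1
203.0.113.11\tMozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1
203.0.113.12\tMozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1
203.0.113.13\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
203.0.113.14\tMozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1
"""


def triage_access_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, ios_version) for every iPhone hit whose OS version is in the affected range.

    A User-Agent cannot reveal whether Lockdown Mode was enabled, so this is an exposure
    list for device follow-up, not a list of confirmed compromises.
    """
    exposed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ua = line.split("\t", 1)
        version = ios_version_from_user_agent(ua)
        if version is not None and in_coruna_range(version):
            exposed.append((ip, version))
    return exposed


if __name__ == "__main__":
    for ip, version in triage_access_log(CONSTRUCTED_ACCESS_LOG):
        print(f"{ip} ran iOS {version}: inside the Coruna-targeted range, triage this device")
```

Run it against an export of hits to a site you suspect was trojanized and hand the resulting list to whoever can examine the devices; any client outside the range, or on iOS 17.3 or later, is outside what the toolkit is reported to exploit.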
Inside the toolkit are exploit modules with internal codenames including Cassowary, Photon, Neutron, Gruber, Sparrow, and others. The modules exploit different parts of iOS security, including WebKit remote code execution flaws, sandbox escape vulnerabilities, and kernel privilege escalation weaknesses.
Two exploits inside Coruna, Photon and Gallium, target the same vulnerabilities previously used in Operation Triangulation, a sophisticated iPhone hacking campaign uncovered in 2023 by Russian cybersecurity firm Kaspersky. The operation targeted several iPhones belonging to Kaspersky employees. Russian officials claimed the attacks were carried out by the United States National Security Agency, and the U.S. government did not respond to that claim.
Mobile security company iVerify conducted its own investigation after obtaining a version of Coruna from one of the infected Chinese websites. The company identified similarities between the toolkit and exploitation modules previously linked to U.S. government hacking operations. Based on those similarities, iVerify concluded that the framework may have originated as a hacking toolkit developed for or purchased by the U.S. government.
Rocky Cole, cofounder of iVerify, described the code as highly complex and expensive to build.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” Cole said.
He said the case represents a situation where tools believed to be associated with U.S. government hacking activity appear to have spread into the hands of foreign intelligence services and criminal groups.
“This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.”
The criminal version of Coruna deployed in the Chinese campaign included additional malware designed to steal digital currency. Once the exploit chain succeeded, a loader called PlasmaLoader installed itself into powerd, a root-level iOS system daemon. From that position the malware searched for cryptocurrency wallet applications on the device.
The wallet apps targeted included MetaMask, Trust Wallet, Phantom, Exodus, TonKeeper, and more than a dozen other wallet programs. The malware could also scan images stored on the phone to decode QR codes, and it searched Apple Notes and memos for seed phrases and banking-related keywords.
Internal logging strings within the malware were written in Chinese. Some comments in the code contained emojis in a format researchers said suggests possible generation using large language models.
Researchers found that the malware components added by the cybercriminal group were far less polished than the original exploit framework. Spencer Parker, chief product officer at iVerify, described the core toolkit as exceptionally well written.
“My God, these things are very professionally written,” Parker said when describing the exploits in Coruna.
The financial theft components attached by the criminals appeared comparatively crude. Parker said those additions were “poorly written” compared with the exploit framework itself.
The infrastructure supporting the attacks included multiple technical protections. Binary payloads were encrypted using ChaCha20, packaged in a custom file format identified by a 0xf00dbeef header, and compressed using the Lempel–Ziv–Welch algorithm. Resource files used during exploitation were referenced through URLs containing SHA-256 hashes derived from unique cookies.
The malware transmitted stolen data through HTTPS connections encrypted with AES. It also contained a domain generation algorithm that produced backup communication servers if primary command-and-control systems were disabled. The algorithm used the seed string “lazarus” to generate fallback .xyz domains.
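The article does not disclose how the fallback domains are generated, only that the algorithm produces .xyz names from the seed “lazarus”, so the following added example (written for this article, not code from iVerify, Google, or the malware) does not reproduce that algorithm. Instead it shows the generic detection a network defender would run over DNS query logs to catch DGA behaviour: it scores each queried name on lexical features that algorithmically generated labels tend to share (random-looking characters, digits mixed with letters, unusual length) plus the one reported fact, the .xyz TLD, and then flags any client that looked up several distinct suspicious names, which is what a host cycling through fallback servers looks like. The log lines, client addresses and .xyz names are constructed samples, not real indicators, and the thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed DNS query log ("timestamp client qtype qname"). The .xyz names are made up, not real IoCs.
CONSTRUCTED_DNS_LOG = """\
2025-09-01T10:00:01Z 10.0.0.5 A www.example.com
2025-09-01T10:00:02Z 10.0.0.5 A cdn.example.net
2025-09-01T10:00:03Z 10.0.0.7 A q7xk2m9p3wzd.xyz
2025-09-01T10:00:03Z 10.0.0.7 A zt4vb8nq1xkr.xyz
2025-09-01T10:00:04Z 10.0.0.7 A mp9dw3hk7yvc.xyz
2025-09-01T10:00:05Z 10.0.0.9 A blog.xyz
2025-09-01T10:00:06Z 10.0.0.9 A www.example.com
"""

_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_parts(qname: str) -> Optional[Tuple[str, str]]:
    """Split 'www.example.com' into ('example', 'com').

    Simplification (assumption): treats the last label as the public suffix, which is
    wrong for suffixes like co.uk; a real deployment would use the Public Suffix List.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def dga_score(qname: str) -> int:
    """Score 0-4: .xyz TLD (the reported fallback TLD), high entropy, digits mixed with letters, long label."""
    parts = registrable_parts(qname)
    if parts is None:
        return 0
    label, tld = parts
    score = 0
    if tld == "xyz":
        score += 1
    if shannon_entropy(label) >= 3.0:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    if len(label) >= 10:
        score += 1
    return score


def is_dga_like(qname: str, threshold: int = 3) -> bool:
    """A single name is suspicious when it hits at least `threshold` of the four features."""
    return dga_score(qname) >= threshold


def flag_clients(log_text: str, min_distinct: int = 2) -> Dict[str, List[str]]:
    """Clients that queried at least `min_distinct` distinct DGA-like names, with the names sorted.

    Requiring several distinct names per client is what separates a host walking a
    fallback list from a single odd lookup.
    """
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        if is_dga_like(qname):
            seen[client].add(qname.lower())
    return {client: sorted(names) for client, names in seen.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for client, names in flag_clients(CONSTRUCTED_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {', '.join(names)}")
```

On the constructed log only the client that cycled through three random-looking .xyz names is flagged; the short dictionary word blog.xyz scores on the TLD alone and is left out, which is the point of combining several weak features rather than alerting on the TLD by itself.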
iVerify analyzed network traffic associated with the criminal campaign to estimate how many devices were compromised. Working with a partner that has access to large volumes of network data, researchers counted visits to a command-and-control server used in the Chinese operation. Based on those connections, iVerify estimates that approximately 42,000 devices were infected during that campaign alone.
The number of victims in earlier campaigns remains unknown. This includes the Ukrainian users exposed through compromised local websites during the suspected Russian espionage operation.
Google researchers said Coruna’s spread suggests the existence of a marketplace where exploitation frameworks are resold after their original use. Their report described the situation as evidence of an active market for “second hand” zero-day exploits, referring to previously unknown vulnerabilities that have not yet been patched.
“These zero-day and exploit brokers tend to be unscrupulous,” Cole said. “They sell to the highest bidder and they double dip. Many don’t have exclusivity arrangements. That’s very likely what happened here.”
Cole also said the architecture of the toolkit suggests it was written as a single cohesive framework rather than assembled from separate pieces of code.
“The framework holds together very well,” he said. “It looks like it was written as a whole. It doesn’t look like it was pieced together.”
Cole previously worked at the U.S. National Security Agency but said his analysis relied only on the technical characteristics of the code and not on his past government experience.
The growth of exploit brokerage markets has drawn attention in recent legal cases. Peter Williams, an executive of the U.S. government contractor Trenchant, received a seven-year prison sentence after selling hacking tools to the Russian exploit broker Operation Zero between 2022 and 2025. Court documents stated that Trenchant supplied hacking technology to the U.S. intelligence community and to members of the Five Eyes alliance, which includes the United States, United Kingdom, Australia, Canada, and New Zealand. The documents did not identify the specific tools involved or the devices targeted.
Cole compared the Coruna situation to the release of EternalBlue, a Windows hacking exploit stolen from the U.S. National Security Agency and leaked in 2017. After its release, the exploit was used in destructive cyberattacks including North Korea’s WannaCry ransomware outbreak and Russia’s NotPetya attack.
“This is the EternalBlue moment for mobile malware,” Cole said.
Apple has addressed the vulnerabilities used by Coruna in newer software updates. Google reported that the exploits work only against devices running iOS 13 through iOS 17.2.1 and that Apple patched the weaknesses in the latest operating system release, iOS 26.
Researchers also found that the toolkit checks whether a device has Apple’s most restrictive security setting enabled. If Lockdown Mode is active, the exploit chain stops and does not attempt to compromise the device.
Google declined additional comment beyond the report it published on the research. Apple did not immediately respond to requests for comment regarding the findings from Google and iVerify.
