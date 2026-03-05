Share





A powerful new hacking toolkit dubbed “Coruna” has compromised thousands of iPhones globally, according to a new report released by the Google Threat Intelligence Group (GTIG).

The exploit kit, which targets devices running iOS 13.0 through 17.2.1, contains 23 distinct vulnerabilities and five complete “attack chains” capable of silently seizing control of a device with no user interaction required.

The discovery has sparked a geopolitical firestorm. Google tracked the toolkit’s evolution from a private surveillance vendor in early 2025 to UNC6353, a suspected Russian espionage group. These state-sponsored actors deployed Coruna in “watering hole” attacks, hiding malicious code within common components of Ukrainian websites to infect unsuspecting users.

The threat has since proliferated further. GTIG later observed the complete kit being used by UNC6691, a financially motivated Chinese cybercriminal group.

These actors embedded the exploits in fake cryptocurrency and betting platforms to drain digital wallets and steal sensitive financial data. Experts estimate that the criminal campaign alone may have infected upwards of 42,000 devices.

‘Mobile EternalBlue’ moment?

The origin of Coruna has prompted comparisons to EternalBlue, the infamous NSA tool that leaked and fuelled global ransomware attacks.

Cybersecurity firm iVerify noted that Coruna shares “hallmarks” with tools previously attributed to the US government, including modules seen in the 2023 “Triangulation” hacks. While its exact lineage remains a mystery, researchers suggest it may have been sold into the “second-hand” zero-day market by unscrupulous brokers.

“This is the first example we’ve seen of likely US government tools spinning out of control and being used by both adversaries and criminals,” said Rocky Cole, co-founder of iVerify.

How to Stay Safe

While the exploit is highly sophisticated, it is not invincible. Google and Apple confirmed that iOS 26 and recent patches for older versions are fully protected. Users are urged to:

Update immediately: Install the latest iOS security patches.

Enable Lockdown Mode: Coruna reportedly abandons attack attempts if this high-security setting is detected.

Exercise caution: Avoid suspicious financial or crypto-related websites.

