Google’s Threat Intelligence Group (GTIG) has uncovered a powerful iPhone hacking toolkit capable of infecting devices when a user visits a malicious website, meaning malware can be transferred without anything being clicked on by the target.

The framework, dubbed “Coruna,” includes five full iOS exploit chains and 23 vulnerabilities targeting iPhones running iOS 13 through 17.2.1. Researchers said some of the exploits rely on previously unseen techniques to bypass Apple’s security protections.

GTIG first identified parts of the toolkit in early 2025 in an exploit chain used by a customer of an unnamed commercial surveillance vendor. The code used a JavaScript framework that fingerprinted devices to determine the iPhone model and operating system version before delivering a tailored exploit.

The same framework later appeared on compromised Ukrainian websites in mid‑2025. Google attributed that campaign to UNC6353, a suspected Russian espionage group, which used hidden iframes to selectively target visiting iPhone users.

Later in the year, researchers discovered the toolkit again on hundreds of Chinese‑language websites tied to cryptocurrency and finance scams. Those sites attempted to lure victims to visit using iOS devices before injecting the exploit kit.

The report said vulnerabilities used by Coruna have since been patched in newer versions of Apple’s mobile operating system and urged users to update their devices. The exploit kit does not work against the latest versions of iOS.

Possible U.S. origins

While GITG’s report does not identify the original surveillance vendor customer or who may have developed the kit, researchers for mobile security firm iVerify researchers said elements of the code suggest possible U.S. origins.

“It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,” iVerify co-founder Rocky Cole told WIRED. He added that it was the first example uncovered by the firm of “very likely U.S. government tools” being adopted by adversaries and cybercriminal groups after “spinning out of control.”



iVerify estimated roughly 42,000 devices in just one campaign were compromised after analyzing traffic to command‑and‑control servers linked to Chinese‑language scam websites distributing the exploits.

The toolkit targets vulnerabilities in Apple’s WebKit browser engine and includes a loader that deploys different exploit chains depending on the device model and operating system version. Payloads are encrypted, compressed and delivered in a custom file format designed to evade detection.

“iPhone users are strongly urged to update their devices to the latest version of iOS,” GTIG said, adding that Apple’s Lockdown Mode can provide additional protection if updating is not possible.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。