A sophisticated iPhone hacking toolkit, potentially originating from a US government contractor, has leaked into the hands of Russian spies and now cybercriminals. The tool, dubbed “Coruna” by Google researchers, silently installs malware on an iPhone when its user simply visits a compromised website. This marks a rare and alarming instance of advanced hacking capabilities escaping control and being repurposed for espionage and financial crime.
From State-Sponsored Espionage to Crypto Theft
The toolkit was first observed in use by suspected Russian intelligence operatives targeting Ukrainian citizens. Later, it resurfaced in a purely profit-driven campaign, infecting Chinese-language cryptocurrency and gambling sites to steal funds. Security experts suspect that the underlying code may have been originally developed for or acquired by the US government, raising serious questions about the security of nation-state cyber tools.
Coruna’s Capabilities: A Rare Collection of Zero-Day Exploits
Coruna leverages 23 distinct vulnerabilities in iOS, an unusually high number suggesting its creation by a well-funded, state-sponsored hacking team. Google’s report reveals that the toolkit includes five complete hacking techniques capable of bypassing iPhone defenses without user interaction. This means that even fully updated iPhones running the latest software are vulnerable if they visit an infected site.
Evidence Points to US Origins
Researchers at iVerify found striking similarities between Coruna’s code and hacking operations previously linked to the US National Security Agency (NSA), specifically the “Triangulation” campaign targeting Kaspersky, a Russian cybersecurity firm. The code’s structure and sophistication suggest a single, highly professional developer—a level of polish rarely seen in amateur hacking operations.
“This is the first example we’ve seen of very likely US government tools…spinning out of control and being used by both our adversaries and cybercriminal groups,” says Rocky Cole, co-founder of iVerify.
The EternalBlue Moment for Mobile
The proliferation of Coruna is being compared to the leak of “EternalBlue,” an NSA-developed Windows hacking tool that was stolen and weaponized in devastating cyberattacks like WannaCry and NotPetya. The availability of such powerful mobile hacking tools could lead to widespread exploitation, especially of devices running older iOS versions.
Mitigation and Impact
Apple has patched the vulnerabilities exploited by Coruna in iOS 26, meaning devices running earlier versions (iOS 13 through 17.2.1) remain at risk. However, the toolkit’s existence underscores a dangerous reality: even the most secure devices are vulnerable when advanced hacking tools fall into the wrong hands. Initial estimates suggest that Coruna may have already infected tens of thousands of devices, with the potential for much wider damage.
The leak of a highly sophisticated tool, developed by a state-sponsored actor, into the criminal ecosystem highlights the risks inherent in the zero-day exploit market. When brokers sell these tools to the highest bidder, the tools inevitably end up in the hands of adversaries and cybercriminals, and containing them becomes impossible. The genie, as one expert put it, is out of the bottle.