iPhone hacking toolkit tied to espionage and crypto scams uncovered

Written by Jon CuthbertPublished Mar. 4 2026Last Updated Mar. 4 2026

Share

Security researchers have identified a powerful iPhone hacking toolkit capable of infecting devices simply when users visit malicious websites.

The discovery was reported by Google’s Threat Intelligence Group, which warned the exploit kit could silently deliver malware without requiring victims to click anything.

The toolkit, known as Coruna, contains multiple exploit chains designed to target Apple devices running iOS versions from iOS 13 through 17.2.1.

Investigators said the framework includes five full exploit chains and at least 23 vulnerabilities affecting Apple’s mobile operating system.

Some of the vulnerabilities reportedly rely on previously unseen methods that bypass Apple’s built-in security protections on affected devices.

Researchers first observed parts of the toolkit in early 2025 when it appeared in an exploit chain linked to a customer of a commercial surveillance vendor.

The malicious framework uses JavaScript code that identifies a visitor’s iPhone model and operating system before delivering a tailored attack.

Later in 2025, the same technology surfaced on compromised Ukrainian websites targeting specific iPhone users through hidden webpage elements.

Google attributed that campaign to a suspected Russian espionage group known as UNC6353, which allegedly used the exploit system to spy on selected targets.

Researchers then discovered the toolkit spreading through hundreds of Chinese-language websites associated with cryptocurrency and financial investment scams.

These scam sites attempted to attract users browsing with iPhones before secretly deploying the exploit framework onto vulnerable devices.

Security analysts estimate that roughly 42,000 devices were compromised during one campaign after monitoring command-and-control servers connected to the scam infrastructure.

The Coruna toolkit specifically attacks weaknesses in Apple’s WebKit browser engine and dynamically selects the correct exploit chain for each targeted device.

Attack payloads are encrypted and compressed before being delivered through a customised file format designed to avoid detection by security systems.

Mobile security company iVerify suggested the toolkit’s engineering sophistication may indicate origins linked to advanced government cyber programmes.

“It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,”

Rocky Cole said.

“It was the first example uncovered by the firm of very likely U.S. government tools being adopted by adversaries and cybercriminal groups after spinning out of control,”

He added.

Researchers noted that all vulnerabilities used by the toolkit have now been patched in newer versions of Apple’s iOS software.

Experts strongly recommend iPhone users update their devices immediately and consider enabling Apple’s Lockdown Mode for additional protection.

iPhone hacking toolkit tied to espionage and crypto scams uncovered

Frequently asked questions

What is the Coruna iPhone hacking toolkit discovered by researchers?

How were Apple iPhones targeted by the Coruna exploit kit?

How many iPhones were reportedly compromised in the Coruna hacking campaign?

What vulnerabilities in Apple devices did the Coruna toolkit exploit?

Why does the Coruna hacking discovery matter for investors following Apple (NASDAQ: AAPL)?