A shadowy hacking tool shows why skipping iPhone updates can be a dangerous gamble. On Tuesday, security researchers disclosed “Coruna,” a software kit that leverages nearly two dozen iOS exploits to hack vulnerable iPhones.
The Coruna exploit kit uses 23 hacking techniques to remotely target iPhones, according to Google’s Threat Intelligence Group. Most recently, the exploit kit was running on a large set of fake Chinese websites, attempting to attack any iPhones that loaded up the pages, regardless of location.
Collectively, Coruna assembles “five full iOS exploit chains” from the 23 hacking techniques. The good news is that Coruna can only exploit previously patched vulnerabilities in iOS 13.0 through iOS 17.2.1, the latter of which arrived in December 2023. The Apple operating system is now on iOS 26.
Interestingly, Google first spotted an unnamed “customer of a surveillance vendor” using Coruna in February 2025, suggesting a government buyer of spyware was involved.
Then, in July, Google discovered a suspected Russian espionage group hosting the exploit kit on compromised Ukrainian websites. “The framework was identical and delivered the same set of exploits,” but did so only on select iPhone users from a specific geolocation, Google said.
In December, Coruna was spotted again, but this time for cybercrime. A financially motivated Chinese hacking group was using it on websites, including those for fake cryptocurrency exchanges. Except this time, the exploit kit was deployed against iOS users indiscriminately. A pop-up on the websites would even recommend users visit the page using iOS.

The findings suggest the scary likelihood that a well-funded spyware vendor developed Coruna and sold it off, leading to its proliferation. Google adds that Coruna has even been using some “non-public exploitation techniques and mitigation bypasses” when it targets vulnerable iPhones. The company says its analysis remains ongoing, so 11 of the exploits have yet to receive an official CVE ID number. In addition, Google doesn’t know if five of the non-public exploits have been patched, although the attacks were designed to target older versions of iOS.
Coruna’s ultimate goal is to secretly deliver a program dubbed “PlasmaLoader,” which is designed to run in the background, but has root access to iOS. Google recovered the payload from the fake Chinese websites running Coruna and found PlasmaLoader can run additional modules and look for and collect snippets of text from an infected iPhone, likely to steal financial information.
Security vendor iVerify also tracked the Coruna kit to a Chinese web domain two weeks ago, and found it could enable attacks requiring only one tap from the user. The exploit kit was also designed to target vulnerabilities in Apple’s Safari browser.
“Anyone who would have gone to the website with a vulnerable iOS version could get infected. This is not typical for targeted attacks used by nation-states, but rather e-criminal groups. We were able to reinfect our devices multiple times,” the company’s report added.
iVerify also told Wired that there are clues in Coruna’s computer code suggesting the US government may have once been involved in developing the exploit kit. It’s also possible that Coruna successfully infected tens of thousands of Chinese users since an estimated 5% of iPhone users are still running older, vulnerable versions of iOS. (That said, Android phones have long dominated the Chinese market.)
Apple didn’t immediately respond to a request for comment. In the meantime, Google emphasized: “The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS.”
If you can’t update to the newest iOS, Google advises activating Lockdown Mode, which Apple introduced in 2022 to protect iPhone users from spyware threats.
About Our Expert
Michael Kan
Senior Reporter
