Google Discovers Pervasive Exploit Kit Targeting iPhones
In a significant revelation, Google has identified a sophisticated exploit kit named Coruna, which has been targeting iPhones running iOS versions 13.0 through 17.2.1. The toolkit employs a range of intricate security bypass techniques that make it effective against Apple’s mobile operating system.
Coruna was originally built for commercial surveillance, but its user base has shifted over time. It moved from commercial surveillance groups to state-sponsored actors. Most alarmingly, it has now fallen into the hands of cybercriminals, in what is considered a rare instance of elite-grade spyware being leveraged for mass exploitation. This transition underscores a troubling trend in cybersecurity, where sophisticated tools originally designed for a select group of actors become widely available to less discerning threat groups.
The Google Threat Intelligence Group has conducted a thorough analysis of the Coruna framework, revealing that it comprises a staggering 23 individual exploits along with five complete exploit chains. Notably, while the toolkit remains a significant threat, it has been rendered ineffective against the most recent updates pushed out by Apple. The technical depth displayed by Coruna is particularly concerning, as it leverages non-public techniques and demonstrates seamless integration throughout its various components.
The emergence of the Coruna toolkit marks a crucial moment for cybersecurity practitioners, as it signifies a leap forward in the technical capabilities available to a diverse array of threat actors. Security researchers first detected signs of the kit in early 2025, alerting users and organizations to the looming threat.
One of the particularly alarming aspects of this situation is the evolution of Coruna. The toolkit’s journey—from commercial surveillance to state-sponsored groups and, finally, to financially motivated attackers based in China—highlights the growing secondary market for zero-day vulnerabilities. This market allows once-exclusive cyber weapons to be recycled and sold, thereby empowering less sophisticated groups to launch high-level attacks specifically targeting Apple users.
In-depth technical analysis shows that Coruna uses a JavaScript-based system to fingerprint its target device. By identifying the specific iPhone model and software version, the toolkit ensures that it deploys the most effective code for that hardware configuration. This precision enables Coruna to bypass modern security features, including pointer authentication codes, which are designed to thwart unauthorized code execution.
A pivotal vulnerability exploited by the Coruna kit lies within WebKit—the underlying engine that powers the Safari browser. The toolkit takes advantage of a type confusion vulnerability, enabling attackers to execute remote code on a device merely by tricking the user into visiting a malicious website. Although Apple proactively released patches to address these vulnerabilities in early 2024, the Coruna kit remains a danger for users who have yet to update to iOS 17.3 or newer versions.
Security experts from iVerify have observed that some structural elements of Coruna mirror those of older frameworks associated with Western government operations. This suggests a rich lineage of ongoing development, coupled with a striking shift from highly targeted surveillance methods toward broad, mass-scale deployment strategies. This shift inherently elevates the risk to consumer mobile security.
The discovery of the Coruna exploit kit acts as a critical reminder of the need for users to engage in rapid software updates. Even the most sophisticated exploit chains eventually lose their potency once a patch is widely adopted; the challenge remains in encouraging users to take action promptly. The implications of this toolkit’s existence reverberate broadly across the cybersecurity landscape, serving as a wake-up call for individuals and organizations alike to remain vigilant against emerging threats.
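The following Python triages a device inventory against the version range given above: iOS 13.0 through 17.2.1 targeted, 17.3 or newer patched. It is an added example, not code from Google or from this article; the CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io

# Range stated in the article: iOS 13.0 through 17.2.1 targeted; 17.3+ patched.
FIRST_TARGETED = (13, 0, 0)
FIRST_PATCHED = (17, 3, 0)

# Constructed sample of an MDM inventory export (hypothetical column names).
SAMPLE_INVENTORY = """device_id,model,os_version
d-001,iPhone14,17.2.1
d-002,iPhone12,16.7
d-003,iPhone15,17.10
d-004,iPhone13,17.3
d-005,iPhone8,12.5.7
d-006,iPhone11,unknown
d-007,iPhone15,18.1 (22B83)
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the field is not a dotted version."""
    head = text.strip().split(" ")[0]  # drop a trailing build id such as "(22B83)"
    parts = head.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad so 16.7 compares as 16.7.0

def classify(text):
    v = parse_version(text)
    if v is None:
        return "unparsed"            # needs manual review, never silently "ok"
    if v >= FIRST_PATCHED:           # tuple compare: 17.10 > 17.3, unlike strings
        return "patched"
    if v >= FIRST_TARGETED:
        return "in_targeted_range"
    return "below_stated_range"      # older than 13.0 and also not on 17.3+

def triage(csv_text):
    """Group device ids by status, preserving inventory order."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:20} {', '.join(ids)}")
```

Devices reported as unparsed or below_stated_range still need follow-up, since neither group is confirmed to be on iOS 17.3 or newer.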
As the cybersecurity community continues to track the development of exploit tools like Coruna, the focus must remain on proactive strategies to safeguard sensitive information and maintain the integrity of mobile devices. The evolution of such exploit kits represents an ongoing battle between security and exploitation, and the urgency for updated defenses has never been more pronounced.

