Cybersecurity experts have revealed a set of advanced hacking tools known as Coruna, which can compromise iPhones running older versions of iOS. These tools have reportedly transitioned from a government agency to the hands of cybercriminals, raising concerns about their misuse.
Initially discovered by Google in February 2025 during an attempt by a surveillance vendor to exploit a target's phone, the same exploit kit was later observed in attacks against Ukrainian users orchestrated by a Russian espionage group. Additionally, a financially motivated hacker in China has also employed these tools.
Mobile security firm iVerify has analyzed the Coruna toolkit, suggesting its origins may be linked to U.S. government hacking tools due to notable similarities. The toolkit is particularly dangerous, capable of breaching iPhone defenses through tactics like “watering hole” attacks. It can exploit up to 23 vulnerabilities to breach devices, impacting models running iOS versions from 13 to 17.2.1, which was released in December 2023.
This situation underscores the risk of government-developed exploits leaking into the illicit market, potentially enabling broader malicious use. As noted by iVerify, the proliferation of such tools among bad actors presents ongoing security challenges.