iPhone exploit kit Coruna moved from espionage to criminal use, researchers say
Mar 5th 2026
Google and independent researchers describe Coruna, a sophisticated iPhone exploit kit that used 23 vulnerabilities to install malware via websites, was used in both espionage and criminal campaigns, and may have originated with a surveillance contractor but its provenance is not proven.
- Google calls the toolkit Coruna and says it uses five exploit chains that together exploit 23 iOS vulnerabilities.
- Coruna can silently infect iPhones when users visit a compromised website and the exploited bugs affect iOS 13 through 17.2.1, with Apple patching them in iOS 26.
- Google links early components to a customer of a surveillance company and later sightings to a suspected Russian espionage campaign targeting Ukrainian sites.
- iVerify found a criminal version that infected Chinese-language crypto and gambling sites to steal cryptocurrency and estimates about 42,000 devices were compromised by that campaign.
- Code overlaps with previously reported Triangulation modules lead some researchers to suspect a well resourced, likely state level author and possibly a US contractor, but the original source is not confirmed.
- Researchers warn the toolkit likely circulated through a market for zero day exploits, increasing the risk that advanced government quality tools leak to adversaries and cybercriminals.