Mass iPhone attack: government-grade iOS hacking tool falls into the hands of cybercriminals


iPhones are under mass attack, with Chinese scammers, Russian spies, and other cybercriminals using government-grade iOS exploit kits. Security experts suspect that the highly sophisticated spyware escaped from the US government and are warning iOS users to update their devices to the latest version.

Two separate reports warn of a new and powerful exploit kit targeting Apple iPhone models: one from Google Threat Intelligence Group (GTIG) and another from iVerify, a cybersecurity firm.

The exploit kit, dubbed “Coruna,” gives attackers five different attack sequences (exploit chains), and a total of 23 exploits – an unusually large and sophisticated arsenal.


All it takes to compromise the device is for the victim to visit a website where the malicious code is injected – the kit can silently compromise iPhones running iOS versions released from 2019 through December 2023. The latest affected iOS version is 17.2.1.

“This is the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state,” iVerify warns.


Hackers around the world have been using Coruna as a “second-hand” exploit kit. Chinese scam websites have been littered with it. A Russian espionage group deployed the kit against Ukrainians.

It’s unclear how cybercriminals got their hands on this powerful toolchain, which has extensive documentation authored in native English.

“Multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities,” the researchers from GTIG warn in a report on Coruna.

Google alerts iPhone users to update their devices to the latest iOS versions, or use “Lockdown Mode.”

Wired quotes iVerify as saying that Coruna has already affected around 42,000 devices through financially motivated actors alone.


The hackers using Coruna didn’t build it – who did?

The kit was likely developed by a commercial spyware vendor that sells it to the government.

Google first tracked uses of the kit by a “customer of a surveillance vendor,” before it reached the hands of Russian espionage group hackers.

“In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company,” Google said.

Coruna features extensive documentation, including docstrings and comments in native English, and its core value lies in a comprehensive collection of exploits targeting iOS, now addressed by Apple.

The iVerify researchers assess that Coruna is likely built by a nation-state – they found “similarities to previous frameworks developed by threat actors affiliated with the US government.”


“Despite assurances from commercial spyware developers and the governments that purchase them that use will be limited to counterterrorism, only against criminals and by non-authoritarian administrations, the reality has begun to settle in, once spyware or an exploit capability is sold, control over the end customer is lost,” iVerify states in the report about “First known mass iOS attack.”

The security firm draws a parallel to the NSA’s EternalBlue exploit, which was eventually stolen, leaked, and repurposed in devastating worldwide cyberattacks, including WannaCry and NotPetya.

“While iVerify has some evidence that this tool is a leaked US government framework, that shouldn't overshadow the knowledge that these tools will find their way into the wild,” the report reads.


All data is in danger

Cybercriminals are apparently mass-deploying the Coruna kit, mostly targeting pornography and cryptocurrency websites. The most advanced exploitation techniques in the kit were never public.


Once a victim visits a website with malicious code present, the kit silently checks if the device is in Lockdown Mode or the content is loaded in a private browsing window – the malware bails out in these cases.

All the user sees is the normal expected content. However, within milliseconds the code determines the iPhone model, iOS version, and applicable exploit chain, fires the attack, and gives the attacker complete control of the iPhone.

The Coruna exploit kit embeds several reusable modules to ease exploitation and bypass device security.

Cybercriminals use the kit to deliver PlasmaLoader, which is a financial information stealer. It can decode QR codes from images on disk, analyze text for specific keywords, pull additional modules to empty cryptocurrency wallets, and exfiltrate sensitive information from other apps.


“This malware silently infects devices and automatically steals cryptocurrency and harvests sensitive data, including photographs and emails. The research found that all crypto wallets other than WhatsApp are vulnerable to this attack,” the iVerify researchers noted.

It appears that hackers used LLMs to generate some updates to the malware.


Multiple threat actors are using the kit

According to the report, multiple attackers have already used the Coruna kit.

At the end of 2025, Google identified the malicious JavaScript code dropping the Coruna kit on “a very large set of fake Chinese websites mostly related to finance.” The scammers lure users with fake WEEX crypto exchange websites.

Previously, in summer 2025, the same JavaScript framework appeared as a hidden iframe on many compromised Ukrainian websites, ranging from industrial equipment and retail tools to local services and e-commerce websites. Google suspects that a Russia-linked espionage group, tracked as UNC6353, was responsible for the attacks.


The technique relied on users visiting trusted but compromised websites, known as a watering hole attack.

“How this proliferation occurred is unclear, but it suggests an active market for 'second-hand' zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities,” GTIG said.

Update your device to protect yourself

The vulnerabilities abused by the Coruna kit have been addressed by Apple in software updates, and both security companies recommend users update their devices.

“Generally, spyware attacks lack persistence, meaning that restarting a phone will clear the infection. However, a device can be reinfected if the user visits one of the malicious sites again,” iVerify explains.


Restarting the device wipes the advanced, sophisticated malware that doesn’t write any data to storage. The experts also suggest protecting all critical accounts with two-factor authentication.

“In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security,” Google said.

