Sophisticated "Coruna" iPhone Exploit Kit Linked to US Intelligence Leaked to Global Espionage and Cybercrime Networks

Elite "Coruna" iPhone hacking kit linked to US tools leaks to Russian spies and Chinese criminals. Over 42,000 devices infected via Safari vulnerabilities.

By: AXL Media

Published: Mar 5, 2026, 4:17 AM EST

Source: The information in this article was sourced from BetaNews


Global Proliferation of Elite Surveillance Tools Threatens Mobile Security

The digital landscape faced a major upheaval on Thursday as researchers from Google and iVerify revealed the widespread leak of "Coruna," a professional-grade iPhone exploit kit. Originally identified in early 2025 during a government-backed surveillance operation, the toolkit has since escaped its original handlers and appeared in Russian espionage campaigns and Chinese cryptocurrency theft rings. According to security analysts, Coruna draws on a library of 23 vulnerabilities to build five distinct attack chains, allowing hackers to compromise iPhones silently. This development marks a rare instance where elite tools, likely developed with multimillion-dollar budgets, have "spun out of control" and ended up in the hands of global adversaries and financially motivated criminals.

Sophisticated Zero-Click Architecture Bypasses Modern iOS Defenses

Coruna operates as a "watering hole" framework, infecting legitimate websites to fingerprint and attack visiting devices automatically. The toolkit targets iPhones running older software versions, specifically iOS 13 through iOS 17.2.1, by exploiting weaknesses in Apple’s WebKit browser engine. When a target loads a compromised page, the system identifies the device model and selects the most effective exploit chain to achieve remote code execution. Security experts noted that the framework is unusually cohesive, suggesting it was written as a single, professional software package rather than a collection of disparate hacks. Notably, devices with Apple's "Lockdown Mode" enabled remained protected, as the toolkit is programmed to abort attacks when it detects this high-security setting.

Espionage Campaigns Target Ukrainian Infrastructure and Industry

Following its initial discovery, the Coruna toolkit resurfaced in a suspected Russian intelligence operation targeting Ukrainian citizens. Attackers embedded the malicious code within visitor-counting components on various Ukrainian e-commerce and industrial retail sites. To maintain a low profile, the group utilized geolocation filtering to serve the exploit exclusively to selected visitors. According to Google’s Threat Intelligence Group, this targeted approach allowed the actors to conduct surveillance on specific individuals without alerting the broader cybersecurity community. This phase of...
