iPhone Apocalypse: Government-Grade Hacking Tools Unleashed on the Public

Key Takeaways
- Highly potent iPhone hacking tools, dubbed Coruna, are now in the hands of cybercriminals.
- The exploit kit targets iPhones running iOS versions 13 through 17.2.1, exploiting a chain of 23 vulnerabilities.
- Evidence suggests the tools may have originated from a U.S. government source, highlighting the risk of leaked state-sponsored exploits.
- The Coruna kit is being used in diverse attacks, ranging from espionage against Ukrainian users to financially motivated hacks in China.
- This incident underscores the growing market for 'secondhand' exploits and the difficulty of containing powerful hacking tools once they are developed.
The security landscape has been shaken by the revelation that a powerful suite of iPhone hacking tools, previously associated with government use, is now actively being deployed by cybercriminals. This exploit kit, known as Coruna, represents a significant threat to iPhone users, particularly those running older versions of iOS. The discovery highlights the inherent risks in developing offensive cyber capabilities, as these tools can easily fall into the wrong hands, with devastating consequences.
Google's security researchers initially uncovered the Coruna exploit kit in February 2025, while investigating a surveillance vendor attempting to deploy spyware on behalf of a government client. Subsequent investigations found the same toolkit being used in a large-scale espionage campaign targeting Ukrainian users, allegedly by a Russian-backed group. Further analysis showed a financially motivated hacker in China also using the Coruna kit, demonstrating its widespread availability and appeal to diverse threat actors.
The Coruna exploit kit is highly sophisticated: it bypasses iPhone security measures simply by luring users to a malicious website, a technique known as a 'watering hole' attack. Once a user visits the infected site, the kit exploits a chain of 23 distinct vulnerabilities to gain complete control of the device. Affected iPhones are those running iOS 13 through version 17.2.1, the latter released in December 2023, so a wide range of users are potentially at risk.
The origin of the leaked tools remains a subject of intense speculation. iVerify, a mobile security firm, has conducted reverse engineering analysis of the Coruna kit and has drawn parallels to hacking tools previously attributed to the U.S. government. While definitive proof remains elusive, this association raises serious questions about the security protocols surrounding government-developed cyber weapons and the potential for these tools to be repurposed for malicious activities.
The incident echoes previous instances of government hacking tools leaking into the public domain. The most notable example is the EternalBlue exploit, developed by the U.S. National Security Agency (NSA), which was stolen and subsequently used in the devastating WannaCry ransomware attack. These events underscore the inherent risks in stockpiling offensive cyber capabilities, as the potential for leakage and misuse is ever-present.
This event also highlights the emerging market for 'secondhand' exploits. As governments and other entities develop and deploy sophisticated hacking tools, a market emerges for these exploits to be resold and reused by financially motivated cybercriminals. This phenomenon dramatically increases the accessibility of advanced hacking techniques, making it easier for malicious actors to target vulnerable systems and individuals.
Why it matters
The proliferation of the Coruna exploit kit represents a significant escalation in the cyber threat landscape. The fact that government-grade hacking tools are now being used by cybercriminals underscores the urgent need for improved security measures, both at the device level and in the development and handling of offensive cyber capabilities. This incident serves as a stark reminder that the tools designed to protect us can also be turned against us, and that constant vigilance and proactive security measures are essential to mitigate the risks.
Alex Chen
Senior Tech Editor. Covering the latest in consumer electronics and software updates. Obsessed with clean code and cleaner desks.