Hacking tool with possible US origins targets outdated iPhones
Publish Date: 2026-03-04 04:05:00
Source Domain: www.siliconrepublic.com
iPhone users should update their device to the latest iOS version to protect against such exploits.
Outdated iPhones are being targeted by a new and powerful exploit kit called ‘Coruna’, with potential nation-state origins.
According to Google Threat Intelligence Group (GTIG), Coruna targets iPhone models running iOS 13.0 up to version 17.2.1.
Essentially, the kit infects outdated iPhones that visit certain websites. The exploit does not contain any specific targeting or one-time links, meaning anyone who visits such a website with a vulnerable iOS version could be infected. A device could also be re-infected multiple times.
“This is not typical for targeted attacks used by nation-states, but rather e-criminal groups,” noted iVerify.
GTIG said Coruna is a significant example of spyware tech going from commercial surveillance vendors to nation-state actors, and then to mass-scale criminal operations. iVerify, meanwhile, linked the exploit toolkit to the US government.
“It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” iVerify co-founder Rocky Cole said in a statement.
“This is the first example we’ve seen of very likely US government tools – based on what the code is telling us – spinning out of control and being used by both our adversaries and cybercriminal groups.”
iVerify also confirmed that this is the first time mass exploitation against iOS devices has been publicly observed.
According to the cybersecurity experts, Coruna’s value lies in its comprehensive collection of iOS exploits, with the most advanced tools using non-public exploitation techniques and mitigation bypasses.
In one instance, GTIG observed that the toolkit was used by a suspected Russian espionage group to target Ukrainian users, while later, it was being operated by a financially motivated threat actor operating from…