Outdated iPhones at Risk as Coruna Exploit Kit Spreads Online

By Sophia Taylor

A newly uncovered hacking toolkit called Coruna highlights a simple but important cybersecurity lesson: delaying software updates can leave smartphones exposed.

Researchers from Google’s Threat Intelligence Group discovered the toolkit targeting iPhones running iOS 13 through iOS 17.2.1, meaning devices that haven’t been updated since late 2023 could still be vulnerable.

Coruna isn’t a single vulnerability but a full exploit kit containing 23 different exploits combined into five attack chains. These chains allow attackers to target a range of iPhone models and software versions.

Some of the techniques rely on sophisticated exploitation methods, suggesting the toolkit was originally developed with significant resources.

Researchers believe the toolkit may have first been created for a surveillance customer. Over time, however, the technology appears to have spread between different threat actors, showing how advanced hacking tools can eventually end up in broader criminal campaigns.

From surveillance tool to cybercrime weapon

Google researchers tracked Coruna across several phases throughout 2025. The earliest activity was linked to a customer of a commercial surveillance vendor that deployed the exploit framework in targeted attacks.

Later in the year, the same toolkit appeared in operations linked to a suspected Russian espionage group. In this campaign, malicious code was injected into compromised Ukrainian websites. The attacks were carefully targeted, only delivering the exploit to iPhone users located in certain regions.

By the end of 2025, the exploit kit was being used in wider cybercriminal activity. Investigators discovered it hosted on large networks of fake financial and cryptocurrency websites, many designed to trick users into visiting from an iPhone. Unlike earlier campaigns, these sites attempted to infect any vulnerable device that loaded the page.

Fig 1. The history of Coruna usage. (Source: Google Threat Intelligence)

How the infection works

The attack can begin simply by visiting a malicious webpage using Safari on a vulnerable iPhone. The exploit framework first collects information about the device, including the model and iOS version, to determine which vulnerability to deploy.

Once the correct exploit is triggered, the attack chain attempts to gain deeper system access and bypass Apple’s built-in protections. If successful, the exploit installs a background payload called PlasmaLoader, which runs with high privileges on the device.

PlasmaLoader can download additional modules and scan text stored on the device for valuable information.

Researchers say the malware searches for financial details and cryptocurrency recovery phrases, including data stored in Apple Notes. It can also target several cryptocurrency wallet apps in an effort to steal sensitive information.

Fig 2. A fake popup to direct users to the exploit. (Source: Google Threat Intelligence)

What iPhone users should do now

Despite the sophistication of the exploit kit, there is some reassuring news for users. The vulnerabilities used by Coruna have already been patched in newer versions of iOS, meaning devices running the latest software are not affected.

We strongly recommend updating iPhones to the newest available iOS version as soon as possible. For users who cannot install newer software—often because their device is too old—Apple’s Lockdown Mode can provide additional protection against spyware-style attacks.
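
For anyone responsible for more than one device, the affected range reported above (iOS 13 through iOS 17.2.1) can be checked against a device inventory. The following is an added example, not code from this article or from Google's report; the CSV column names and device entries are constructed assumptions. It compares version numbers only and does not know which point releases on older iOS branches carry fixes.

```python
import csv
import io

# Range stated in the article: iOS 13 through iOS 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """\
device_id,model,os_version,lockdown_mode
dev-001,iPhone 8,16.6,false
dev-002,iPhone 11,17.2.1,false
dev-003,iPhone 13,17.3,false
dev-004,iPhone XS,16.1.2,true
dev-005,iPhone 15,18.1,false
dev-006,iPhone XR,17.2,false
dev-007,iPhone 12,,false
dev-008,iPhone 14,17.10,false
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "17.2" -> (17, 2, 0)

def triage(row):
    """Classify one inventory row by version number only."""
    version = parse_version(row["os_version"])
    if version is None:
        return "unknown"            # cannot decide: needs manual review
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-range"      # numeric compare, so 17.10 sorts after 17.2.1
    if row["lockdown_mode"].strip().lower() == "true":
        return "in-range-lockdown"  # still needs the update; Lockdown Mode is on
    return "in-range"               # update first

def triage_inventory(csv_text):
    """Map each device_id in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: triage(row) for row in reader}

if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(device, status)
```

Rows reported as `unknown` should be reviewed by hand rather than treated as unaffected.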

The discovery of Coruna is a reminder that powerful hacking tools do not always remain in the hands of a single group. Once these capabilities spread, they can quickly be reused by other attackers. Keeping devices updated and avoiding suspicious financial or cryptocurrency websites remain two of the simplest ways to stay protected.