Overview
- Google’s Threat Intelligence Group obtained a complete, partially debug-enabled copy of Coruna, documenting five exploit chains and 23 exploits that silently compromise iPhones via web content on iOS 13 through 17.2.1.
- Use of the toolkit progressed from a surveillance‑vendor customer in February 2025 to a suspected Russian espionage campaign against Ukrainian sites in July 2025 and then to criminal distribution on Chinese‑language gambling and crypto sites by December 2025.
- iVerify estimates roughly 42,000 devices were compromised in one criminal campaign, with payload modules that decode QR images and search for wallet recovery phrases to steal data from popular cryptocurrency apps.
- Attribution remains unresolved, though iVerify reports code similarities to previously observed U.S. contractor tooling, and Google warns the proliferation reflects an active market for second‑hand zero‑day exploits.
- Researchers advise updating to the latest iOS; for devices that cannot update, Lockdown Mode or private browsing prevents Coruna’s execution, and Google has added the malicious domains to Safe Browsing.