A significant warning has emerged for iPhone users regarding a sophisticated cyberscam, reportedly linked to the US government, which can hijack devices through various vulnerabilities. The software kit, referred to as Coruna, exploits an alarming 23 different weaknesses to infiltrate iPhones, as highlighted in a public service announcement by Google.
This advanced malware particularly targets Apple’s Safari browser, allowing attackers to initiate the exploit through five different methods, starting with a simple click on a dangerous link. Once activated, Coruna bypasses the security measures of the iPhone, enabling malicious actors to extract snippets of text and potentially access sensitive information, including financial details.
According to experts, the intricacies of this exploit kit are highly sophisticated. Google noted that “the framework surrounding the exploit kit is extremely well engineered,” as all components are seamlessly connected and utilize established utility and exploitation frameworks. Unlike standard malware that targets specific users or operates with one-time links, this toolkit can compromise any visitor to a website that is vulnerable on older iOS models.
The origins of this exploit have been traced back to international cybercriminals, including notable Russian espionage groups and Chinese scammers involved in cryptocurrency schemes. First identified by Google in early February 2025, there are theories suggesting that the spyware began as a tool developed by the US government but was subsequently leaked, allowing global cybercriminals to use it for nefarious purposes.
For instance, reports indicate that in July 2025, a Russian cyber espionage network utilized Coruna to take control of Ukrainian websites, while Chinese hackers allegedly employed it to conduct fraudulent cryptocurrency exchanges, affecting users indiscriminately.
Experts from mobile security firm iVerify assert that the kit does not target specific individuals; rather, any user visiting a compromised site with a vulnerable iOS version may become infected. They reported the unsettling possibility of repeated reinfection on their devices, demonstrating the widespread threat posed by this exploit.
Fortunately, the Coruna exploit is primarily effective against iPhones operating on older iOS versions, specifically those from 13 to 17.2.1, with the latter version released in 2023. In light of these developments, Google is urging users to update their devices to the latest iOS version to fortify themselves against potential exploitation.
For those who cannot update, Google recommends activating Lockdown Mode, a feature introduced by Apple in 2022, designed to bolster security against spyware threats.
