Coruna iOS exploit kit may stem from US government hacking tools

Source: PC Gamer

Google Threat Intelligence Group published a report this week on an exploit kit that targets older Apple iPhones. Called Coruna, the framework can affect devices running iOS 13.0 through 17.2.1 and can quietly harvest sensitive data — including photos and emails — and steal cryptocurrency.

GTIG tracked Coruna's use throughout 2025, tracing its start to "highly targeted operations initially conducted by a customer of a surveillance vendor." Researchers say the framework is unlikely to have been built by cybercriminals alone, and iVerify has some evidence that it is a leaked US government framework. The team warns that this possibility should not distract from the risk that such tools will be used by bad actors.

The team extracted the full exploit kit from an attack by UNC6691, a financially motivated threat actor operating from China, and also observed earlier deployments against Ukrainian users by suspected Russian actor UNC6353.
