How did the 'Coruna' iPhone exploit spread?

A sophisticated exploit kit reaches wider hands

Security researchers discovered a highly capable iPhone exploitation toolkit known as Coruna that has been used to hijack devices via malicious websites. The toolkit chains multiple, complex vulnerabilities to gain deep control of targeted iPhones — typically those running older, unpatched versions of iOS — and it has been observed moving from suspected government use into the hands of foreign intelligence services and criminal groups.

What researchers found

• Coruna operates as a packaged exploit kit that can be delivered by visiting compromised or malicious webpages;
• technical analysis shows it uses advanced, multi‑stage exploitation techniques that go well beyond ordinary consumer malware;
• indicators suggest the toolkit may have been developed originally for government use, though attribution is not definitive.

Practical consequences and guidance

1. Scale: The toolkit appears to have infected a substantial number of devices once it escaped tightly controlled environments, increasing its impact beyond the original target set.
2. Target profile: Phones running older OS versions are most at risk because the exploit relies on vulnerabilities fixed by later patches.
3. Mitigations: Updating devices as soon as vendor patches are available, avoiding unknown links and websites, and using browser protections and mobile security tooling are the most reliable defenses.

It’s still unclear which organizations first developed the kit and exactly how broadly it has been repurposed. The spread shows how powerful offensive toolsets, once leaked or resold, can quickly amplify global cyber risk. Vendors and users should prioritize patching and threat monitoring while investigators work to map the full scope of the compromise.