Coruna iOS Zero-Click Exploit: How It Leaked [Explained]

Have you ever wondered what happens when a top-secret digital weapon falls into the wrong hands? Imagine simply visiting a normal website on your iPhone, and without you tapping or downloading a single thing, your device is silently compromised. It sounds like a Hollywood spy thriller, but this is the terrifying reality of a newly uncovered threat. According to recent findings from Google’s Threat Intelligence Group and mobile security firm iVerify, a highly sophisticated iPhone hacking toolkit has escaped its original creators and is now wreaking havoc across the globe.

What Is the ‘Coruna’ iOS Exploit Kit?

Security researchers have dubbed this malware toolkit “Coruna.” It is essentially a digital master key for older Apple devices, packing 23 distinct vulnerabilities targeting iPhones running iOS 13 through 17.2.1. For years, we have been taught that as long as we don’t click suspicious links or download shady apps, our devices are relatively safe. Coruna throws that conventional wisdom out the window.

The scariest part of this toolkit is that it relies on a “zero-click” exploit. This means the malware can be silently installed on a victim’s iPhone simply when the victim visits a compromised website. No user interaction, no pop-ups, and no warnings are required. Once the page loads, the phone is infected.

How Did U.S. Military Tech Reach Russian Spies?

So, who builds a tool this powerful? According to reports, the original developer of these government-grade hacking tools was likely U.S. military defense contractor L3Harris. The offensive cybersecurity market operates in the shadows, creating digital lockpicks meant for national security and intelligence gathering. But in a massive custody failure, the Coruna toolkit leaked.

The proliferation of this toolkit highlights a systemic risk in cyber warfare: advanced weapons developed for Western intelligence can, and do, leak to foreign adversaries. The toolkit shares core components with “Operation Triangulation,” a 2023 mobile malware campaign that Russian officials previously blamed on the NSA. Recently, a suspected Russian espionage group known as UNC6353 was caught using the Coruna toolkit against Ukrainian targets. This represents a rare, well-documented case of a U.S. cyber weapon escaping controlled channels and being turned against strategic allies.

Why Are Cybercriminals Using Spying Tools for Crypto Scams?

The journey of this cyber weapon didn’t stop with international espionage. Eventually, the toolkit trickled down to a Chinese cybercriminal group. Why? Pure profit. These scammers repurposed the sophisticated military software to infect approximately 42,000 devices, primarily to execute lucrative cryptocurrency scams.

It is a fascinating and terrifying trickle-down effect. What starts as a million-dollar tool used for high-stakes geopolitical espionage eventually becomes a cheap utility for stealing digital wallets. As iVerify researchers noted, “This is the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state.”

How Can You Protect Your iPhone from Zero-Click Attacks?

If you are feeling a bit paranoid right now, take a deep breath. Apple has already patched the 23 underlying vulnerabilities in newer iOS updates, rendering the Coruna exploit completely ineffective on the latest operating systems. The simplest defense is keeping your device up to date.

However, the broader threat landscape is rapidly shifting. The Google Threat Intelligence Group warned that “multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.” To defend against similar invisible attacks, cybersecurity experts and Google urge high-risk users to update their devices immediately. Furthermore, if you are a journalist, activist, or political figure, enabling Apple’s “Lockdown Mode” is highly recommended to proactively block these zero-click threats.
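For anyone managing more than one iPhone, the update advice above becomes an inventory question: which devices still report an iOS version inside the affected range of 13 through 17.2.1? The following is an added example, not code from Google, iVerify or Apple. It assumes a device-management export with hypothetical `device` and `os_version` columns, and the sample inventory is constructed. Because the article does not name the fixed release, the script only flags versions inside the stated range.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13 through 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

def parse_ios_version(text):
    """Return (major, minor, patch) as integers, or None if unparseable."""
    m = re.fullmatch(r"\s*(?:iOS\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*",
                     text, re.IGNORECASE)
    if not m:
        return None
    # Missing components count as 0, so "16.7" becomes (16, 7, 0).
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(version_text):
    v = parse_ios_version(version_text)
    if v is None:
        return "unknown"            # needs manual follow-up
    # Compare as integer tuples: as plain strings, "17.10" sorts before "17.2.1".
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "in-affected-range"
    if v < AFFECTED_MIN:
        return "older-than-range"   # the article makes no claim about these
    return "newer-than-range"

def triage(csv_text):
    """Map each device name to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: classify(r["os_version"]) for r in rows}

# Constructed sample inventory; column names and version strings are
# assumptions chosen to exercise the edge cases, not real export data.
SAMPLE_INVENTORY = """device,os_version
phone-a,17.2.1
phone-b,17.10
phone-c,iOS 16.7
phone-d,18.1
phone-e,12.5.7
phone-f,n/a
phone-g,17.3
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reported as `in-affected-range` or `unknown` are the ones to update or check by hand first.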

Between the Lines

The leak of the Coruna toolkit is a watershed moment that permanently shatters the illusion of secure custody in the offensive cyber weapon market. Defense contractors like L3Harris will inevitably face intense scrutiny and likely stricter government oversight regarding how they store and control their zero-day arsenals. The ultimate winners here are mobile security startups, who now have a terrifyingly clear use-case to pitch proactive enterprise mobile defense solutions to corporate boards. When nation-state malware trickles down to common crypto scammers, we are no longer defending against isolated spies—we are facing a commoditized arms race where every unpatched smartphone is potential collateral damage.