On March 3, 2026, Google Threat Intelligence Group (GTIG) disclosed Coruna, a highly sophisticated iOS exploit kit that targeted iPhones running iOS 13.0 through 17.2.1. According to Google, the kit included five full exploit chains and 23 exploits, making it one of the most comprehensive iPhone attack frameworks publicly documented in recent years. Google also said Coruna is not effective against the latest iOS versions, and urged users to update immediately or enable Lockdown Mode where patching is not possible.
What makes Coruna especially important is not just its technical sophistication, but its journey across the threat landscape. Google tracked it first in highly targeted activity linked to a customer of a surveillance vendor, then in watering-hole attacks aimed at Ukrainian users, and later in broader financially motivated campaigns tied to Chinese scam infrastructure. That progression suggests a troubling pattern: elite offensive capability can leak, be resold, or otherwise proliferate into the hands of espionage actors and eventually cybercriminals.
For cybersecurity professionals, Coruna is a case study in exploit commoditization. For consumers, it is a reminder that mobile devices are no longer “safer by default” simply because they are locked-down ecosystems. If a victim visited a malicious or compromised site on a vulnerable iPhone, Coruna could deliver a full chain from browser exploitation to deeper device compromise. In other words, this was not just another scam page; it was a delivery platform for advanced iPhone intrusion.
A major technical strength of Coruna was its modular engineering. Google described a framework that fingerprinted devices, identified the exact iPhone model and iOS version, then selected the correct WebKit remote-code-execution exploit and a matching pointer authentication code bypass. The framework used hashed resource references, a hard-coded cookie, encrypted payload blobs, custom metadata, and even a bespoke file format. These are signs of a mature development effort rather than opportunistic malware assembly.
The exploit kit also showed strong operational awareness. Google found that Coruna would bail out if the device was in Lockdown Mode or the user was in private browsing. That matters because Lockdown Mode is Apple’s extreme hardening option for people who may face sophisticated, spyware-grade threats. Apple says the feature is specifically designed for users at risk of advanced attacks, and it restricts parts of the system that are often targeted in real-world exploit chains.
One of the most notable findings was the use of CVE-2024-23222, a WebKit flaw that Google said was delivered in the wild against iOS 17.2-era devices. Apple’s security documentation shows that iOS 17.3 addressed CVE-2024-23222 in January 2024. Google’s reporting indicates Coruna integrated that and multiple other browser, sandbox, privilege-escalation, and mitigation-bypass components into version-specific chains covering several generations of iPhones and iOS releases.
Another striking aspect is the payload objective. Many commercial spyware operations focus on communications, surveillance, and persistent access. In Coruna’s later criminal use, however, Google recovered payloads designed to steal financial and cryptocurrency-related data. The malware searched for BIP39 recovery phrases, keywords such as “backup phrase” and “bank account,” decoded QR codes from stored images, and targeted wallet apps including MetaMask, Phantom, Trust Wallet, Exodus, Uniswap, and others. This shift from surveillance-grade access to direct financial theft is what turns Coruna from a nation-state style concern into a mainstream cybercrime warning.
For defenders, Coruna reinforces several practical lessons. First, mobile threat hunting must mature. Traditional enterprise security still tends to prioritize endpoints such as laptops and servers, while mobile telemetry remains thin in many organizations. Yet Coruna shows that an iPhone can be the initial access point, the surveillance target, and the financial theft vector all at once. Second, defenders need to treat watering holes, scam infrastructure, and mobile browser exploitation as connected problems rather than separate categories. Google’s timeline shows the same core framework surfacing in different campaigns and with different operators.
For consumers and executives, the message is simpler: patching speed matters. Coruna affected a wide swath of iOS versions, but Google explicitly states the kit does not work on the latest iOS builds. Users who delay updates, keep older devices in service, or place their trust in fake finance and crypto brands face much higher risk. Anyone who handles sensitive communications, cryptocurrency, activism, journalism, executive decision-making, or government-related work should also consider Lockdown Mode as a realistic defensive measure rather than an exotic feature.
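The patching point above is easy to act on at fleet scale once you compare iOS versions correctly. The following is an added example, not code from Google's report or from the article: it takes a device inventory (the rows are constructed sample data, as an MDM export might provide) and sorts each device by whether its iOS build falls inside the 13.0 through 17.2.1 range the article reports as affected. Versions are compared numerically so that a build like 17.10 is not mistaken for being older than 17.9, and devices below the range or with unparseable version strings are reported separately rather than silently treated as safe. The range check reflects only what the article states; it is a triage filter, not proof that a build above 17.2.1 carries every relevant fix.

```python
"""Triage an iOS device inventory against the Coruna-affected version range.

Added example. The affected range (13.0 through 17.2.1) comes from the article;
the inventory rows below are constructed sample data, not real devices.
"""

from __future__ import annotations

AFFECTED_MIN = (13, 0, 0)   # iOS 13.0, per the article
AFFECTED_MAX = (17, 2, 1)   # iOS 17.2.1, per the article


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1' or '17.2' into a (major, minor, patch) tuple.

    Missing components default to 0, so '17.2' == '17.2.0'. Comparing tuples of
    ints avoids the string-ordering trap where '17.10' sorts before '17.9'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return one of 'affected', 'above_range', 'below_range', 'unknown'."""
    try:
        v = parse_ios_version(version)
    except ValueError:
        return "unknown"          # bad inventory data: never assume safe
    if v < AFFECTED_MIN:
        return "below_range"      # older than the kit targeted; still unsupported
    if v > AFFECTED_MAX:
        return "above_range"      # outside the reported range
    return "affected"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket (device_id, ios_version) rows by classification, preserving order."""
    report: dict[str, list[str]] = {
        "affected": [], "above_range": [], "below_range": [], "unknown": [],
    }
    for device_id, version in inventory:
        report[classify(version)].append(device_id)
    return report


# Constructed sample inventory (hypothetical device ids and builds).
SAMPLE_INVENTORY = [
    ("ip-001", "17.2.1"),   # last build inside the reported range
    ("ip-002", "17.3"),     # first build above it (where CVE-2024-23222 was fixed)
    ("ip-003", "16.7.5"),   # older branch, inside the range
    ("ip-004", "12.5.7"),   # below the range entirely
    ("ip-005", "17.2"),     # parsed as 17.2.0, inside the range
    ("ip-006", "unknown"),  # unparseable entry from the export
]


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
```

Feed the output's "affected" and "unknown" buckets into whatever update-enforcement or follow-up process your MDM supports; the "below_range" bucket is worth its own review, since those devices are out of the kit's reported scope but also out of Apple's update path.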
The broader industry lesson is even more uncomfortable. Coruna appears to illustrate a secondary market for advanced exploitation, where zero-day-grade techniques and mature exploit frameworks may move beyond their original operators. Whether through resale, theft, leakage, or reuse by contractors and customers, the result is the same: capability spreads faster than defense. That is why Google framed this disclosure not only as a technical report, but also as part of a wider push to limit harms from the spyware ecosystem.
Coruna is therefore more than a story about iPhones. It is a warning about the lifecycle of offensive cyber capability. The old assumption was that the most advanced mobile exploits stayed inside rare, tightly controlled operations. Coruna suggests the opposite: once these tools escape that world, they can be adapted for espionage, fraud, and theft at much larger scale. For security teams, that means investing more seriously in mobile visibility and response. For users, it means doing the basics without delay: update iOS, avoid untrusted links and finance-themed scam sites, and enable stronger protections when your risk profile demands it.
FAQ
1. What is Coruna in simple terms?
Coruna is a sophisticated iPhone exploit kit disclosed by Google in March 2026. It combined 23 exploits into five attack chains that could target iPhones running iOS 13.0 through 17.2.1.
2. Who used Coruna?
Google says Coruna appeared first in targeted activity involving a surveillance vendor’s customer, later in attacks on Ukrainian users, and later still in financially motivated campaigns linked to Chinese scam infrastructure.
3. Are current iPhones still vulnerable?
Google says Coruna is not effective against the latest version of iOS. Apple had already patched at least some of the vulnerabilities used in the chains, including CVE-2024-23222 in iOS 17.3.
4. What should users and companies do now?
Update iPhones to the latest iOS version, treat mobile browsing as a serious attack surface, avoid suspicious finance or crypto sites, and enable Lockdown Mode for users at elevated risk of targeted attacks.
