Google Threat Intelligence Group and iVerify published coordinated research today exposing Coruna, a sophisticated iOS exploit kit containing five complete exploit chains and 23 separate vulnerabilities. The kit targets iPhones running iOS 13.0 through iOS 17.2.1. It has already compromised an estimated 42,000 devices.
That's alarming on its own. What makes Coruna a different kind of story is where it came from and where it ended up.
From Surveillance to Espionage to Crypto Scams
Over the course of 2025, Google tracked Coruna through three distinct hands. In February, it appeared in a targeted operation conducted by a customer of a commercial surveillance vendor: a government using purchased exploit tools against a specific target. By summer, the same exploit kit surfaced on compromised Ukrainian websites, deployed by UNC6353, a suspected Russian intelligence group, in watering hole attacks against Ukrainian users. By December, Coruna had proliferated again, this time to UNC6691, a financially motivated Chinese threat actor running fake cryptocurrency and gambling sites designed to infect any visiting iPhone indiscriminately.
Government surveillance tool. Espionage weapon. Mass criminal exploit. In under a year.
The U.S. Connection
iVerify's reverse engineering of Coruna found native-level English documentation, internal jokes, and code quality that co-founder Rocky Cole described as "superb" and "elegantly written", bearing "the characteristics of other modules that have been publicly connected to the U.S. government." Google's analysis confirmed that two of Coruna's exploits, codenamed Photon and Gallium, exploit the same vulnerabilities used in Operation Triangulation, a hacking campaign that Kaspersky attributed to the U.S. government in 2023.
Cole estimated the framework "required millions of dollars for its development." This wasn't cobbled together by a freelance exploit developer. Someone invested nation-state resources into building it.
And then lost control of it.
We've Seen This Movie Before
Rocky Cole drew the comparison himself: this is an "EternalBlue moment" for mobile.
In 2017, the NSA's EternalBlue exploit leaked through the Shadow Brokers and became the engine behind WannaCry and NotPetya, two of the most destructive cyberattacks in history. A tool built for targeted intelligence operations went criminal and caused an estimated $10 billion in global damage. The pattern is now well established. The question is why we keep repeating it.
The EOD Lesson Cyber Refuses to Learn
I spent eight years in Navy Explosive Ordnance Disposal. The first principle of weapons handling is simple: every weapon you deploy can become an enemy weapon. Unexploded ordnance kills civilians decades after conflicts end. The military built an entire discipline around this reality. You don't leave weapons on the battlefield.
In cyberspace, we do exactly that.
Government agencies build the most sophisticated offensive tools ever created, deploy them against targets, and then watch them proliferate through what Google now describes as an "active market for 'second hand' zero-day exploits." This isn't an isolated leak like the Shadow Brokers. Google's language suggests a commercial ecosystem where exploits change hands through transactions, not just theft.
The physical weapons equivalent would be selling surplus cruise missiles on the open market and hoping buyers use them responsibly. No defense ministry would tolerate that. In cyberspace, we tolerate it as the cost of doing business.
What Coruna Actually Does
The end-stage payload, called PlasmaLoader, injects itself into a root-level iOS daemon and begins scanning for financial data. It searches device photos for QR codes, scans Apple Memos for seed phrases and banking keywords, and deploys dedicated hooking modules for 16 cryptocurrency wallets including MetaMask, Phantom, Trust Wallet, and Uniswap.
The same industrial-scale credential harvesting infrastructure I wrote about in the infostealer epidemic is now running on government-grade exploit tooling. The difference is that infostealers require tricking users into installing malware. Coruna doesn't. Visiting a website is enough.
Where VoidLink's AI-generated framework demonstrated that building sophisticated malware is no longer the bottleneck, Coruna shows that the most dangerous tools are still the ones built with nation-state resources, then lost.
iVerify described it as the "first known mass iOS attack" of its kind. The criminal variant ran on fake financial websites targeting Chinese-speaking users, but the exploit kit itself was indiscriminate. No social engineering required. No app to install. Just a browser visit.
What This Means for Enterprises
If your organization has employees running iOS 17.2.1 or older, you are in the blast radius. Not because you're a government target. Because the tools built for government targeting are now in criminal hands, deployed at scale.
Three actions matter right now:
Enforce iOS updates aggressively. Coruna doesn't work against iOS 17.3 or later. The current release is iOS 26. But Google notes that 5% of iPhone users in China alone still run vulnerable versions, and enterprise BYOD environments are no better at enforcing update compliance.
Enable Lockdown Mode for high-risk users. Google confirmed that Coruna explicitly checks for Lockdown Mode and aborts if it's enabled. This is the first widely documented case of a real-world exploit kit being stopped by Apple's Lockdown Mode in mass deployment.
Treat mobile as a first-class attack surface. Most enterprise security architectures still treat phones as endpoints that access corporate resources, not as targets in their own right. Coruna changes the calculus. A compromised iPhone isn't just a risk to corporate email; it's a root-level implant with module-loading capabilities.
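The first two actions are only actionable if you can see which devices actually sit in the affected range and which of those already have Lockdown Mode on. The script below, an added example that is not part of the original post and not code from Google or iVerify, triages a constructed MDM-style inventory against the facts the post states: iOS 13.0 through 17.2.1 is affected, 17.3 and later is not, and the kit aborts when Lockdown Mode is enabled. The `Device` fields, the bucket names and the sample rows are assumptions; the version-tuple comparison is the one detail worth copying, because comparing "17.10" and "17.3" as strings gets the answer backwards.

```python
"""Triage an iOS device inventory for exposure to the Coruna exploit kit.

Added example; the inventory schema and sample rows are assumptions, not real
devices or a real MDM export. Facts used from the post: affected range is
iOS 13.0 through 17.2.1, iOS 17.3+ is unaffected, Lockdown Mode stops the kit.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

MIN_VULN: Version = (13, 0, 0)     # oldest affected release stated in the post
MAX_VULN: Version = (17, 2, 1)     # newest affected release (inclusive)
PATCHED_MIN: Version = (17, 3, 0)  # first release the post says is not affected


def parse_ios_version(text: str) -> Version:
    """Turn '17.2.1' or '17.3' into a comparable (major, minor, patch) tuple.

    Lexical comparison is the classic mistake here: '17.10' < '17.3' as
    strings, but 17.10 is the newer release. Integer tuples compare correctly.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable_version(text: str) -> bool:
    """True when the version falls inside the affected range."""
    return MIN_VULN <= parse_ios_version(text) <= MAX_VULN


@dataclass
class Device:
    device_id: str      # assumed inventory field names
    user: str
    ios_version: str
    lockdown_mode: bool


def classify(device: Device) -> str:
    """Risk bucket for one device.

    exposed      : affected version, Lockdown Mode off (a browser visit suffices)
    mitigated    : affected version, Lockdown Mode on (kit aborts)
    patched      : iOS 17.3 or later
    out_of_range : older than iOS 13.0; outside the stated range, still needs updating
    unknown      : version string could not be parsed; chase it down
    """
    try:
        version = parse_ios_version(device.ios_version)
    except ValueError:
        return "unknown"
    if version >= PATCHED_MIN:
        return "patched"
    if MIN_VULN <= version <= MAX_VULN:
        return "mitigated" if device.lockdown_mode else "exposed"
    return "out_of_range"


def triage(devices: Iterable[Device]) -> Dict[str, List[str]]:
    """Group device ids by risk bucket, most urgent bucket first."""
    buckets: Dict[str, List[str]] = {
        "exposed": [], "mitigated": [], "out_of_range": [], "unknown": [], "patched": [],
    }
    for d in devices:
        buckets[classify(d)].append(d.device_id)
    return buckets


def needs_update(devices: Iterable[Device]) -> List[str]:
    """Every parseable device below iOS 17.3, regardless of Lockdown Mode."""
    return [d.device_id for d in devices if classify(d) not in ("patched", "unknown")]


# Constructed sample inventory (not real devices or users).
SAMPLE_INVENTORY = [
    Device("ios-001", "alice", "17.2.1", lockdown_mode=False),
    Device("ios-002", "bob", "17.3", lockdown_mode=False),
    Device("ios-003", "carol", "16.7.10", lockdown_mode=True),
    Device("ios-004", "dave", "12.5.7", lockdown_mode=False),
    Device("ios-005", "erin", "17.10", lockdown_mode=False),
    Device("ios-006", "frank", "n/a", lockdown_mode=False),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>12}: {', '.join(ids) or '-'}")
    print(f"needs update: {', '.join(needs_update(SAMPLE_INVENTORY))}")
```

Feed it your own export by building `Device` rows from whatever your MDM reports as the OS version and Lockdown Mode state; the "exposed" bucket is the list to update first, and "mitigated" devices still belong on the update list because Lockdown Mode is a stopgap, not a patch.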
The Proliferation Problem Nobody Solves
Google has been participating in the Pall Mall Process, an international framework aimed at limiting the harms of commercial spyware. But Coruna reveals a problem that goes beyond commercial surveillance vendors. The toolkit appears to have originated from a government program, not a private company. The proliferation path wasn't Hacking Team getting breached or NSO Group selling to bad actors. It was something murkier: sophisticated capabilities entering a secondhand market that nobody monitors.
Until offensive cyber programs adopt the same weapons accountability standards that every other military domain requires, we will keep seeing this pattern. A capability built for precision targeting will end up as a blunt instrument for mass exploitation. The progression from surveillance vendor to espionage group to crypto scammer isn't a failure of one organization. It's a structural failure of how we think about cyber weapons.
Coruna is EternalBlue for mobile. And like EternalBlue, the real damage starts after the tools leave their creators' hands.