The iPhone is considered one of the most secure smartphones on the market. Apple places great emphasis on data protection, encryption, and regular security updates. Nevertheless, new attack techniques constantly emerge that attempt to exploit vulnerabilities in the system.
A toolkit called Coruna is currently attracting attention in the IT security industry. This toolkit exploits a number of vulnerabilities in older iOS versions and can, under certain circumstances, spread via compromised websites. The fact that the tool is now circulating in criminal circles is particularly problematic.
The analyses also show indications that the toolkit may have originally come from a government environment and was later resold on the black market.
The information on this topic comes from a report by the US magazine Wired. The article is based on technical analyses by the Google Threat Intelligence Group and the security firm iVerify.
Google investigated the technical functionality of the exploit toolkit and its distribution. iVerify additionally analyzed the tool's code and found clues to possible origins and development patterns.
According to the researchers involved, Coruna is a particularly complex attack tool capable of exploiting multiple vulnerabilities simultaneously. It now appears to be widespread in the cybercrime scene and has already been used in various attacks.
The Coruna Toolkit: Structure and Functionality
The Coruna toolkit is an exploit system with five different attack techniques that exploits a total of 23 security vulnerabilities in iOS.
These vulnerabilities primarily affect older versions of the operating system. An attack can potentially be triggered simply by a user with a vulnerable iPhone visiting a compromised website.
The toolkit focuses primarily on vulnerabilities in WebKit. WebKit is Apple's browser engine and a core component of Safari, as well as many other functions in the iPhone system.
By exploiting these vulnerabilities, attackers can gain access to the device and subsequently install further malware or read data.
Affected iOS versions and iPhone devices
According to available analyses, the Coruna toolkit affects iPhones with iOS versions between iOS 13 and iOS 17.2.1. These versions cover a period of:
- September 2019 (iOS 13)
- until December 2023 (iOS 17.2.1)
Devices with these versions may be vulnerable to attack by the toolkit under certain circumstances.
However, Apple has taken security measures. In addition to previous security updates that already closed individual vulnerabilities, the toolkit was specifically neutralized with iOS 26.
According to current figures, 74 percent of iPhones that support iOS 26 had already installed the update by February 12th.
Protective measures for iPhone users
The most important measure for protection against Coruna is an up-to-date operating system. iPhone users should ensure their device is updated to the latest available iOS version.
According to Apple, the update to iOS 26 prevents known exploits from the toolkit from working. Furthermore, iOS includes a special security mode called Lockdown Mode.
This mode is particularly restrictive and limits various functions to prevent targeted cyberattacks. The Coruna Toolkit actively checks whether this mode is enabled. If lockdown mode is activated, the toolkit will not execute an attack.
However, Lockdown Mode is not intended for regular users. It was specifically designed for individuals who are at increased risk of targeted cyberattacks, such as:
- Government members
- Journalists
- Activists
- other publicly exposed persons
For most iPhone users, a current system update is sufficient to be protected.
Indications of a possible origin from the US government
iVerify's findings regarding the possible origin of the tool are particularly interesting.
Security researchers suspect that Coruna was originally developed on behalf of the US government. This assessment is based on several technical clues:
- Similar frameworks to those used in other well-known government exploit tools
- A very high level of technological development
- English comments in the program code
Rocky Cole, co-founder of iVerify, explained that the toolkit had been developed with great care.
In his estimation, the development cost several million dollars and exhibits typical characteristics of modules that have already been publicly attributed to the US government.
Cole also described Coruna as one of the first known examples of such a state tool apparently getting out of control.
Distribution via the black market
The analyses suggest that the toolkit eventually escaped its original environment. According to these findings, the US government may have lost control of the tool through a series of events. Subsequently, the toolkit is believed to have been sold on the black market for several million dollars.
The buyer of the tool apparently tried to recoup the purchase price. To this end, a modified version of the toolkit was resold. Through these resales, Coruna spread increasingly among cybercriminals.
Today, various versions of the toolkit exist, each adapted for different purposes. In some cases, less sophisticated malware was added to the original code.
Previously known attacks with Coruna
The security firm iVerify estimates that approximately 42,000 devices have already been compromised with a specific version of the toolkit. This variant was used in a Chinese-language cyberattack.
Furthermore, according to the analysis, the tool was used in a Russian espionage operation. This operation was allegedly directed against an unknown number of people in Ukraine.
These cases show that the toolkit no longer exists only theoretically, but has already been actively used in real attacks.
Alternative theory on origin
In his analysis, Rocky Cole also mentioned an alternative theory regarding the origin of Coruna. According to this theory, the toolkit could have been assembled from various components of the so-called Operation Triangulation. Russia had previously attributed this operation to US hackers.
However, after closer analysis, iVerify considers this theory unlikely.
The developers of Coruna have created a very unified and technically sophisticated system. This suggests that it is a large-scale project with a substantial budget, and not a collection of individual, assembled modules.
iPhone security: Why regular updates are crucial
The Coruna case demonstrates the risks that can arise when sophisticated hacking tools exist. Even if such tools were originally developed for government investigations or intelligence operations, there is always the possibility that they could fall into the wrong hands.
Apple has repeatedly resisted government demands to build backdoors into iPhone encryption. Such backdoors could pose a long-term security risk, as they could be misused or stolen.
The current situation underscores once again how important regular updates are for the iPhone. As long as devices are kept up to date, many known exploits remain ineffective and the system's security level remains high. (Image: Shutterstock / Pungu x)
- M4 iPad Air: First Geekbench results have surfaced
- Studio Display XDR supports DICOM medical images
- Apple is promoting Mac gaming at GDC 2026
- Studio Display XDR: 120 Hz only with certain Macs
- Studio Display & Studio Display XDR without Intel support
- OpenAI: GPT-5.3 enables better dialogue
- Meta Ray-Ban: Data privacy nightmare revealed
- The Pro Display XDR is being discontinued
- MacBook Air M5: What the new generation brings
- MacBook Pro with M5 Pro & M5 Max officially unveiled
- Apple M5 Pro and M5 Max: More power for professionals
- Apple presents Studio Display & Studio Display XDR
- Apple TV: No third season for Palm Royale
- Anthropic simplifies AI migration with import tool
- Where is the file located? Offline Files knows the answer instantly
- iOS 26.4 Beta 3 is here: Next step towards release
- Paramount plans mega streaming service with HBO
- Apple unveils new accessories for spring 2026
- Will an iPhone 16e case also fit the iPhone 17e?
- iPad Air with M4 is here: Here's what the update offers
- The iPhone 17e is here: Here's what's inside the new model
- Apple TV impresses at international award ceremonies
