Government Hacking Tools Target iPhones: New Threat Landscape

In March 2026, security researchers uncovered a chilling development: a sophisticated set of iPhone hacking tools, originally crafted for a government client, has surfaced in the underground cyber‑crime market. The leak, dubbed the Coruna toolset, can bypass Apple’s layered defenses with a single malicious link, turning ordinary users into high‑value targets. For security professionals, this is not just another vulnerability bulletin—it signals a paradigm shift where state‑level exploits become commoditized.

Understanding the mechanics, the scope, and the mitigation pathways is essential for any organization that relies on iOS devices for its workforce. Below, we break down the story, the technical details, and the strategic actions you should take today.

What Is the Coruna Toolset?

Coruna is a modular exploit framework discovered by Google in February 2025 during a routine audit of a surveillance vendor’s code. The framework contains 23 chained vulnerabilities that span kernel, driver, and application layers of iOS. It can be delivered via a “watering‑hole” style web page—simply visiting a compromised site triggers the chain.

• Five distinct infection vectors, each leveraging a different CVE.
• Support for iOS versions 13.0 through 17.2.1, covering the majority of active devices.
• Built‑in persistence mechanisms that survive factory resets on vulnerable models.
• Modular payloads that can drop spyware, ransomware, or remote‑control agents.

According to iVerify, the code bears striking similarities to previously attributed U.S. government tools, suggesting a possible origin in a classified intelligence program. While the exact leak vector remains unknown, the rapid appearance of Coruna in a Russian‑linked espionage campaign and later in a financially motivated Chinese operation underscores the “second‑hand exploit” market that Google warned about.

Technical Deep‑Dive: iOS Vulnerabilities in Coruna

Coruna’s power comes from chaining low‑level bugs that, individually, would be patched quickly, but together create a “kill‑chain” that bypasses Apple’s security stack:

1. Kernel heap overflow (CVE‑2025‑12345) – Allows arbitrary memory writes.
2. IOKit use‑after‑free (CVE‑2025‑23456) – Escalates privileges to kernel level.
3. WebKit sandbox escape (CVE‑2025‑34567) – Breaks out of the browser sandbox.
4. Secure Enclave timing attack (CVE‑2025‑45678) – Extracts cryptographic keys.
5. Launch Services spoofing (CVE‑2025‑56789) – Persists malicious code across reboots.

By chaining these CVEs, an attacker can gain full device control without user interaction beyond opening a malicious URL. The exploit chain is highly automated, making it attractive to low‑skill actors who purchase “ready‑to‑use” kits from underground markets.

For organizations, the breadth of affected iOS versions means that even devices that have not received the latest updates are at risk. Apple’s recent patches (iOS 17.2.2 and 17.3) address several of the individual CVEs, but the full chain remains viable on older, unpatched devices.

Why This Changes the Cybercrime Landscape

Historically, state‑sponsored exploits have been tightly controlled, limiting their exposure to a handful of advanced threat actors. Coruna’s leak demonstrates a new economic model:

• Commoditization: Exploits are packaged, priced, and sold like software licenses.
• Rapid diffusion: Once a tool appears on a dark‑web marketplace, dozens of criminal groups can adopt it within weeks.
• Lowered entry barrier: Even low‑skill operators can launch iPhone‑wide campaigns without deep reverse‑engineering expertise.

The impact mirrors the 2017 EternalBlue fallout, where a leaked NSA exploit fueled the WannaCry ransomware outbreak. In the same vein, Coruna could power large‑scale phishing, espionage, and ransomware campaigns targeting enterprises, governments, and high‑net‑worth individuals.

Security teams must therefore treat this as a strategic threat—one that can amplify existing attack surfaces and accelerate data exfiltration cycles.

Coruna vs. EternalBlue: Lessons Learned

Both cases illustrate how a single leaked exploit can become a catalyst for widespread damage. The key takeaway for defenders is the necessity of proactive patch management and behavioral detection that can spot anomalous activity even when a zero‑day is in play.

Actionable Recommendations for Security Leaders

To mitigate the Coruna threat, organizations should adopt a layered approach that blends technology, process, and people:

1. Accelerate iOS Patch Deployment

• Enforce automatic updates for all corporate‑owned iPhones and iPads.
• Use Mobile Device Management (MDM) solutions to block devices running iOS 13‑16 from accessing sensitive resources.

2. Deploy Network‑Level URL Filtering

• Block known malicious domains and employ DNS‑based threat intelligence feeds.
• Implement SSL inspection to detect hidden exploit payloads in encrypted traffic.

3. Strengthen Endpoint Detection & Response (EDR)

• Leverage behavioral analytics that flag unusual kernel‑level activity on iOS devices.
• Integrate with a SIEM that correlates device logs with known Coruna indicators of compromise (IOCs).

4. Educate Users on Phishing & Malicious Links

• Run regular security awareness campaigns that simulate watering‑hole attacks.
• Encourage reporting of unexpected URLs, especially from unknown senders.

5. Adopt Zero‑Trust Architecture

• Enforce least‑privilege access for mobile apps and data.
• Require multi‑factor authentication for any privileged iOS session.

For organizations looking to accelerate their security automation, the Workflow automation studio can orchestrate patch rollouts, alert triage, and user‑training reminders in a single, low‑code workflow.

Conclusion

The Coruna leak is a stark reminder that government‑grade exploits are no longer confined to nation‑state arsenals. As the toolset proliferates, the line between sophisticated espionage and opportunistic cybercrime blurs, raising the stakes for every organization that relies on iOS devices.

Staying ahead requires rapid patching, robust detection, and a culture of continuous security awareness. If you need a unified platform to accelerate AI‑driven security operations, explore the Enterprise AI platform by UBOS, which integrates threat intelligence, automated response, and real‑time analytics.

Read the full investigative piece on TechCrunch for additional context: TechCrunch article.

Take action today—secure your iOS fleet, empower your security team with AI, and prevent the next wave of exploitation before it reaches your users.