Google's Threat Intelligence Group on Tuesday identified a 23-vulnerability iOS exploit kit called Coruna that appears to have traveled from a US government contractor through Russian espionage operations into the hands of Chinese cybercriminals. Mobile security firm iVerify, which analyzed the toolkit independently, estimates roughly 42,000 iPhones have already been compromised in the criminal campaign alone. Apple fixed the bugs in iOS 26. Older versions? Still wide open. That means iOS 13 through 17.2.1, anything Apple shipped between September 2019 and December 2023.

The Breakdown

Five exploit chains, one author

Coruna carries five full attack chains. Browse to a rigged website in Safari and you're done: malware is on your phone before you realize anything happened. The chain starts with WebKit flaws, gets code executing, then piles on more exploits until it cracks the iOS sandbox wide open.

Google's researchers picked up the first components in February 2025, deployed by what they described only as a "customer of a surveillance company." A more complete version turned up five months later in watering hole attacks against Ukrainian websites, buried inside a common visitor-counting script. Google pinned that campaign with moderate confidence on UNC6353, a suspected Russian espionage group. Then in December 2025, the full kit showed up on Chinese-language cryptocurrency and gambling scam sites, run by a financially motivated group Google tracks as UNC6691.

iVerify's cofounder Rocky Cole, a former NSA employee, told WIRED the code bears the hallmarks of US government development. Native English comments throughout, professional documentation, and a modular architecture that holds together as a single authored system. "It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," Cole said.

Google and iVerify both flagged heavy code overlap with Operation Triangulation, the 2023 campaign that hit Kaspersky. Moscow blamed the NSA for that one. Washington didn't bother responding.

The broker pipeline

How a suspected American intelligence tool wound up on Chinese gambling sites is the question neither Google nor iVerify can fully answer. But the exploit broker market offers a structural explanation.

Peter Williams, a former executive at US government contractor Trenchant, was sentenced this month to seven years in prison for selling at least eight of his employer's exploits to Operation Zero, a Russian zero-day broker, between 2022 and 2025. Trenchant sold hacking tools to US intelligence and Five Eyes governments. The Treasury Department sanctioned Operation Zero's owner last month.

Cole pointed to the broader economics. "These zero-day and exploit brokers tend to be unscrupulous," he told WIRED. "They sell to the highest bidder and they double dip. Many don't have exclusivity arrangements."

Google played it safe, calling the proliferation evidence of "an active market for 'second hand' zero-day exploits" and stopping short of naming any government as Coruna's creator. That gap between the two reports tells you something about threat intelligence itself. How far you go with attribution depends on how much blowback your organization can stomach. Either way, the pattern rhymes with Chinese cyber campaigns that exploited zero-day flaws in Western software to breach hundreds of organizations. The tools change hands. The damage compounds.

What the criminal version does

The cybercriminal variant bolted crude malware onto Coruna's polished framework, like a chop shop welding stolen parts onto a luxury chassis. iVerify's chief product officer Spencer Parker called the additions "poorly written" compared to the underlying toolkit. "My God, these things are very professionally written," Parker said of the original exploits.

UNC6691's stager binary scans compromised devices for cryptocurrency wallet apps including MetaMask, BitKeep, and Trust Wallet. It decodes QR code images stored on the device, hunting for seed phrases and recovery keys. It exfiltrates wallet data, photos, and in some cases emails.

iVerify consulted a partner with access to network traffic and counted connections to the criminal campaign's command-and-control server. That analysis produced the 42,000 figure. Infections from the Russian espionage campaign targeting Ukrainian websites remain unquantified. Google declined to comment beyond its published report. Apple did not respond to requests for comment.

Lockdown mode works, but the genie is loose

Coruna checks for Apple's Lockdown Mode before it tries anything. Lockdown Mode on? It walks away. Still on an older iOS without it? You're a target. Chrome seems safe since the kit only goes after WebKit. Apple hasn't responded to either Google's or iVerify's findings. Total silence.

The NSA had its own Windows exploit, EternalBlue, walk out the door in 2017. WannaCry followed. Then NotPetya. Cole sees the same movie starting. "This is the EternalBlue moment for mobile malware," he told WIRED.

Not a perfect comparison. EternalBlue hit current Windows systems at scale. Coruna targets iOS versions up to three years old, limiting its reach. But the same thing keeps happening. Government-funded offensive tools leak out and get turned against the people they were built to protect.

Five full exploit chains written in English are now floating between at least three threat actor groups that we know of. Vulnerabilities patched. Techniques still out there. Anyone who sits down with this code walks away knowing how to crack iPhones, a graduate-level education in iOS exploitation paid for by some government's black budget. "The genie is out of the bottle," Cole said.

Frequently Asked Questions

What iOS versions are affected by Coruna?

iOS 13.0 through 17.2.1, covering every version Apple released between September 2019 and December 2023. Apple patched the vulnerabilities in iOS 26. If you're running an older version, enabling Lockdown Mode blocks the exploit kit. Chrome users are unaffected since Coruna only targets Safari through WebKit flaws.

How does the Coruna exploit kit infect iPhones?

Coruna uses watering hole attacks, embedding exploit code in compromised websites. When a user visits the site on Safari, the toolkit fingerprints the device, selects the appropriate exploit chain, achieves remote code execution through WebKit flaws, and escapes the iOS sandbox. No user interaction is required beyond visiting the page.

What is Operation Triangulation and how does it connect to Coruna?

Operation Triangulation was a 2023 iOS malware campaign discovered targeting Kaspersky. Russia publicly blamed the NSA. Google and iVerify found substantial code overlap between Triangulation and Coruna, suggesting shared authorship or a common codebase. Several Coruna exploits build directly on Triangulation's kernel exploitation framework.

Who is Peter Williams and what role does the exploit broker market play?

Williams was a former executive at Trenchant, a US government contractor. He was sentenced to seven years for selling at least eight exploits to Operation Zero, a Russian broker, between 2022 and 2025. The case illustrates how government-funded offensive tools migrate through brokers to adversaries and criminals.

How can iPhone users protect themselves from Coruna?

Update to iOS 26 immediately. If your device can't run it, enable Lockdown Mode in Settings. Coruna checks for Lockdown Mode and abandons the attack if it's active. Using Chrome instead of Safari also helps since Coruna specifically targets WebKit, Safari's browser engine.
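Put together, the FAQ answers above give a fleet administrator three facts to act on: the affected range (iOS 13.0 through 17.2.1), the fix (iOS 26), and the stopgap (Lockdown Mode). The script below is an added example, not code from the article or from Google, iVerify or Apple; it turns those facts into a triage pass over an MDM inventory export. The inventory format, field names and device records are constructed for the example, and the exact range check uses the numbers the article gives.

```python
"""
Added example (not from the article or the vendors it cites): classify
devices from an MDM inventory against the iOS range the article states is
affected by Coruna (13.0 through 17.2.1), the patched release (iOS 26), and
the Lockdown Mode stopgap. Inventory fields and device records are constructed.
"""
from __future__ import annotations

from typing import NamedTuple

AFFECTED_MIN = (13, 0, 0)   # first affected release, per the article
AFFECTED_MAX = (17, 2, 1)   # last affected release, per the article
PATCHED_MAJOR = 26          # article: Apple fixed the bugs in iOS 26


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1', '17.2' or '17' into a comparable 3-tuple.

    Comparing tuples of ints avoids the string trap where '17.10' < '17.2'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True if the version falls inside the range the article lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


class Device(NamedTuple):
    """One inventory row (constructed field names, not a real MDM schema)."""
    device_id: str
    ios_version: str
    lockdown_mode: bool


def triage(device: Device) -> str:
    """Classify a device as patched, mitigated, update-required or outside-stated-range."""
    major = parse_version(device.ios_version)[0]
    if major >= PATCHED_MAJOR:
        return "patched"                 # running the release that carries the fix
    if not in_affected_range(device.ios_version):
        # Pre-iOS 26 but outside the range the article names (e.g. 17.3 up to 25.x).
        # The article does not call these exploitable, so they are reported separately.
        return "outside-stated-range"
    if device.lockdown_mode:
        return "mitigated"               # article: Coruna aborts when Lockdown Mode is on
    return "update-required"             # affected release, no stopgap in place


def summarize(devices: list[Device]) -> dict[str, list[str]]:
    """Group device ids by triage bucket, preserving inventory order within a bucket."""
    buckets: dict[str, list[str]] = {}
    for d in devices:
        buckets.setdefault(triage(d), []).append(d.device_id)
    return buckets


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Device("ios-001", "17.2.1", False),
    Device("ios-002", "17.2.1", True),
    Device("ios-003", "26.0", False),
    Device("ios-004", "13.0", False),
    Device("ios-005", "17.3", False),
    Device("ios-006", "18.1", False),
]

if __name__ == "__main__":
    for bucket, ids in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{bucket:22s} {len(ids):3d}  {', '.join(ids)}")
```

The `update-required` bucket is the action list: devices on an affected release with no Lockdown Mode. Devices that report an unparseable version string raise rather than silently landing in a safe bucket, which is the failure mode you want when the output drives patch scheduling.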
