Security researchers have identified a powerful iPhone hacking toolkit capable of infecting devices simply when users visit malicious websites.
The discovery was reported by Google’s Threat Intelligence Group, which warned the exploit kit could silently deliver malware without requiring victims to click anything.
The toolkit, known as Coruna, contains multiple exploit chains designed to target Apple devices running iOS versions from iOS 13 through 17.2.1.
Investigators said the framework includes five full exploit chains and at least 23 vulnerabilities affecting Apple’s mobile operating system.
Some of the vulnerabilities reportedly rely on previously unseen methods that bypass Apple’s built-in security protections on affected devices.
Researchers first observed parts of the toolkit in early 2025 when it appeared in an exploit chain linked to a customer of a commercial surveillance vendor.
The malicious framework uses JavaScript code that identifies a visitor’s iPhone model and operating system before delivering a tailored attack.
Later in 2025, the same technology surfaced on compromised Ukrainian websites targeting specific iPhone users through hidden webpage elements.
Google attributed that campaign to a suspected Russian espionage group known as UNC6353, which allegedly used the exploit system to spy on selected targets.
Researchers then discovered the toolkit spreading through hundreds of Chinese-language websites associated with cryptocurrency and financial investment scams.
These scam sites attempted to attract users browsing with iPhones before secretly deploying the exploit framework onto vulnerable devices.
Security analysts estimate that roughly 42,000 devices were compromised during one campaign after monitoring command-and-control servers connected to the scam infrastructure.
The Coruna toolkit specifically attacks weaknesses in Apple’s WebKit browser engine and dynamically selects the correct exploit chain for each targeted device.
Attack payloads are encrypted and compressed before being delivered through a customised file format designed to avoid detection by security systems.
Mobile security company iVerify suggested the toolkit’s engineering sophistication may indicate origins linked to advanced government cyber programmes.
“It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government,”