📱 From Spyware to Street Criminals: How Government iPhone Hacking Tools Are Now Being Misused
In a startling development in cybersecurity, researchers have uncovered that a powerful suite of iPhone hacking tools — originally used in government or state‑linked operations — has leaked into the hands of cybercriminal groups and is now being used to target everyday users.
The exploit framework, known as Coruna, was first identified by the Google Threat Intelligence Group (GTIG) in early 2025. It was initially detected during a surveillance vendor's attempt to install spyware on a target device on behalf of a government customer; components of the toolkit have since been found in widespread operations ranging from espionage campaigns against Ukrainian users to financially motivated hacking efforts based in China.
What makes this discovery especially concerning is that Coruna isn’t a simple piece of malware — it’s a comprehensive exploit kit capable of bypassing an iPhone’s security protections through multiple methods. Security analysts say the toolkit contains five complete exploit chains and leverages a total of 23 separate vulnerabilities in Apple’s iOS operating system.
🕵️♂️ How the Exploit Works
Coruna is delivered through "watering hole" attacks: the exploit code is hidden on a compromised or attacker-controlled website, and a victim simply needs to load that page in the browser for the chain to begin. No tap, download, or other interaction is required. Once triggered, the toolkit works through the iPhone's built-in defenses stage by stage, escalating privileges until it can install malware that spies on user data, harvests credentials, or carries out further malicious actions on the device.
The exploit specifically targets older versions of iOS, from iOS 13 up through iOS 17.2.1 — meaning devices that have not been updated to the latest operating systems are particularly vulnerable.
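For fleet owners, the practical question is which devices in an inventory still run a build inside that range. The following is an added example, not code from the article or from any of the research teams it cites: it parses iOS version strings and flags devices whose build falls between iOS 13 and iOS 17.2.1 inclusive, the range the article gives. The device IDs and versions are constructed sample data, and the range itself is taken from the article rather than from a vendor advisory.

```python
"""
Added example (not part of the original article): flag devices whose
iOS version falls inside the range the article states Coruna targets,
iOS 13 through iOS 17.2.1 inclusive. The inventory below is constructed
sample data, not real devices.
"""

# Inclusive range reported in the article for the Coruna exploit chains.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(version: str) -> tuple:
    """Turn '17.2.1' or '16.4' into a comparable (major, minor, patch) tuple.

    Comparing version strings lexically is a classic bug ('17.10' < '17.2'
    as strings), so compare integer tuples instead. Missing trailing
    components default to 0, so '16.4' == '16.4.0'.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def in_affected_range(version: str) -> bool:
    """True if the build is inside the range the article gives as vulnerable."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def flag_devices(inventory: list) -> list:
    """Return the IDs of devices running an iOS build in the affected range."""
    return [d["id"] for d in inventory if in_affected_range(d["os_version"])]


# Constructed sample inventory (hypothetical device IDs and versions).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "os_version": "17.2.1"},   # last build in the range
    {"id": "iphone-002", "os_version": "17.3"},     # just past the range
    {"id": "iphone-003", "os_version": "16.7.10"},  # numeric compare: 10 > 2
    {"id": "iphone-004", "os_version": "12.5.7"},   # below the stated range
    {"id": "iphone-005", "os_version": "18.0"},     # current major release
]

if __name__ == "__main__":
    for dev_id in flag_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: iOS build inside Coruna-affected range, update required")
```

A device outside the range is not automatically safe from every chain in the kit; the check only tells you which devices the article's stated range covers and therefore which ones to update first.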
Security firms like iVerify, which conducted deep reverse engineering of the toolkit, believe the core of Coruna is sophisticated enough to originate from government‑grade research or development environments. In fact, researchers point out similarities between Coruna and past exploit frameworks linked to intelligence operations, including elements seen in campaigns like Operation Triangulation.
🌍 From State Operations to Criminal Markets
What started as a custom surveillance tool is now being repurposed by multiple non‑state actors:
Espionage campaigns: Security teams observed the toolkit being used by a suspected Russian hacker group targeting iPhone users in Ukraine, compromising devices through malicious web links embedded across targeted sites.
Financial hackers: Later, parts of Coruna were discovered embedded in campaigns aimed at stealing crypto and financial data from visitors to specific Chinese-language websites, indicating that financially motivated cybercriminals are applying the same exploit frameworks for profit.
The precise pathway by which the tools leaked out of controlled environments remains unclear, but experts warn that such “second‑hand” exploit markets are becoming more active — where powerful hacking frameworks, once tightly held by states, are resold, repackaged, or redistributed to anyone with money or motive.
This trend echoes historic leaks like the EternalBlue exploit developed by the U.S. National Security Agency (NSA), which was later published and widely abused in global ransomware attacks, a stark lesson in how digital tools designed for intelligence can inflict enormous damage once they escape controlled use.
📉 What Users Need to Know
The good news for many users is that Apple has already patched most of the vulnerabilities exploited by Coruna in later versions of iOS. Updated devices running modern software — including iOS 18 and beyond — are resistant to this specific threat.
However, older iPhones that cannot upgrade or users who delay installing updates remain at risk. Security experts strongly advise:
Updating to the latest iOS release immediately if your device supports it.
Enabling Lockdown Mode on iPhones — a hardened security setting that reduces the attack surface for sophisticated exploits and spyware.
Failing to do so leaves devices exposed not just to targeted surveillance, but to mass exploitation campaigns that can steal data, credentials, and even financial assets in an instant.
🛡️ The Broader Implications
This episode raises difficult questions about digital security policy and the stockpiling of zero‑day vulnerabilities by states and surveillance vendors. Tools like Coruna are developed to bypass sophisticated protections, often for narrow, government‑approved objectives. But once they leak, they become weapons of opportunity for anyone with access — from foreign intelligence agencies to underground cybercrime rings.
As Google warns, the more powerful the exploit, the more likely it is to escape containment, circulate in underground markets, and be repurposed in ways never intended. This underscores the need for better safeguards, transparency, and responsible practices around the creation and handling of offensive cybersecurity tools.
✨ Key Takeaway
A suite of powerful iPhone hacking tools — once used for government surveillance or intelligence — has now been weaponised by cybercriminals in global hacking campaigns. The situation highlights the risks of exploit leakage and underscores the importance of keeping devices updated and secure.

