Google cybersecurity researchers are urging iPhone users to update their devices to the latest version of iOS immediately. This comes after the Google Threat Intelligence Group (GTIG) discovered a dangerous exploit kit that targets a wide range of older iPhone software versions. The warning comes as geopolitical tensions, including the ongoing conflict in the Middle East, raise concerns that cyber tools may be used in targeted surveillance or espionage campaigns.
GITG researchers have recently discovered an exploit kit called Coruna that targets iPhones running iOS 13 through iOS 17.2.1. The toolkit includes multiple vulnerabilities that attackers can use to gain control of a device and extract sensitive data. According to Google, the exploit kit does not work on the latest version of iOS, which is why the company is advising users to update their devices immediately.
What Google cybersecurity researchers discovered
In a report, GITG researchers have revealed that the Coruna exploit kit contains five full exploit chains and 23 separate exploits that allow attackers to compromise different versions of iOS. Google researchers said the toolkit uses a combination of browser-based vulnerabilities and system-level exploits to gain access to a device.
The attack process typically begins when an iPhone user visits a malicious or compromised website.
A hidden script then identifies the device type and the iOS version running on it. Based on this information, the system delivers a specific exploit designed to work on that device.
Google said one of the vulnerabilities used in the attacks (CVE-2024-23222) was a zero-day before Apple fixed it in iOS 17.3. GTIG said the exploit toolkit appears to have circulated among several different threat actors over time.
Researchers first identified parts of the exploit chain in February 2025, when it was being used by a customer of a commercial surveillance vendor. Later in the year, the same toolkit was used in attacks targeting Ukrainian users, which researchers linked to a suspected Russian espionage group known as UNC6353.
By late 2025, the exploit kit was also observed in campaigns run by a financially motivated threat actor operating out of China, tracked by Google as UNC6691. In those cases, the attacks were delivered via fake financial and cryptocurrency websites designed to lure iPhone users to visit them.
Researchers said the spread of the toolkit across different groups suggests an active market for reused or resold cyber-espionage tools.
How hackers haver used this iPhone security flaw to steal financial data
As per the GITG report, once the exploit chain successfully compromised a device, it deployed a program called PlasmaLoader that enabled attackers to collect sensitive information.
According to Google’s analysis, the malware was designed to search for financial data and cryptocurrency wallet information stored on the device. It could scan notes, images, and text files for keywords such as “backup phrase” or “bank account,” and transmit the information to attacker-controlled servers.
The malware also included modules capable of extracting data from several cryptocurrency wallet apps, including MetaMask, Trust Wallet, Phantom, Exodus, and Uniswap.
Google said the Coruna exploit kit cannot compromise devices running the latest version of iOS, making software updates one of the simplest ways for users to protect themselves.
the Google Threat Intelligence Group said in its report.
For users who cannot update their devices immediately, researchers also recommend enabling Lockdown Mode, a security feature designed to reduce exposure to targeted attacks.
Google said the discovery highlights how advanced cyber tools can be transferred between different actors, including surveillance companies, espionage groups, and financially motivated attackers.
The company said that sharing research on these exploit kits is intended to raise awareness and encourage stronger security practices across the industry.
For everyday iPhone users, researchers say the advice remains straightforward: keep devices updated, avoid suspicious websites, and enable additional security protections when possible.
