Sophisticated iPhone Hacking Tool Falls into Hands of Chinese Cybercrime Group

A highly sophisticated iPhone hacking tool has been discovered to be in the hands of a financially motivated cybercrime group in China.

The toolkit, which was initially developed for the US government, contains 23 exploits and targets Apple devices running iOS versions 13 to 17.2.1.

According to Google's Threat Intelligence team, the toolkit is part of an exploit kit called Coruna (CryptoWaters) that uses a very sophisticated level of engineering to evade detection.

The Coruna exploit kit was first detected in Ukraine in July 2025 and later in China in December 2025 via a fake financial site. It targets iPhone/iPad users through a hidden iFrame and loads the PlasmaLoader malware, which can steal crypto wallets such as MetaMask and Exodus.

The installed implant is also capable of taking over system processes such as powerd, locationd, SpringBoard, and even popular applications like WhatsApp.