Warning to iPhone users over hacking tool tied to government spyware

Source: Daily Mail Online

Cybersecurity experts have uncovered a powerful new hacking tool that can secretly take control of iPhones.

The spyware, dubbed 'Coruna,' was first identified by researchers at Google's Threat Intelligence Group (GTIG), which shared its findings on Tuesday.

Researchers said the spyware can target devices running iOS versions released between 2019 and late 2023, urging affected users to update their phones immediately.

GTIG has been tracking the tool since 2025, and cybersecurity firm iVerify theorized it may have begun as a US government surveillance tool that later leaked.

The toolkit contains more than 20 vulnerabilities that can be used to break into Apple devices, allowing hackers to bypass built-in security protections.

The attack was designed in part to exploit Apple's Safari browser and can be triggered in several ways, including when a user clicks on a malicious link.

Once activated, the system can steal pieces of text and potentially access sensitive information such as photos, notes and financial data stored on the device.

In July 2025, a Russian espionage group used the tool to hijack Ukrainian websites, while Chinese hackers allegedly deployed it through fake cryptocurrency platforms targeting unsuspecting users, according to PCMag.

'Coruna is one of the most significant examples we've observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,' iVerify wrote in a blog post.

According to GTIG, the weaknesses allow attackers to bypass built-in protections and gain deep access to a device without the user realizing it.

Researchers at cybersecurity firm iVerify conducted their own investigation into the same spyware and say their findings support Google's report.

They believe the technology is unusually advanced and resembles tools normally used in high-level surveillance operations.

But in this case, the same techniques appear to have spread beyond their original purpose and ended up in the hands of multiple hacking groups.

The team said this type of spread is becoming increasingly common. Surveillance software created for intelligence operations can sometimes leak or be sold through underground markets.

Once that happens, the same powerful tools can quickly be used by cybercriminals to target everyday users.

The Coruna spyware appears to have been used in several different ways. At first, it was linked to highly targeted attacks believed to involve foreign intelligence groups.

Later, the same technology appeared on fake websites designed to lure visitors into opening them on iPhones.

Anyone using an affected device who visited one of these sites could potentially have their phone compromised.

The attack itself is surprisingly simple from the user's perspective, as researchers said victims only needed to open a malicious website on their iPhone for the attack to begin.

The page secretly checks details about the device, including the model and the version of Apple's software running on it. If the phone is vulnerable, hidden code launches automatically and begins the process of taking control.

Once inside the phone, the spyware installs additional software that allows hackers to collect sensitive information.

The system can then scan photos and notes stored on the device and search for financial details, bank account references, or recovery phrases used to access cryptocurrency wallets.

The malware can also download extra tools from remote servers, allowing attackers to expand their access after the initial infection. In some cases, investigators found modules specifically designed to target popular digital wallet apps and financial platforms.

Security experts said the discovery highlights how quickly mobile threats are evolving. For years, iPhones were considered relatively difficult targets for large-scale hacking campaigns.

But the spread of advanced exploit kits like Coruna suggests that powerful hacking capabilities are becoming more widely available.

Despite the alarming findings, experts say most users can protect themselves by keeping their devices updated.

Google said the exploit kit does not work on the newest versions of Apple's iOS software, which include patches for the vulnerabilities used in the attack.

Researchers recommended that iPhone users install the latest updates as soon as they are available.

For those who cannot update immediately, experts suggest enabling Apple's Lockdown Mode, a security feature designed to block sophisticated hacking attempts.

Daily Mail has contacted Apple for comment.