Biggest iPhone/iCloud threat in 19 years

A newly reported iPhone/iCloud exploit is being described as the largest iOS threat in nearly two decades, with indications of active exploitation by state actors and a reported capability to bypass standard protections. For logistics tenants relying on mobile devices for WMS and last-mile operations, that raises immediate device-security and network-segmentation concerns.

The exploit kit is publicly tracked under the name “Coruna,” and Google’s Threat Intelligence Group reports that it bundles five full iOS exploit chains and a total of 23 individual exploits targeting iOS 13.0 through 17.2.1. Google’s timeline shows parts of the toolkit were first captured in February 2025 from a commercial surveillance-vendor customer, then observed in a watering-hole campaign linked to UNC6353 before later appearing in broad campaigns tied to UNC6691. Mobile security firm iVerify independently analyzed samples and estimated that roughly 42,000 iPhones were infected in at least one financially motivated campaign, a figure iVerify described as unusually large for iOS.

Technical analysis from Google shows that the delivery chain fingerprints devices in JavaScript, selects a WebKit remote-code-execution exploit for that model, and then chains kernel or PAC bypasses to fully compromise the device.

Apple rolled out emergency security updates for legacy devices on March 11, 2026, publishing iOS 15.8.7 and iOS 16.7.15 advisories that backported fixes originally introduced in iOS 17.3 (the 17.3 fix shipped Jan. 22, 2024). Researchers observed Coruna variants adapted for financial theft, with payloads tailored to locate crypto-wallets and exchange credentials, and Google says it has added identified Coruna domains to Safe Browsing to block known delivery infrastructure.
