Apple Rushes Patches to Older iPhones as Government-Grade Exploit Kit Falls Into Criminal Hands

March 12, 2026

Apple has released emergency security updates for older iPhones and iPads to address vulnerabilities exploited by the Coruna kit, a sophisticated attack framework originally linked to a US military contractor that has now spread to criminal hackers targeting cryptocurrency wallets.

Apple Patches Legacy Devices Against Coruna Exploit Kit

Apple on Wednesday released iOS 16.7.15, iOS 15.8.7, and their iPadOS counterparts to protect older devices against the Coruna exploit kit, a powerful attack framework containing twenty-three exploits organised into five full attack chains capable of compromising iPhones running iOS 13 through iOS 17.2.1.

The updates target devices too old to run the latest version of iOS, including iPhone 8, iPhone 8 Plus, iPhone X, iPhone XS, iPhone XS Max, iPhone XR, and several older iPad models. Apple confirmed the patches fix kernel and WebKit vulnerabilities associated with the Coruna exploit.

From Spy Tool to Criminal Weapon

The Coruna framework was publicly disclosed on March 2nd by Google's Threat Intelligence Group and mobile security firm iVerify in separate but corroborating reports. Google described it as a professionally engineered exploit kit featuring non-public exploitation techniques and mitigation bypasses.

The kit's origins trace back to L3Harris, a US military contractor, specifically its surveillance division known as Trenchant. Former employees confirmed that Coruna was an internal project name. The kit leaked after Peter Williams, a former general manager at Trenchant, was sentenced to over seven years in prison for selling eight zero-day exploits to Russian exploit broker Operation Zero.

Mass Criminal Deployment

By late 2025, the kit had migrated from controlled government use to broader criminal deployment. Google tracked it to UNC6691, a China-based financially motivated threat actor that deployed the exploits across fake financial websites. The malware payload, called PlasmaLoader, searches compromised devices for cryptocurrency wallet credentials from apps including MetaMask, Exodus, and Bitget Wallet.

iVerify described the campaign as the first known mass iOS attack, estimating at least forty-two thousand devices were affected. Unlike earlier targeted deployments, the exploit chains contained no geolocation filtering, meaning any vulnerable iPhone visiting compromised pages was at risk.

Urgent Action Required

The US Cybersecurity and Infrastructure Security Agency has added three Coruna-related vulnerabilities to its Known Exploited Vulnerabilities catalogue, ordering federal agencies to apply fixes by March 26th. Security researchers stress that Coruna is ineffective against the latest iOS versions and urge all iPhone users to update immediately.

Published March 12, 2026 at 10:34am
