
Google's Threat Analysis Group Exposes 'Coruna' — An iOS Exploit Kit Packing 23 Zero-Day Vulnerabilities
Google TAG reveals a sophisticated commercial spyware vendor using a chain of 23 previously unknown iOS exploits to compromise iPhones without user interaction.
The Most Dangerous Spyware Kit Ever Documented
Google's Threat Analysis Group has published a detailed report on what it calls the most sophisticated commercial spyware operation it has ever encountered. Dubbed "Coruna" by Google researchers, the exploit kit chains together 23 zero-day vulnerabilities in iOS to achieve full device compromise, without requiring the target to click a link or open an attachment.
The zero-click attack chain targets iMessage processing, WebKit rendering, and kernel-level system services across iOS 17 and iOS 18. Once deployed, the spyware gains complete access to messages, calls, photos, real-time location, microphone, and camera. It persists across reboots and can survive iOS updates in some configurations.
Who Built It and Who Bought It
Google TAG attributes Coruna to a previously unknown commercial surveillance vendor operating out of Southern Europe. The company markets its product exclusively to government clients as a "lawful intercept" solution, but Google's research found evidence of deployment against journalists, opposition politicians, and human rights lawyers across at least eight countries.
The scale of the zero-day chain is unprecedented. Previous commercial spyware operations like those from NSO Group and Intellexa typically relied on chains of three to five exploits. Coruna's 23-exploit chain suggests a vendor with extraordinary technical resources and a deep pipeline of vulnerability research.
Apple's Response
Apple was notified through Google's standard responsible disclosure process and has patched the majority of the exploited vulnerabilities in iOS 18.4, released this week. However, Google notes that at least three of the kernel-level exploits target architectural assumptions in Apple's Secure Enclave Processor, and full mitigation may require hardware-level changes in future iPhone generations.
Users are strongly advised to update to iOS 18.4 immediately. For high-risk individuals — journalists, activists, and political figures — Apple's Lockdown Mode provides additional protections against this class of attack.
Sources: Google TAG Blog (March 6, 2026), Ars Technica (March 6, 2026), Wired (March 6, 2026)
