A US Government iPhone-Hacking Toolkit Is Now in Foreign Spy and Criminal Hands
5 hours ago
- #State-Sponsored Hacking
- #Zero-Day Exploits
- #Cybersecurity
- An iPhone-hacking toolkit named 'Coruna' has been used in multiple mass exploitation campaigns, targeting iOS users via malicious websites.
- Coruna exploits 23 distinct iOS vulnerabilities, indicating it was likely developed by a well-resourced, state-sponsored group.
- Google traces Coruna's components to a 'customer of a surveillance company,' later used by a suspected Russian spy group against Ukrainians, and then by cybercriminals targeting Chinese-speaking victims.
- Evidence suggests Coruna may have originated as a US government tool, with code similarities to the 'Triangulation' operation attributed to the NSA.
- Coruna's sophisticated design and modular structure point to a single, professional author, possibly linked to US contractors.
- The toolkit checks for Apple's Lockdown Mode and avoids devices with it enabled, but has still infected tens of thousands of phones.
- Cybercriminals adapted Coruna to steal cryptocurrency, photos, and emails, though their additions were poorly written compared to the original toolkit.
- The proliferation of Coruna highlights the risks of zero-day exploits being sold on the black market, with brokers selling to the highest bidder.
- Apple has patched the vulnerabilities used by Coruna in iOS 26, but older versions (iOS 13–17.2.1) remain vulnerable.
- The case mirrors the EternalBlue leak, raising concerns about the security of government-developed hacking tools falling into adversarial hands.