U.S. Spyware Leak Enables Hackers to Breach iPhones


A highly sophisticated exploit kit targeting iPhones has been uncovered by Google’s Threat Intelligence Group. Dubbed “Coruna,” the kit was initially used by an unknown surveillance company before falling into the hands of malicious actors in China and Russia, according to recent findings.

Researchers at iVerify later determined that the Coruna kit likely originated from a U.S. government framework. While it is not unusual for nations to develop or purchase spyware for intelligence purposes, it is rare for such tools to end up in the hands of cybercriminals.

A Nation-State Level Invasion Kit

Coruna is far from ordinary malware. The kit contains 23 different exploits, which can be combined in various ways to create five distinct exploitation chains. This complexity strongly suggests it was developed by a nation-state actor. Unlike typical spyware, which targets individuals, Coruna is capable of mass compromise, making it the first known mass-attack tool for iOS devices.

The full kit came to light after a Chinese hacker deployed it across several betting and cryptocurrency websites. However, analysis by iVerify revealed that the malware’s documentation was written in native English, pointing to its U.S. origins. The Chinese cybercriminals adapted the kit to steal financial data, media files, and other sensitive personal information from victims’ iPhones.

A Troubling Precedent

Coruna’s trajectory mirrors that of other powerful exploits developed by surveillance vendors, which are often sold to governments before occasionally leaking into the criminal underworld. The most famous example is EternalBlue, a zero-day exploit developed by the U.S. National Security Agency (NSA) that was later used in widespread cyberattacks after it was leaked.

The Coruna kit can compromise iPhones running iOS versions 13.0 (released in September 2019) through 17.2.1 (released in December 2023). Apple users are advised to update their devices to the latest iOS version to protect against the exploit. For those unable to update, enabling Lockdown Mode can help mitigate the risk of attack.

As the digital arms race between governments and cybercriminals intensifies, the Coruna leak serves as a stark reminder of the dangers posed by powerful surveillance tools when they escape into the wild. Users should remain vigilant and ensure their devices are protected with the latest security updates.

Source: CanalTech
