The hacking toolkit 'Coruna', believed to have been developed by the US government, has been abused to target iPhones



Google security researchers have identified a powerful set of hacking tools they've dubbed 'Coruna' that can compromise iPhones running outdated software, and which they believe have been passed on to cybercriminals by US government customers.

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit | Google Cloud Blog
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/

iVerify Details First Known Mass iOS Attack
https://iverify.io/press-releases/first-known-mass-ios-attack

A suite of government hacking tools targeting iPhones is now being used by cybercriminals | TechCrunch
https://techcrunch.com/2026/03/03/a-suite-of-government-hacking-tools-targeting-iphones-is-now-being-used-by-cybercriminals/

A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals | WIRED
https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

Coruna contained five hacking techniques that could bypass all of the iPhone's defenses and covertly install malware on the device when a website containing the exploit code was visited.

Coruna was a rare collection of hacking components that exploited 23 different vulnerabilities in iOS, and its complexity suggests it was created by a well-funded, possibly state-sponsored, group of hackers.



While it is unclear how these tools were leaked or spread, mobile security company iVerify obtained the hacking tools and independently reverse-engineered them. Based on the results, iVerify pointed out that Coruna 'bears similarities to frameworks previously developed by threat actors associated with the U.S. government.' The company believes that tools originally intended for counter-terrorism purposes and used only against criminals have fallen into the hands of many people, either because of poor government management or because of the profit the tool's developer stood to make.

iVerify says, 'We saw this exact same thing happen with EternalBlue, an exploit for Microsoft Windows developed by the National Security Agency (NSA).' EternalBlue exploited a zero-day vulnerability that allowed it to gain access to a large number of network-connected Windows devices. The NSA, which developed it, intentionally did not report the vulnerability to Microsoft and instead used it in its own cyber operations for several years. However, a hacker group stole EternalBlue, and although Microsoft quickly released a patch after being notified of the vulnerability, EternalBlue was sold and used to infect unpatched systems.


Coruna targets a vulnerability in Apple's WebKit framework for browsers, which was fixed in iOS 26, but Safari users running older versions of iOS are still vulnerable.

Google security researchers point out that 'Coruna checks whether Apple's strictest security setting, 'Lockdown Mode,' is enabled and will not attempt hacking if it is enabled,' but despite these limitations, iVerify says that 'Coruna has likely infected tens of thousands of smartphones.' iVerify worked with a partner with access to network traffic to investigate Coruna, which is used on Chinese-language websites, and found that the scale of connections suggests that at least approximately 42,000 devices may have already been hacked by this toolkit.

'Coruna is highly sophisticated and appears to have cost millions of dollars to develop,' said Rocky Cole, co-founder of iVerify. 'In addition, the code suggests it is highly likely a US government tool that was developed and over which control was then lost, potentially allowing it to be used by both US adversaries and cybercriminal groups.'

in Security, Posted by log1p_kr