Security researchers report that a powerful iPhone hacking framework once linked to surveillance operations is now being used in criminal campaigns to steal users' cryptocurrency and sensitive data.
This exploit kit, known as Coruna, contains multiple exploit chains that can compromise vulnerable iPhones through malicious websites.
Hackers Targeting WebKit and Older iOS Versions
According to analyses from Google’s Threat Intelligence Group and mobile security company iVerify, the framework includes:
- Five complete exploit chains
- 23 known iOS vulnerabilities
- Techniques that bypass several Apple security protections
The attacks target WebKit, which is used by all iOS browsers. This means that visiting a malicious webpage could compromise devices running older iOS versions.
Once triggered, the exploit chain escalates privileges from the browser to the kernel level, allowing attackers to install malware with root permissions.
From Surveillance Tool to Criminal Weapon
Researchers first detected parts of the framework in early 2025 during a surveillance operation reportedly linked to a spyware vendor's client.
Later that year, the exploit re-emerged in a suspected Russian intelligence campaign targeting Ukrainian websites. The malicious code was hidden inside a visitor counter widget that silently infected selected iPhone users.
More recently, the framework was reused in criminal operations targeting Chinese-speaking cryptocurrency and gambling sites.
Over 40,000 Devices Potentially Infected by Coruna
The security firm iVerify estimates that a single cryptocurrency-focused campaign has infected approximately 42,000 devices. This estimate is based on connections to command-and-control servers used by the attackers.
Once a device is compromised, hackers can search for cryptocurrency wallets, steal exchange login credentials, and extract photos and email data.
Researchers note that the core exploit framework is highly sophisticated, while the added criminal software appears much simpler; this suggests that different groups are reusing the same exploit platform.
Possible Connections to Previous Spyware Campaigns
It has been reported that the code used in Coruna overlaps with components from a major iPhone spying campaign discovered in 2023, known as the Triangulation Operation.
Some researchers believe that the framework may have initially been developed for government or intelligence use, later leaking into a broader exploit market.
Experts compare the situation to the EternalBlue leak, which later led to large-scale cyberattacks like WannaCry.
How State-Level iPhone Exploits End Up in Criminal Hands
Researchers point out that the incident highlights a growing “second-hand” market for zero-day exploit frameworks.
Tools originally created for intelligence agencies or law enforcement can, over time, be resold to exploit brokers and sometimes end up in the hands of rival governments or cybercrime groups.
Although Apple has patched known vulnerabilities used by Coruna in current iOS versions, security experts warn that the techniques behind the framework may continue to evolve.
Users running older iOS versions remain the most vulnerable. To stay protected against these exploits, users need to keep their devices fully updated with the latest security patches.