Friday, 6 March 2026

The Coruna Chronicle: How a Western Spy Tool Was Hijacked to Empty Millions of iPhones


What is the story of the "Coruna" hacking tool that threatens millions of iPhone devices and exposes critical vulnerabilities?



The story of the "Coruna" hacking tool is a dangerous tale of weaponization. It illustrates how a sophisticated surveillance tool—believed to have been developed for Western governments—was turned into a weapon in the hands of spies and criminal groups, who used it to steal cryptocurrency from iPhone users worldwide.

In the following lines, I will explain the details of this story, starting with the nature of the tool and its severity, moving through how it operates and spreads, and ending with the only confirmed way to protect your device from it.

🕵️‍♂️ What is the Coruna Tool and Why is it Dangerous?

"Coruna" is a highly complex and professional exploit kit that was used to hack thousands of iPhones throughout 2025. Its danger lies in the fact that it is not a single piece of malware but a complete arsenal: 23 security vulnerabilities organized into 5 separate exploit chains, allowing attackers to gain complete control over the targeted device.

The primary targets are iPhones running older operating systems, specifically from iOS 13 (released in 2019) up to iOS 17.2.1 (released in December 2023). In one campaign alone, which was aimed at generating financial profit, attackers managed to compromise an estimated 42,000 devices.

🔬 How Does the Attack Mechanism Work?

The hacking process resembles a precise surgical operation, relying on several stages:

  1. Luring: The process begins when the victim visits a pre-prepared malicious website. These sites could be fake (such as fraudulent cryptocurrency trading platforms) or legitimate websites that have been compromised.

  2. Device Fingerprinting: Once the page loads, a JavaScript framework takes a "fingerprint" of the victim's device, precisely identifying the iPhone model and the version of the operating system.

  3. Executing the Attack: Based on the fingerprint, the attack chain matching that device and iOS version is triggered. It starts with a remote code execution vulnerability in WebKit, the engine behind Safari, to run attacker-controlled code, followed by further vulnerabilities that jailbreak the device and bypass iOS security protections.

  4. The Final Goal - Theft: After gaining control of the device, a final-stage payload called "PlasmaLoader" is installed. Its mission is to infiltrate the system, search through installed applications, and steal digital wallet keys (such as those for MetaMask and Trust Wallet) as well as secret recovery phrases (seed phrases) stored in the Notes app.

🔄 The Tool's Journey: From Governments to Organized Crime

What makes the Coruna story particularly alarming is its unusual journey between the hands of different parties, as revealed by Google's investigations:

  • The Beginning (February 2025): Parts of the tool were first observed in use by a customer of a surveillance company, suggesting that a tool of this complexity was originally sold to a government for limited espionage operations.

  • Phase Two (Summer 2025): The tool reappeared, this time in targeted attacks against Ukraine, attributed to a Russian espionage group named UNC6353. The malicious code was injected into dozens of compromised Ukrainian websites.

  • Phase Three (Late 2025): In a shocking development, the tool was used in its entirety in large-scale attacks by a Chinese criminal group named UNC6691, with the aim of stealing cryptocurrencies from victims through fraudulent websites.

🕹️ What Protects Your Device Now?

The good news is that this tool no longer poses a threat if your device is updated. Apple has patched all these security vulnerabilities in the latest versions of the operating system.

  • The Definitive Solution: Update your device immediately to the latest available version of iOS. The advice from Google and cybersecurity experts is unequivocal: this is the only action that guarantees your protection definitively.

  • Additional Protection (Lockdown Mode): If your device is old and cannot be updated, or if you want an extra layer of protection, you can activate Lockdown Mode on your iPhone. This mode prevents the tool from working even if you visit a malicious site.
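Turning the affected range above into something a defender can run over a device inventory or web-server logs, here is an added example (not from the original post or from Google's research) that parses iOS version strings and Safari user-agents and flags devices inside the iOS 13 to 17.2.1 range. The device ids and versions in the sample are constructed, and the Safari user-agent format ("CPU iPhone OS 17_2_1 like Mac OS X") is assumed from how Safari on iOS identifies itself.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the post: iOS 13 up to and including iOS 17.2.1.
AFFECTED_MIN: Version = (13, 0, 0)
AFFECTED_MAX: Version = (17, 2, 1)

# Safari on iOS reports its version as e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
_DOTTED_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*")


def parse_ios_version(text: str) -> Optional[Version]:
    """Parse '17.2.1', '17.2' or an iOS Safari user-agent; None if unrecognised."""
    m = _UA_RE.search(text) or _DOTTED_RE.fullmatch(text)
    if not m:
        return None
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)


def in_affected_range(version: Version) -> bool:
    """Tuple comparison orders 17.2.10 after 17.2.1; naive string comparison gets this wrong."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, Optional[Version], str]]:
    """For each (device_id, version_or_user_agent) return (device_id, version, status)."""
    result = []
    for device_id, text in records:
        version = parse_ios_version(text)
        if version is None:
            status = "unknown-version"
        elif in_affected_range(version):
            status = "affected: update, or enable Lockdown Mode if it cannot be updated"
        else:
            status = "outside-affected-range"
        result.append((device_id, version, status))
    return result


# Constructed sample inventory (hypothetical device ids and versions, not real data).
SAMPLE_INVENTORY = [
    ("phone-a", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15"),
    ("phone-b", "17.2.10"),  # hypothetical later patch level, so outside the range
    ("phone-c", "12.5.7"),   # older than iOS 13
    ("phone-d", "13.0"),
    ("phone-e", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The "unknown-version" rows are worth chasing down manually rather than assuming they are safe.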

I hope this explanation has clarified the full story of this dangerous tool. If you have any other questions, please do not hesitate to ask.
