Recent findings by Google reveal that vulnerabilities exploited by the Coruna toolkit have been patched by Apple in the current versions of its iOS operating system, specifically iOS 26. As a result, the techniques used by Coruna are only confirmed to affect devices running iOS versions 13 through 17.2.1. This cyber toolkit primarily targets weaknesses in Apple’s WebKit framework, which means that users of Safari on these older iOS versions remain exposed. Notably, Google has indicated there are no confirmed methods in Coruna for targeting Chrome users. Furthermore, Coruna has a mechanism to detect if the Lockdown Mode, Apple’s privacy-centric security setting, is enabled on a device and refrains from initiating an attack if it is.
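The affected-version window reported above (iOS 13 through 17.2.1, with current releases patched) is the kind of fact a fleet administrator turns into an inventory check. The following triage helper is an added example written for this page, not code from Google, iVerify or Apple; the version bounds are taken from the article, while the sample inventory rows and the handling of the Lockdown Mode flag are constructed for illustration and only mirror what the article states about the toolkit skipping devices with Lockdown Mode enabled.

```python
# Added example: flag inventory entries whose iOS version falls inside the
# range the article reports as affected by Coruna (iOS 13 through 17.2.1).
# Bounds come from the article; helper names and sample rows are constructed.

from typing import List, Tuple

AFFECTED_MIN = (13, 0, 0)  # iOS 13.0.0 (lower bound reported in the article)
AFFECTED_MAX = (17, 2, 1)  # iOS 17.2.1, inclusive (upper bound reported)


def parse_ios_version(version: str) -> Tuple[int, int, int]:
    """Turn '17.2.1', '17.2' or '17' into a comparable (major, minor, patch) tuple.

    Numeric comparison matters: as strings, '17.10' would sort below '17.2'.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_in_affected_range(version: str) -> bool:
    """True if the version lies within 13.0.0 .. 17.2.1 inclusive."""
    return AFFECTED_MIN <= parse_ios_version(version) <= AFFECTED_MAX


def triage_device(version: str, lockdown_enabled: bool = False) -> str:
    """Classify one device for follow-up.

    'in-range'            : version in the reported affected window, no Lockdown Mode
    'in-range-lockdown'   : in the window, but Lockdown Mode on (article says the
                            toolkit declines to attack such devices); still update
    'outside-range'       : version outside the reported window
    'unparseable'         : inventory value could not be read; check manually
    """
    try:
        affected = is_in_affected_range(version)
    except ValueError:
        return "unparseable"
    if not affected:
        return "outside-range"
    return "in-range-lockdown" if lockdown_enabled else "in-range"


def triage_inventory(rows: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Apply triage_device to (device_id, ios_version, lockdown_enabled) rows."""
    return [(dev, triage_device(ver, ld)) for dev, ver, ld in rows]


# Constructed sample inventory (device ids and versions are made up).
SAMPLE_INVENTORY = [
    ("phone-001", "17.2.1", False),
    ("phone-002", "17.2.2", False),
    ("phone-003", "13", False),
    ("phone-004", "16.5", True),
    ("phone-005", "26.0", False),
    ("phone-006", "12.5.7", False),
    ("phone-007", "n/a", False),
]

if __name__ == "__main__":
    for device_id, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device_id}: {status}")
```

Devices returned as `in-range` are the ones to update first; `in-range-lockdown` entries are lower exposure by the article's account but are still unpatched and should not be left on the old build.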
In light of these limitations, iVerify estimates that Coruna may have successfully infected tens of thousands of devices. The firm collaborated with a partner possessing access to relevant network traffic and determined that visits to a command-and-control server associated with the cybercriminal version of Coruna were notably high—a pattern observed with Chinese-language websites. Their analysis suggests that approximately 42,000 devices may have been compromised during Coruna’s profit-driven campaign.
The full scope of Coruna’s impact, particularly concerning additional potential victims such as Ukrainians accessing compromised websites linked to suspected Russian espionage activities, remains unclear. While Google has chosen not to comment further than its published report, Apple has not yet responded to inquiries regarding the implications of these findings.
iVerify’s analysis indicates that the malware associated with Coruna has been specifically modified to infiltrate target devices with malicious intent to siphon off cryptocurrency from wallets and steal personal data, such as photographs and emails. According to Spencer Parker, the chief product officer of iVerify, the added functionalities demonstrate subpar coding skills compared to the overall sophistication of the original Coruna toolkit. He characterizes the core exploits of Coruna as exceptionally well-crafted and modular.
Parker notes the professionalism of the underlying code while suggesting that the less refined malware was likely introduced by cybercriminals who acquired the original toolkit. In discussing the origins and potential affiliations of Coruna, iVerify’s Cole raises another possibility regarding its code. He posits that any similarities to the Operation Triangulation malware—attributed by Russia to U.S. hackers—might stem from components that were repurposed after initial exposure. However, Cole emphasizes that such a connection is improbable as many elements of Coruna appear novel, hinting at a cohesive design, likely attributable to a single author.
Cole, who previously served at the NSA, clarifies that his insights are not influenced by outdated knowledge, asserting that the toolkit appears to be a well-constructed entity created in its entirety rather than an assemblage of disparate code. If Coruna represents a U.S. government-developed hacking tool that has been misappropriated, the method by which it fell into criminal hands remains elusive. Cole points to a lucrative market for zero-day exploits, where brokers may spend vast sums to acquire hacking techniques for resale across various sectors, including espionage and cybercrime.
Recent legal actions underscore the seriousness of these vulnerabilities, exemplified by the sentencing of Peter Williams, a former executive at U.S. government contractor Trenchant, to seven years in prison for facilitating the sale of zero-day exploits to Russian brokers from 2022 to 2025. His case emphasizes the risks associated with zero-day and exploit brokerages, often characterized by unscrupulous practices and a lack of exclusivity agreements, which can enable tools like Coruna to reach unintended audiences.
In conclusion, it is plausible that Coruna found a buyer among non-Western exploit brokers, who subsequently marketed it to willing purchasers. The revelations surrounding Coruna not only illustrate the sophisticated nature of modern cyber threats but also serve as a stark reminder of the necessity for vigilant cybersecurity measures across organizations. Those in charge of cybersecurity protocols must remain aware of the evolving landscape of attack techniques, as outlined in the MITRE ATT&CK framework, encompassing tactics such as initial access, persistence, and privilege escalation, which may have been utilized in these recent exploitations.