Overview
- Google’s Threat Intelligence Group recovered the full Coruna package, documenting five exploit chains and 23 vulnerabilities that abuse WebKit to compromise iPhones running iOS 13 through 17.2.1.
- Use of the kit progressed from a surveillance-vendor customer in February 2025 to suspected Russian watering‑hole attacks on Ukrainian sites in July, then to a December 2025 criminal operation on Chinese‑language gambling and crypto pages.
- Google analyzed the delivered stager, which could decode QR codes, search for terms such as “backup phrase” or “bank account,” and run modules to exfiltrate data from cryptocurrency wallet apps.
- iVerify cites code overlaps with previously U.S.-attributed tooling and estimates about 42,000 devices were compromised in the for‑profit campaign, while Google highlights signs of a secondary market for zero‑day exploits.
- Apple has patched the relevant flaws in iOS 26; Coruna avoids executing when Lockdown Mode or private browsing is detected, so researchers advise updating or using these protections if upgrading is not possible.