Coruna Package: The Vulnerability Beast That Trembles Before “Lockdown Mode” on the iPhone

Have you ever imagined a magical toolbox containing a key for every lock in your house? That’s exactly what the malicious “Coruna” package uncovered by Google’s Threat Intelligence Group (GTIG) represents. We’re not talking about a single fleeting security flaw, but a full-fledged “supermarket” of exploits that have passed through the hands of spyware vendors, Russian intelligence, and even Chinese fraudsters, in a shady journey that reveals how the “used‑vulnerability” market operates in the dark corners of the internet.


Coruna’s Journey from International Espionage to Financial Theft

The Coruna package is one of the most comprehensive iPhone hacking tools ever publicly documented. Its story began in February 2025 when it was first spotted in the hands of clients of a commercial firm specializing in surveillance software. However, like any lethal weapon, it did not stay with a single party; by summer 2025, the same tools appeared in attacks carried out by a Russian espionage group targeting users in Ukraine via suspicious websites.

The ironic (and alarming) twist came later in 2025, when these high‑end techniques fell into the hands of Chinese criminals motivated purely by profit, who used them to plant traps on fake cryptocurrency and banking sites. This shift demonstrates that the malware market is highly active, and vulnerabilities once exclusive to nation‑states are now available to anyone who can pay, much like buying a used phone from a second‑hand market but with far more malicious intent.


Technological Smarts in the Service of Sabotage

This package is not just random code; it is highly sophisticated software engineering. When an unlucky user visits a compromised site, the package immediately analyzes the visitor’s iPhone to determine its model and iOS version. Based on this information, it selects the “right bullet” from among 23 stored vulnerabilities to execute the attack with pinpoint precision.

The package targets iOS versions from 13.0 up to 17.2.1. The attack code is heavily encrypted and wrapped in a custom format devised by the developers to complicate security researchers’ analysis. In fact, the developers left detailed English comments inside the code explaining how each component works, indicating a high (and malicious) level of professionalism in building this software monster.

This underscores how important it is to upgrade your device to the latest version.


Hackers Have Their Eyes on Your Wallet (And Your Notes Too!)

Coruna’s ultimate goal is not merely espionage but financial gain. The package is designed to hook into 18 different cryptocurrency apps to steal credentials. Moreover, the software can decode QR codes from images stored on the device and scan text for backup passwords (seed phrases) or phrases such as “bank account” or “backup.”

What should truly alarm you is its ability to scour the Apple Notes app for any sensitive data you may have left there, assuming it was safe. So if you still keep passwords in Notes, it’s time to break that bad habit immediately.


Lockdown Mode: The Hero Who Doesn’t Wear a Cape

Amid all these terrifying headlines, there is one hero that has held its ground. Google’s report confirmed a striking fact: as soon as the exploit code detects that the user has enabled “Lockdown Mode” on the iPhone, it immediately backs off! The package doesn’t even attempt an attack, because the stringent security restrictions imposed by this mode render exploitation futile and technically costly.

This is a major testament to Apple’s success; Lockdown Mode, which some may view as cumbersome or restrictive, has proven to be an impregnable fortress that 23 advanced vulnerabilities cannot breach. If you feel you are a target or work in a sensitive field, do not hesitate to enable this mode—it literally forces hackers to pack up and leave.

Is this report enough to scare you into performing regular system updates?

Source:

macrumors.com
