Have you ever imagined a magic toolkit containing a key for every lock in your house? That's exactly what the "Coruna" malware package, uncovered by Google's Threat Analysis Group (GTIG), represents. We're not talking about a single, isolated security vulnerability, but a veritable "supermarket" of security exploits that has passed through the hands of Russian spyware vendors and intelligence agencies, all the way to Chinese scammers, in a suspicious journey that reveals how the "used vulnerabilities" market operates in the dark web.

Coruna's journey from international espionage to financial theft
The Coruna suite is considered one of the most comprehensive iPhone hacking tools ever publicly documented. Its story began in February 2025 when it was first spotted in the hands of customers of a commercial company specializing in surveillance software. However, like any lethal weapon, it didn't remain in the hands of a single entity; by the summer of 2025, the same tools had appeared in attacks launched by a Russian spy group targeting users in Ukraine through suspicious websites.

Ironically (and alarmingly), what happened later in late 2025 was that these sophisticated technologies fell into the hands of Chinese criminals motivated purely by financial gain. They used them to plant traps on fake cryptocurrency and banking websites. This transfer proves that the malware market is incredibly active, and that vulnerabilities once reserved for states are now available to anyone who can pay, much like buying an old phone from a secondhand market, but with very malicious intent.
Technological intelligence in the service of sabotage
This package isn't just random code; it's highly sophisticated software engineering. When an unlucky user visits a compromised website, the package immediately fingerprints their iPhone, identifies its model and operating system version, and then selects the "right bullet" from among the 23 security vulnerabilities stored in its arsenal to execute the attack with extreme precision.

This malware targets iOS versions 13.0 through 17.2.1. The attack code is heavily encrypted and wrapped in a custom format created by the developers to complicate the task for security researchers. The developers even included detailed English notes within the code explaining how each part works, indicating a high level of expertise (put to malicious use) in creating this malware.
This demonstrates how important it is to upgrade your device's operating system to the latest version.
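The practical question for anyone managing a fleet of iPhones is which devices still sit inside the 13.0 through 17.2.1 range the article names. The script below is an added example, not code from the article or from Google's report: it parses a constructed, hypothetical MDM inventory export (columns `device_id,model,os_version`) and flags devices whose OS version falls in that range. The one subtlety worth showing is that iOS versions must be compared numerically, component by component; a plain string comparison would treat "17.10" as older than "17.2" and mis-classify it.

```python
"""
Added example (not from the article): flag devices whose iOS version falls
inside the range the article says Coruna targets (13.0 through 17.2.1).
SAMPLE_INVENTORY is constructed sample data in a hypothetical
"device_id,model,os_version" CSV layout; adapt the column names to your MDM.
"""
import csv
import io
from typing import List, Tuple

# Affected range as stated in the article; both ends inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.2' or '17.2.1' into a comparable (major, minor, patch) tuple.

    Missing trailing components are treated as 0, so '17.2' == '17.2.0'.
    Comparing integer tuples avoids the string-comparison trap where
    '17.10' < '17.2'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_affected_range(version: str) -> bool:
    """True if the version lies within AFFECTED_MIN..AFFECTED_MAX inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample inventory: covers an in-range device, both boundary
# values (17.2.1 inside, 17.2.2 outside), a two-component version, a
# two-digit minor version, and a device older than the range.
SAMPLE_INVENTORY = """\
device_id,model,os_version
d-001,iPhone 11,16.7.2
d-002,iPhone 14 Pro,17.2.1
d-003,iPhone 15,17.2.2
d-004,iPhone 12,17.10
d-005,iPhone 8,12.5.7
d-006,iPhone 13,17.0
"""


def find_exposed_devices(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (device_id, model, os_version) for every device in the affected range."""
    exposed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if in_affected_range(row["os_version"]):
            exposed.append((row["device_id"], row["model"], row["os_version"]))
    return exposed


if __name__ == "__main__":
    for device_id, model, os_version in find_exposed_devices(SAMPLE_INVENTORY):
        print(f"EXPOSED: {device_id} ({model}) on iOS {os_version}")
```

Run against the sample data, the script reports d-001, d-002 and d-006 and leaves 17.2.2, 17.10 and 12.5.7 alone. The upper bound is inclusive because the article names 17.2.1 as the last affected version; if a later report narrows or widens the range, only the two constants need changing.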
Hackers have their eyes on your wallet (and notes too!)
The ultimate goal of Coruna isn't just spying, but accessing money. The software is designed to target 18 different cryptocurrency apps to steal credentials. Furthermore, it can decode QR codes from images stored on the device and scan text for seed phrases or keywords like "bank account" or "backup."

What should really alarm you is its ability to scan your Apple Notes app for any sensitive data you might have left there, thinking it was safe. So, if you're still keeping your passwords in Notes, it's time to break this bad habit immediately.
Lockdown Mode: The hero who didn't wear a cape
Amidst all this alarming news, one hero has managed to stand out. A Google report confirmed an astonishing fact: once the exploit code detects that the user has activated Lockdown Mode on the iPhone, it pulls back immediately! The package doesn't even attempt to attack, because the strict security restrictions imposed by this mode make hacking attempts futile and technically costly.
This is a major success for Apple; Lockdown Mode, which some might find complex or restrictive, has proven to be an impenetrable fortress against 23 sophisticated vulnerabilities. If you feel you are a target or work in a sensitive area, don't hesitate to activate this mode; it literally makes hackers pack their bags and leave.