March 4, 2026

Leaked iPhone Spyware ‘Coruna’ Now Steals Crypto and Sensitive User Data

Security researchers say a powerful iPhone hacking framework once tied to surveillance operations is now being used in criminal campaigns to steal cryptocurrency and sensitive data from users.

The exploit kit, known as Coruna, reportedly contains multiple exploit chains capable of compromising vulnerable iPhones through malicious websites.

Hackers Target WebKit and Older iOS Versions

According to analysis from Google Threat Intelligence Group and mobile security company iVerify, the framework includes:

  • Five full exploit chains
  • 23 known iOS vulnerabilities
  • Techniques that bypass several Apple security protections

The attacks target WebKit, the browser engine used by all iOS browsers. That means simply visiting a malicious web page could compromise devices running older iOS builds.

Once triggered, the exploit chain escalates privileges from the browser to kernel-level access, allowing attackers to install malware with root permissions.

From Surveillance Tool to Criminal Weapon

Researchers first detected fragments of the framework in early 2025 during a surveillance operation reportedly linked to a customer of a spyware vendor.

Later that year, the exploit appeared again in a suspected Russian intelligence campaign targeting Ukrainian websites. The malicious code was hidden inside a visitor-counting widget that silently infected selected iPhone users.

More recently, the framework has been reused in criminal operations targeting Chinese-language cryptocurrency and gambling sites.

40,000+ Devices Potentially Infected by "Coruna"

Security firm iVerify estimates that a single crypto-focused campaign infected roughly 42,000 devices, based on connections to command-and-control servers used by the attackers.

Once a device is compromised, hackers can search for cryptocurrency wallets, steal exchange login credentials, and extract photos and email data.

Researchers say the underlying exploit framework is highly sophisticated, while the criminal malware added on top appears much simpler, suggesting different groups are reusing the same exploit platform.

Possible Links to Earlier Spyware Campaigns

The code used in Coruna reportedly overlaps with components from Operation Triangulation, a major iPhone espionage campaign discovered in 2023.

Some researchers believe the framework may have originally been developed for government or intelligence use before leaking into the wider exploit marketplace.

Experts compare the situation to the leak of EternalBlue, which later powered large-scale cyberattacks such as WannaCry.

How Government-Grade iPhone Exploits End Up in Criminal Hands

Researchers say the incident highlights a growing “second-hand” market for zero-day exploit frameworks.

Tools originally created for intelligence agencies or law enforcement may eventually be resold through exploit brokers, sometimes ending up in the hands of rival governments or cybercriminal groups.

While Apple has patched the known vulnerabilities used by Coruna in current iOS versions, security experts warn that the techniques behind the framework could continue to evolve.

Users running older versions of iOS remain the most vulnerable. To avoid exposure to these vulnerabilities, users must keep devices fully updated with the latest security patches.

The post Leaked iPhone Spyware ‘Coruna’ Now Steals Crypto and Sensitive User Data appeared first on gHacks.



☞ Original article by Arthur Kay.
