The emergence of a new iPhone hacking tool called Coruna has set off alarm bells in the cybersecurity sector. What initially seemed like an arsenal reserved for highly selective operations has ended up being used in much broader campaigns with purely economic motivations, affecting users in different regions, including Europe, as with the massive Spotify hack.
According to the analyses published by the Google Threat Intelligence Group (GTIG) and the specialized firm iVerify, Coruna is not a simple isolated exploit but a complete, modular exploit kit capable of chaining several iOS vulnerabilities together to take control of a device simply by loading a malicious website. This evolution, from state espionage to organized crime, reopens the debate about what happens when so-called "cyber weapons" escape from controlled circuits.
What is Coruna and which iPhones does it affect?
According to the documentation published by the GTIG, Coruna is an exploit kit specifically designed to attack iPhones running iOS versions between 13.0 and 17.2.1. This is not an isolated flaw but a set of components that can be combined to overcome several of the operating system's defenses.
Researchers describe five complete attack chains and a total of 23 distinct exploits integrated into the tool. A large part of these attacks target WebKit, the engine used by Safari and other browsers on the iPhone, which allows the phone to be compromised simply by visiting a manipulated website, with no downloads or additional interaction required.
One of the characteristics that most worries experts is Coruna's capacity to perform silent infections using "watering hole" techniques. This approach involves inserting malicious code into pages that victims regularly visit, so the intrusion occurs discreetly and is difficult for the average user to detect.
When the vulnerability chain executes successfully, the kit can install spyware, deploy different types of malware, and spy on or steal sensitive data stored on the iPhone. Potential targets include messages, location, access credentials, personal files, and even information used to manage financial services or cryptocurrencies.
Although its historical scope spans iOS 13.0 to iOS 17.2.1, the latest versions of Apple's operating system are reported to no longer be vulnerable to this specific set of exploits. According to findings released by Google and iVerify, the number of outdated devices still poses a risk, especially in regions with a high concentration of iPhones in daily use.
From selective espionage to massive cybercrime campaigns
The route Coruna has travelled clearly shows how a tool designed for very high-level operations can end up out of control. The first traces of activity documented by Google's Threat Intelligence Group date back to 2025, when fragments of the kit were detected in what they described as a very limited operation linked to a digital surveillance provider that presumably worked for a government client.
Over time, the same techniques appeared in attacks targeting Ukrainian users. In a campaign attributed to the Russian group UNC6353, the attackers embedded the exploit code in Ukrainian web pages, taking advantage of the conflict context and seeking to compromise devices of strategic interest.
Shortly afterwards, the researchers located a more evolved version of the toolkit in the hands of a financially motivated actor operating from China, identified as UNC6691. In that phase, the main purpose was no longer political surveillance but the theft of digital assets, especially cryptocurrencies, taking advantage of the popularity of these services among certain user profiles.
In the campaigns linked to this Chinese group, the Coruna operators relied on Chinese-language cryptocurrency sites and gambling platforms to lure victims. Once the devices were infected, the malware added modules specialized in tracking and extracting seed phrases, login credentials, and other data associated with crypto wallets and financial services.
iVerify's analysis estimates that at least 42,000 iPhones may have been compromised in this latest wave, which gives an idea of the leap from discreet operations to much larger-scale campaigns. The Coruna case illustrates how top-tier exploits cease to be exclusive to intelligence agencies once they begin to be shared, resold, or leaked, multiplying their impact on ordinary users.
How Coruna technically works on iPhones
At a technical level, Coruna presents itself as a modular system designed to adapt to different objectives and environments. Operators can combine components depending on the type of attack they want to carry out: prolonged surveillance, theft of financial information, or obtaining initial access for subsequent operations, among other scenarios.
The process usually starts when the user visits a page that has been compromised with exploit scripts. From there, the kit exploits vulnerabilities in WebKit and other iOS components to execute the first link in the chain. This initial step opens the door to further exploits that gradually escalate privileges within the system.
Once they have obtained sufficient permissions, attackers can install spyware, log keystrokes, exfiltrate documents, or intercept communications. In the variants used by financially motivated groups, a particular interest has been observed in monitoring financial applications, cryptocurrency wallet managers, and mobile banking services.
The analyses also indicate that Coruna incorporates checks to detect whether the iPhone has Apple's Lockdown Mode activated. If it identifies that this advanced protection feature is in use (common among journalists, activists, government staff, and executives), the kit may choose not to run the infection, reducing the risk of being detected and analyzed by experts.
Despite this level of sophistication, the researchers emphasize that the kit's actual effectiveness is limited by the updates Apple has been rolling out. The company has corrected each of the vulnerabilities exploited by Coruna, so the latest versions of iOS should no longer be susceptible to these specific attack chains. The problem, as is often the case, lies with devices that still haven't been updated.
Possible links to exploitation frameworks used by the NSA
One of the most delicate issues in the case concerns the possible origin of Coruna and its similarities to state intelligence tools. Google has been cautious in its public reports and avoids directly pointing to any country, but iVerify has gone a step further in its technical assessments.
After reverse-engineering a variant of Coruna used in cryptocurrency-focused campaigns, known as CryptoWaters, iVerify analysts detected parallels with frameworks previously associated with the United States National Security Agency (NSA). These similarities reportedly range from coding patterns to the way the various vulnerabilities are chained together.
iVerify co-founder Rocky Cole has indicated that the level of technical complexity and the estimated development cost point to an entity with resources far exceeding those of a typical criminal group. Furthermore, the analyzed code exhibits features suggesting it was written by English-speaking programmers, which coincides with other frameworks attributed in the past to Western intelligence operations.
During the analysis, similarities were also identified between parts of Coruna and components used in the so-called Operation Triangulation, a campaign discovered in 2023 that targeted iOS devices belonging to employees of the cybersecurity firm Kaspersky. At the time, the Russian government publicly accused the NSA of being behind the attacks, although Washington neither confirmed nor denied the accusations.
Even so, experts point out that attribution in cybersecurity is extremely complex, and without conclusive evidence the connections should be treated with caution. What does seem clear is that developing an arsenal like Coruna would have required an investment of millions of dollars and specialized teams working for years, something that fits the profile of a state actor better than that of an improvised group.
The risk of cyber weapons leaking onto the black market
Regardless of who was initially behind its development, the Coruna case reignites a recurring fear in the security community: the possibility that tools created for state espionage may end up circulating freely. When that happens, they cease to be a problem limited to geopolitical conflicts and begin to affect companies, administrations, and citizens of many countries.
One often-mentioned precedent is EternalBlue, the exploit developed by the NSA that was stolen and leaked in 2017. That tool, theoretically intended for highly controlled operations, ended up being used in massive attacks such as WannaCry and NotPetya, causing disruptions in hospitals, businesses, and public bodies around the world, including Europe, and in later episodes such as the great Netflix hack.
Some specialists believe that Coruna could mark a similar turning point in the mobile ecosystem, demonstrating that extremely sophisticated exploit kits can end up integrated into cybercrime campaigns targeting ordinary users. The difference is that, in this case, the primary target is phones, which have become central to much of our digital lives.
Reports from Google and iVerify point to the possible existence of an active market for "second-hand" exploits, in which exploitation frameworks initially used by agencies or surveillance providers pass into the hands of other actors through intermediaries. Once a tool enters this circuit, experts emphasize, it is virtually impossible to regain control over who uses it and for what purposes.
This dynamic forces a rethink of the balance between stockpiling vulnerabilities for offensive purposes and the responsibility to report them to manufacturers. Every time a decision is made not to report a critical flaw, it is assumed that the information will remain under control, something that cases like Coruna's seriously call into question.
An opaque market for exploits and its impact in Spain and Europe
Behind episodes like Coruna's, one often finds a poorly regulated international market of vulnerability brokers. These intermediaries buy exploits and intrusion tools for very high sums and then resell them to governments, surveillance companies, or even criminal actors operating on their own.
Recently, a sentence of seven years in prison was announced for an executive of the American company Trenchant, after it was proven that he had sold hacking tools to a Russian intermediary specializing in zero-day exploits. Cases like this illustrate how blurred the line can be between the cybersecurity industry, intelligence operations, and the black market.
In the European context, and particularly in Spain, this reality has direct implications. The iPhone is used massively for digital banking, two-step authentication, access to public services, and corporate information management. If a tool like Coruna falls into the hands of profit-driven groups, the risk is no longer just a loss of privacy but also unauthorized money transfers, identity theft, or leaks of sensitive data.
Experts warn that even if the specific vulnerabilities exploited by Coruna are patched, the knowledge and frameworks developed around this kit can be reused and adapted to new flaws in later versions of iOS. In other words, the danger doesn't disappear but evolves over time along with the system updates themselves.
In an environment where many small and medium-sized European companies continue to rely on mobile devices for critical tasks, the infection of a single outdated iPhone can serve as a gateway to internal networks, management systems, or document repositories. This makes mobile security a key element of any cybersecurity strategy.
How to protect your iPhone against Coruna and similar threats
The relatively positive aspect of the case is that, thanks to the fixes Apple has been rolling out, Coruna is no longer effective against the latest versions of iOS. However, as long as a significant number of devices continue to run unpatched versions of iOS 13, 14, 15, 16, or early versions of iOS 17, the operators of these kits will maintain a base of potential victims.
For users in Spain and the rest of Europe, the first line of defense is clear: keep your iPhone updated to the latest iOS version available for your device. Many attacks of this type remain profitable because a significant portion of the mobile phone market remains stuck on older versions for months or even years.
In cases where it is not possible to install the latest version (because of compatibility with internal applications, corporate restrictions, or older iPhone models), activating Apple's Lockdown Mode can add an extra layer of protection. This feature reduces the attack surface by disabling certain behaviors that are commonly exploited by advanced exploit kits.
It is also advisable to take extra caution when visiting unreliable websites or clicking on links from dubious sources. This is especially important if the device is used for sensitive operations such as managing bank accounts, investments, or cryptocurrency wallets. Although Coruna requires no more interaction than loading the page, reducing exposure to risky sites lowers the chances of falling victim to a "watering hole" attack.
In the corporate sector and in public administrations, centralized management of iOS security policies and updates is essential. Maintaining up-to-date device inventories, applying patches in a coordinated manner, and limiting the use of older versions are key steps to reducing the attack surface that these tools can exploit.
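As an added illustration of the inventory triage described above (example code written for this article, not from Google, iVerify or Apple), the following Python snippet flags devices whose reported iOS version falls inside the 13.0 to 17.2.1 range cited for Coruna and prioritises those without Lockdown Mode. The inventory format and device ids are assumed and constructed; a real deployment would read them from the organisation's MDM export.

```python
"""Triage an iOS device inventory against the version range cited for Coruna.
The inventory layout below is a hypothetical one, not any MDM product's schema.
"""
from typing import Dict, List, Tuple

# Range quoted in the article; both endpoints are inclusive.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.2' or '17.2.1' into a (major, minor, patch) tuple.

    Missing components are padded with 0, so '17.2' compares equal to 17.2.0
    and therefore still falls inside the affected range.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_coruna_range(version: str) -> bool:
    """True when the version is one the article lists as affected."""
    return CORUNA_MIN <= parse_ios_version(version) <= CORUNA_MAX


def triage_inventory(devices: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group device ids by action: 'patch_no_lockdown' (affected and without
    Lockdown Mode, highest priority), 'patch' (affected), or 'ok'."""
    result: Dict[str, List[str]] = {"patch_no_lockdown": [], "patch": [], "ok": []}
    for dev in devices:
        dev_id = str(dev["id"])
        if not in_coruna_range(str(dev["ios"])):
            result["ok"].append(dev_id)
        elif dev.get("lockdown_mode"):
            result["patch"].append(dev_id)
        else:
            result["patch_no_lockdown"].append(dev_id)
    return result


# Constructed sample inventory; ids and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"id": "iphone-finance-01", "ios": "17.2.1", "lockdown_mode": False},
    {"id": "iphone-exec-02", "ios": "17.2", "lockdown_mode": True},
    {"id": "iphone-field-03", "ios": "18.3.1", "lockdown_mode": False},
    {"id": "iphone-old-04", "ios": "13.0", "lockdown_mode": False},
    {"id": "iphone-legacy-05", "ios": "12.5.7", "lockdown_mode": False},
]

if __name__ == "__main__":
    for action, ids in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(ids) or '-'}")
```

Devices outside the range are not necessarily safe, only outside the set of chains this kit is reported to carry, so the "ok" bucket still belongs in the normal patch cycle.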
The case of the iPhone hacking tool called Coruna reflects how an extremely advanced exploit kit can go from discreet surveillance operations to becoming part of the arsenal of various groups, from government-linked suppliers to Russian and Chinese cybercriminals, in just a few years. Although Apple has closed most of the exploited vulnerabilities in the latest versions of iOS, the existence of thousands of outdated devices in Europe keeps the risk alive and emphasizes the need to combine updates, advanced protection features, and prudent browsing habits rather than taking mobile security for granted.
