
Coruna Exploit Endangers iPhones


💡Coruna, an elite iPhone exploit kit, has spread from government customers to criminals; patch iOS now or risk data theft.

⚡ 30-Second TL;DR

What Changed

Zero-click compromise of iPhones that merely visit a malicious or compromised website, using five exploit chains built from 23 vulnerabilities.

Why It Matters

Demonstrates how elite nation-state exploits eventually leak to mass-market criminals, undermining security for everyone. Urges universal patching, since no exploit stays contained with its original operator.

What To Do Next

Update every iPhone to a current iOS release (Coruna's chains target iOS 13.0 through 17.2.1), and enable Lockdown Mode on high-risk devices to reduce exposure to Coruna-like web-delivered exploits.

Who should care: Developers & AI Engineers

🧠 Deep Insight

Web-grounded analysis with 8 cited sources.

🔑 Enhanced Key Takeaways

  • Coruna was first observed in February 2025, in use by a customer of a commercial surveillance vendor; it relied on a novel JavaScript framework for device fingerprinting[1][2][3][4].
  • In July 2025, it was deployed in watering-hole attacks on Ukrainian websites by UNC6353, a suspected Russian espionage group[2][3][5].
  • By December 2025, it had been repurposed by a China-based, financially motivated actor on fake gambling and crypto-scam sites[1][3][4][5].

🛠️ Technical Deep Dive

  • Device fingerprinting identifies the iPhone model and iOS version, after which the kit automatically selects a compatible WebKit exploit chain; the chains include bypasses for Apple mitigations such as pointer authentication (PAC)[2].
  • Payloads are delivered with custom encryption and compression; a binary loader (PlasmaLoader) installs the implant into system processes[2][4].
  • The payload scans images for QR codes, searches text blobs (e.g., Apple Memos) for BIP39 seed phrases and for keywords such as 'backup phrase' or 'bank account', and exfiltrates crypto-wallet data from apps such as MetaMask and BitKeep[2][4][5].
  • Delivery is via a hidden iframe on the website; the exploits, beginning with CVE-2024-23222, total 23 (several without assigned CVEs) across five chains covering iOS 13.0 through 17.2.1[3][4].
  • The framework is well engineered: obfuscated exploits, inline documentation in native English, and debug builds that reveal the internal name 'Coruna'[3][4][6].
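The one check a fleet owner can act on from the above is whether a device's iOS version falls inside Coruna's reported target range (13.0 through 17.2.1). The script below is an added example for this summary, not code from GTIG, iVerify or Computerworld; the inventory format (a list of rows with "device" and "os_version" keys, as an MDM export might produce) and the sample rows are assumptions constructed for illustration. It handles the boundaries inclusively and the awkward case of versions with differing component counts ("17.2" versus "17.2.1").

```python
"""Flag inventory devices whose iOS version lies in Coruna's reported
target range, iOS 13.0 through 17.2.1 inclusive (range per the page above).

Added example, not GTIG/iVerify/Computerworld code. The inventory layout
and the sample rows below are assumptions, not data from the reporting.
"""
from __future__ import annotations

# Reported range, both ends inclusive. iOS 17.3 (January 2024) shipped the
# fix for CVE-2024-23222, so 17.2.1 is the last release the chains cover.
CORUNA_MIN: tuple[int, ...] = (13, 0)
CORUNA_MAX: tuple[int, ...] = (17, 2, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '17.2.1' or 'iOS 17.2' into an int tuple; reject anything else."""
    cleaned = text.strip()
    if cleaned.lower().startswith("ios"):
        cleaned = cleaned[3:].strip()
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so (17, 2) compares as (17, 2, 0)."""
    return version + (0,) * (width - len(version))


def in_target_range(version: str) -> bool:
    """True if the version is within [CORUNA_MIN, CORUNA_MAX]."""
    v = parse_version(version)
    width = max(len(v), len(CORUNA_MIN), len(CORUNA_MAX))
    return _pad(CORUNA_MIN, width) <= _pad(v, width) <= _pad(CORUNA_MAX, width)


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Bucket devices as exposed / not_in_range / unknown.

    'not_in_range' is not 'safe': a device below iOS 13.0 is simply outside
    the chains this kit was seen to carry, and is still unpatched.
    """
    report: dict[str, list[str]] = {"exposed": [], "not_in_range": [], "unknown": []}
    for row in inventory:
        try:
            bucket = "exposed" if in_target_range(row["os_version"]) else "not_in_range"
        except (KeyError, ValueError):
            bucket = "unknown"  # missing or malformed version: escalate, do not ignore
        report[bucket].append(row.get("device", "?"))
    return report


# Constructed sample inventory (assumption, not real fleet data).
SAMPLE_INVENTORY: list[dict[str, str]] = [
    {"device": "ip-001", "os_version": "17.2.1"},    # upper bound, in range
    {"device": "ip-002", "os_version": "17.3"},      # first release with the CVE-2024-23222 fix
    {"device": "ip-003", "os_version": "iOS 13.0"},  # lower bound, in range
    {"device": "ip-004", "os_version": "12.5.7"},    # below range, still unpatched
    {"device": "ip-005", "os_version": "26.0.1"},    # current, out of range
    {"device": "ip-006", "os_version": "n/a"},       # malformed, goes to 'unknown'
]

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(devices) or '-'}")
```

Run against a real MDM export, the "exposed" bucket is the patch list and the "unknown" bucket is the inventory-hygiene list; neither should be empty-by-accident because a version string was skipped silently.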

🔮 Future Implications
AI analysis grounded in cited sources

An active market for second-hand zero-day exploits will proliferate advanced iOS attacks
GTIG observed Coruna circulating from a surveillance vendor to nation-state and criminal actors; the sharing mechanism is unclear, but the reuse shows that such kits do not stay with their original operators[1][3][4].
Slow iOS update adoption will sustain mass infections on the 26% of devices still unpatched
The article notes that 26% of recent iPhones had not taken the iOS 26 update and remained on vulnerable versions, a problem made worse by Coruna's indiscriminate targeting of any visitor rather than specific individuals[1].
Nation-state tools leaking to criminals will increase the scale of financial crime
iVerify links Coruna's US-affiliated codebase to mass criminal use, marking a shift from espionage to financial theft such as crypto-wallet data exfiltration[1][6].

Timeline

2019-09
iOS 13.0 released, marking the start of the vulnerable version range
2023-12
iOS 17.2.1 released, the upper limit of Coruna's target range
2025-02
GTIG first observes Coruna in use by a surveillance vendor's customer
2025-07
Deployed in watering-hole attacks by Russian group UNC6353 against Ukrainians
2025-12
Repurposed by a China-based actor on fake gambling and crypto sites
2026-03
GTIG and iVerify publicly disclose Coruna exploit kit details

AI-curated news aggregator. All content rights belong to original publishers.
Original source: Computerworld