{"id":1512,"date":"2026-03-04T03:37:00","date_gmt":"2026-03-04T03:37:00","guid":{"rendered":"https:\/\/owspakistan.com\/?p=1512"},"modified":"2026-03-04T09:16:09","modified_gmt":"2026-03-04T09:16:09","slug":"coruna-iphone-hacking-toolkit-us-government","status":"publish","type":"post","link":"https:\/\/owspakistan.com\/?p=1512","title":{"rendered":"A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals"},"content":{"rendered":"<div>\n<p class=\"paywall\">Google notes that Apple patched vulnerabilities used by Coruna in the latest versions of its mobile operating system, <a href=\"https:\/\/www.wired.com\/story\/apple-iphone-ios-18-ipados-18-new-features\/\" target=\"_blank\" rel=\"noopener\">iOS 26<\/a>, so its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. It targets vulnerabilities in Apple&#8217;s WebKit framework for browsers, so Safari users on those older versions of iOS would be vulnerable, but there are no confirmed techniques in the toolkit for targeting Chrome users. Google also notes that Coruna checks if an iOS device has Apple&#8217;s most stringent security setting, known as <a href=\"https:\/\/www.wired.com\/story\/apple-lockdown-mode-hands-on\/\" target=\"_blank\" rel=\"noopener\">Lockdown Mode<\/a>, enabled, and doesn\u2019t attempt to hack it if so.<\/p>\n<p class=\"paywall\">Despite those limitations, iVerify says Coruna likely infected tens of thousands of phones. The company consulted with a partner that has access to network traffic and counted visits to a command-and-control server for the cybercriminal version of Coruna infecting Chinese-language websites. 
The volume of those connections suggests, iVerify says, that roughly 42,000 devices may have already been hacked with the toolkit in the for-profit campaign alone.<\/p>\n<p class=\"paywall\">Just how many other victims Coruna may have hit, including Ukrainians who visited websites infected with the code by the suspected Russian espionage operation, remains unclear. Google declined to comment beyond its published report. Apple did not immediately provide comment on Google or iVerify&#8217;s findings.<\/p>\n<p>A Single, Very Professional Author<\/p>\n<p class=\"paywall\">In iVerify&#8217;s analysis of the cybercriminal version of Coruna\u2014it didn&#8217;t have access to any of the earlier versions\u2014the company found that the code appeared to have been altered to plant malware on target devices designed to drain cryptocurrency from crypto wallets as well as steal photos and, in some cases, emails. Those additions, however, were \u201cpoorly written\u201d compared to the underlying Coruna toolkit, according to iVerify chief product officer Spencer Parker, which he found to be impressively polished and modular.<\/p>\n<p class=\"paywall\">\u201cMy God, these things are very professionally written,\u201d Parker says of the exploits included in Coruna, suggesting that the cruder malware was added by the cybercriminals who later obtained that code.<\/p>\n<p class=\"paywall\">As for the code modules that suggest Coruna\u2019s origins as a US government toolkit, iVerify\u2019s Cole notes one alternative explanation: It&#8217;s possible that the overlaps between Coruna&#8217;s code and the Operation Triangulation malware, which Russia pinned on US hackers, could have resulted from Triangulation\u2019s components being picked up and repurposed after they were discovered. But Cole argues that\u2019s unlikely. 
Many components of Coruna have never been seen before, he points out, and the whole toolkit appears to have been created by a \u201csingle author,\u201d as he puts it.<\/p>\n<p class=\"paywall\">\u201cThe framework holds together very well,\u201d says Cole, who previously worked at the NSA, but notes that he&#8217;s been out of the government for more than a decade and isn&#8217;t basing any findings on his own outdated knowledge of US hacking tools. \u201cIt looks like it was written as a whole. It doesn\u2019t look like it was pieced together.\u201d<\/p>\n<p class=\"paywall\">If Coruna is, in fact, a US hacking toolkit gone rogue, just how it got into foreign and criminal hands remains a mystery. But Cole points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was sentenced this month to seven years in prison for <a data-offer-url=\"https:\/\/www.zetter-zeroday.com\/trenchant-exec-who-sold-his-employers-zero-day-exploits-to-russian-buyer-sentenced-to-7-years-in-prison\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.zetter-zeroday.com\/trenchant-exec-who-sold-his-employers-zero-day-exploits-to-russian-buyer-sentenced-to-7-years-in-prison\/&quot;}\" href=\"https:\/\/www.zetter-zeroday.com\/trenchant-exec-who-sold-his-employers-zero-day-exploits-to-russian-buyer-sentenced-to-7-years-in-prison\/\" rel=\"nofollow noopener\" target=\"_blank\">selling hacking tools to the Russian zero-day broker Operation Zero<\/a> from 2022 to 2025. 
Williams\u2019 sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the \u201cFive Eyes\u201d group of English-speaking governments\u2014the US, UK, Australia, Canada and New Zealand\u2014though it&#8217;s not clear what specific tools he sold or what devices they targeted.<\/p>\n<p class=\"paywall\">\u201cThese zero-day and exploit brokers tend to be unscrupulous,&#8221; says Cole. \u201cThey sell to the highest bidder and they double dip. Many don\u2019t have exclusivity arrangements. That\u2019s very likely what happened here.\u201d<\/p>\n<p class=\"paywall\">\u201cOne of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay,\u201d Cole concludes. \u201cThe genie is out of the bottle.\u201d<\/p>\n<\/div>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google notes that Apple patched vulnerabilities used by Coruna in the latest versions of its mobile operating system, iOS 26, so its exploitation techniques are only confirmed to work against iOS 13 through 17.2.1. 
It targets vulnerabilities in Apple&#8217;s Webkit framework for browsers, so Safari users on those older versions of iOS would be vulnerable,<\/p>\n","protected":false},"author":1,"featured_media":1513,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[393,394,395,396],"tags":[214,390,391,388,385,386,389,387,178,392],"class_list":["post-1512","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-security-cyberattacks-and-hacks","category-security-security-news","category-wild-thing","tag-apple","tag-cryptocurrency","tag-cybersecurity","tag-hacking","tag-ios","tag-iphone","tag-malware","tag-nsa","tag-russia","tag-security"],"jetpack_publicize_connections":[],"_links":{"self":[{"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/posts\/1512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/owspakistan.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1512"}],"version-history":[{"count":0,"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/posts\/1512\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owspakistan.com\/index.php?rest_route=\/wp\/v2\/media\/1513"}],"wp:attachment":[{"href":"https:\/\/owspakistan.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1512"}],"wp:term":[{"taxonomy":"category","embeddable":true
,"href":"https:\/\/owspakistan.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owspakistan.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}