Coruna: What's behind the new exploit kit for iPhones
“Coruna” is the name of a collection of hacking tools for the iPhone that cracks various iOS versions. Apparently, state actors are behind it again.
(Image: heise online / dmk)
Emergency patch overnight on Thursday: Apple has just released important updates for iPhones and iPads running the old iOS and iPadOS versions 15 and 16. The reason is Coruna, an apparently extremely complex and capable exploit kit that targets Apple devices with older operating systems. The malware was discovered by Google's security team, GTIG (Google Threat Intelligence Group), and the security company iVerify has also published a detailed analysis. Apparently, Apple then noticed that not all of the vulnerabilities exploited by Coruna had been closed on these older versions yet, and the company reacted with an update. Apple itself provided the fix for iOS and iPadOS 16, while the bug fixes for iOS and iPadOS 15 partly came from external security researchers, including Félix Poulin-Bélanger, who found a serious kernel vulnerability. But what exactly is Coruna, what can it do, and which attacks are still being carried out?
First spies, then criminals
First of all, according to Google, current iOS and iPadOS versions are no longer affected. According to GTIG, the last of the exploited vulnerabilities was closed as of iOS 17.5. However, it is possible that the creators behind Coruna have since delivered updates. GTIG lists a total of 23 different exploits discovered in the exploit kit. Coverage starts with iOS 13 and goes up to iOS 17.4 (including the matching iPadOS versions in each case). The malware works as a 1-click attack: a single click on a link is enough to initiate the infection. The exploit chain always starts in Safari, where a WebKit vulnerability is exploited first. Then, depending on the operating system version, the infection continues along different paths. Coruna acts extremely flexibly and stealthily, avoids writing to log files as far as possible, and masks its code.
It is still unclear who developed Coruna, but it is likely to be professionals. GTIG writes that the use of the exploit kit by apparently Russian espionage circles in Ukraine could be observed. Later, the malware was also used by criminals apparently operating from China; this involved collecting crypto wallets or passwords and other information about crypto exchanges and other financial institutions.
Malware distribution was still active
Ultimately, Coruna can do anything with an infected iPhone or iPad via its “implants,” as the malware gains full control. Coruna, whose name is said to appear in the code of the exploit kit itself, was first discovered in spring 2025. In summer 2025, watering hole attacks occurred via compromised websites. At the end of 2025, Coruna then appeared in connection with crypto hacks, including being distributed via fake crypto exchange websites.
Security researcher and YouTuber Billy Ellis infected a test device with Coruna himself and then observed the process via a MITM proxy. This showed how dangerous the exploit kit is. Even worse: apparently, not all infection vectors have been shut down yet; until a few days ago, there were still websites on which the exploit kit was active. Ellis also infected his test device via one such site.
(bsc)