iPhone hacking tool attacked Ukrainians: who is at risk
Cybersecurity experts have reported the discovery of a powerful set of exploits called Coruna, which allows hackers to break into iPhones with outdated software. According to Google, this tool was used in a large-scale hacking campaign targeting Ukrainian users.
The company noted that Coruna was first detected in February 2025. At that time, the tool was used by a contractor providing surveillance services to attempt to hack someone's phone using spyware on behalf of a government client.
A few months later, Google researchers spotted the same set of exploits in a new campaign. This time, it was used by a Russian spy group in a large-scale attack against Ukrainian users.
Later, Coruna was also used by a hacker from China who had financial motives.
Experts note that it is currently unclear how these tools fell into the hands of attackers. At the same time, researchers warn of the formation of a new market for so-called "used" exploits — tools created for government operations that later fall into the hands of cybercriminals.
Mobile security company iVerify obtained and reconstructed this set of tools. In their blog, researchers reported that Coruna has similarities with hacking tools previously linked to the US government.
"The wider the use, the greater the likelihood of leakage," iVerify said. "Although iVerify has some evidence that this tool is a leak from a US government structure, this should not obscure the realisation that these tools will become publicly available and will be shamelessly exploited by malicious actors."
According to Google, the Coruna kit is particularly dangerous because it allows an iPhone to be hacked simply by visiting a malicious website that contains exploit code. Such attacks can be carried out, for example, by sending a malicious link to the user. This method is known in cybersecurity as a "watering hole" attack.
Experts report that Coruna is capable of hacking iPhones in five different ways. To do this, it uses and combines 23 separate vulnerabilities.
iPhones running operating system versions from iOS 13 to iOS 17.2.1, which was released in December 2023, are vulnerable.
According to Wired, some components of Coruna were previously used in a hacking campaign called "Operation Triangulation." In 2023, Russian cybersecurity company Kaspersky claimed that the US government had attempted to hack several iPhones belonging to its employees.
Experts emphasise that leaks of hacking tools are rare, but such cases are already known. For example, in 2017, tools from the US National Security Agency for hacking computers running the Windows operating system were leaked. One of them, the EternalBlue backdoor, was made public and used by cybercriminals in large-scale attacks, including the 2017 WannaCry ransomware attack carried out by North Korea.