Full Report
A highly sophisticated set of iPhone hijacking techniques has likely infected tens of thousands of phones or more. Clues suggest it was originally built for the US government.
Analysis Summary
# Tool/Technique: Coruna
## Overview
Coruna is a highly sophisticated iOS exploit kit and hacking framework designed for "waterhole" attacks. It enables the silent, remote infection of iPhones when a user visits a compromised website. Originally linked to high-end surveillance operations, the toolkit has proliferated across diverse threat landscapes, moving from suspected state-sponsored espionage to profit-motivated cybercrime.
## Technical Details
- **Type:** Exploit Framework / Malware Toolkit
- **Platform:** iOS (iPhone)
- **Capabilities:** Remote Code Execution (RCE), Sandbox Escape, Kernel Privilege Escalation, and Spyware Delivery.
- **First Seen:** Components spotted Feb 2025; full toolkit active July 2025 (as reported in March 2026).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise]
- **[TA0002 - Execution]**
  - [T1203 - Exploitation for Client Execution]
- **[TA0004 - Privilege Escalation]**
  - [T1068 - Exploitation for Privilege Escalation]
- **[TA0005 - Defense Evasion]**
  - [T1620 - Reflective Code Loading]
- **[TA0009 - Collection]**
  - [T1512 - Screen Capture]
  - [T1430 - Location Scanning]
## Functionality
### Core Capabilities
- **Multi-Stage Exploitation:** Utilizes a chain of up to 23 distinct vulnerabilities to achieve a full device takeover.
- **Watering Hole Delivery:** Injected into legitimate websites (e.g., visitor counters on Ukrainian sites) to target specific demographics.
- **Silent Installation:** Requires no user interaction beyond loading the compromised page; once the site renders, the chain runs "zero-click" style.
### Advanced Features
- **Exploit Versatility:** Includes five complete, modular hacking techniques capable of bypassing modern iOS security mitigations.
- **Stealth Preservation:** Designed to leave minimal traces; components are often run in memory to avoid disk-based detection.
- **Targeted Payloads:** Capable of delivering diverse final stage payloads, ranging from credential harvesters to cryptocurrency drainers.
## Indicators of Compromise
*Note: Specific hashes and C2 domains were not fully detailed in the summary text, but behavioral patterns are noted.*
- **File Names:** Likely masquerades as legitimate iOS system processes or web service components.
- **Network Indicators:** Links to infrastructure previously associated with "Operation Triangulation"; the summary gives only defanged top-level-domain fragments (`[.]com`, `[.]net`), not specific hosts.
- **Behavioral Indicators:**
  - Unusual outbound traffic from system processes to unknown IPs.
  - High resource usage by the mobile browser (Safari/WebKit) while idling on specific pages.
  - Evidence of kernel-level hooking or unauthorized sandbox escapes.
## Associated Threat Actors
- **"Customer of a Surveillance Company":** Original source (suspected US-based contractor).
- **Suspected Russian Intelligence (APT):** Used in espionage campaigns targeting Ukrainian infrastructure.
- **Financially Motivated Criminals:** Used to target Chinese-speaking users for cryptocurrency theft.
## Detection Methods
- **Behavioral Detection:** Monitoring for unauthorized privilege escalation requests or unusual calls to the iOS kernel.
- **Heuristic Analysis:** Identifying the use of known exploit primitives within WebKit/Safari memory space.
- **Network Monitoring:** Flagging devices communicating with known command-and-control (C2) nodes previously linked to high-end surveillance kits.
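The network-monitoring item above is the one detection a fleet owner can actually run today, because it needs only egress logs and an indicator feed. The following is an added example (not code from the report or from any of the researchers it cites) showing how that check looks in practice: it refangs indicators published in the defanged `[.]` / `hxxp` form, matches hosts and their subdomains against a per-device egress log, and returns the devices that touched a listed host. The log format, the device names and every hostname in the indicator list are constructed placeholders; real indicators would come from the published report, which this summary does not reproduce.

```python
import re

# Constructed egress log in a simple "<ts> <device> <dest_host> <bytes_out>" form,
# the kind of record an MDM proxy or DNS resolver would emit. Not real traffic.
SAMPLE_LOG = """\
2026-03-02T10:15:01Z iphone-a4 cdn.example.org 1820
2026-03-02T10:15:04Z iphone-a4 counter.stats-placeholder.net 512
2026-03-02T10:15:09Z iphone-a4 upd.c2-placeholder.com 4096
2026-03-02T10:16:30Z iphone-b7 mail.example.org 900
2026-03-02T10:17:02Z iphone-b7 api.upd.c2-placeholder.com 73000
2026-03-02T10:18:45Z iphone-c1 cdn.example.org 1500
"""

# Placeholder indicator feed, written the way threat reports publish it (defanged).
# One entry is a watering-hole script host, one is a C2 host; both are invented.
INDICATORS_DEFANGED = [
    "upd.c2-placeholder[.]com",
    "hxxp://counter.stats-placeholder[.]net/count.js",
]

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a bare, lowercase hostname."""
    ioc = ioc.strip().lower()
    ioc = re.sub(r"^hxxps?://", "", ioc)          # hxxp:// -> (dropped scheme)
    for bracket in ("[.]", "(.)", "{.}"):           # common dot obfuscations
        ioc = ioc.replace(bracket, ".")
    return ioc.split("/")[0]                        # keep only the host part


def host_matches(host: str, indicator_host: str) -> bool:
    """Exact host match, or host is a subdomain of the indicator."""
    host = host.lower()
    return host == indicator_host or host.endswith("." + indicator_host)


def parse_log(text: str) -> list:
    """Parse the constructed log format; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, device, host, nbytes = m.groups()
            events.append({"ts": ts, "device": device,
                           "host": host, "bytes": int(nbytes)})
    return events


def flag_indicator_contacts(log_text: str, indicators: list) -> list:
    """Return (device, host, ts, matched_indicator) for every hit."""
    hosts = {refang(i) for i in indicators}
    hits = []
    for ev in parse_log(log_text):
        for ih in sorted(hosts):
            if host_matches(ev["host"], ih):
                hits.append((ev["device"], ev["host"], ev["ts"], ih))
                break                               # one hit per event
    return hits


def devices_to_isolate(hits: list) -> list:
    """Distinct devices that contacted a listed host, for triage."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    found = flag_indicator_contacts(SAMPLE_LOG, INDICATORS_DEFANGED)
    for device, host, ts, ioc in found:
        print(f"{ts} {device} -> {host} (matches {ioc})")
    print("isolate:", devices_to_isolate(found))
```

Subdomain matching matters here: a feed lists the apex or a known host, while the device talks to an `api.` or `cdn.` label underneath it, so an exact-string comparison would miss the second device entirely. The result is a triage list, not a verdict; a hit on a watering-hole script host means the device loaded the page, not that the chain succeeded, and the behavioral indicators listed above are what separate the two.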
## Mitigation Strategies
- **Rapid Patching:** Immediately update iOS to the latest version to mitigate the 23 vulnerabilities leveraged by the toolkit.
- **Lockdown Mode:** Enable iOS "Lockdown Mode" for high-risk individuals to reduce the attack surface for web-based exploits.
- **Browser Security:** Use content blockers to prevent the loading of suspicious third-party scripts and visitor-tracking components.
## Related Tools/Techniques
- **Operation Triangulation:** Shares code modules and exploitation styles.
- **EternalBlue (Mobile Equivalent):** Cited by researchers as a "watershed" leaked tool of similar significance.
- **Pegasus / Predator:** Similar high-end mobile surveillance frameworks.