Full Report
Wired writes (alternate source): Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers...
Analysis Summary
# Tool/Technique: Coruna
## Overview
Coruna is a highly sophisticated, multi-stage iPhone hacking toolkit and exploit framework. Discovered by Google researchers, it is designed for watering-hole attacks, in which an iOS device is compromised silently when it visits a malicious or compromised website. The toolkit is notable for its use of 23 distinct vulnerabilities and for a software development structure of professional, product-like quality.
## Technical Details
- **Type:** Exploit Framework / iPhone Hacking Toolkit
- **Platform:** iOS
- **Capabilities:** Silent remote exploitation, security defense bypass, remote malware installation, and long-term persistence.
- **First Seen:** Publicly reported March/April 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise]: Delivery via exploitation code hosted on websites.
- **[TA0002 - Execution]**
  - [T1203 - Exploitation for Client Execution]: Leveraging browser or OS vulnerabilities to run code.
- **[TA0004 - Privilege Escalation]**
  - [T1068 - Exploitation for Privilege Escalation]: Utilizing kernel-level exploits to bypass iOS protections.
- **[TA0005 - Defense Evasion]**
  - [T1620 - Reflective Code Loading]: Silent installation and execution in memory to bypass on-device defenses.
## Functionality
### Core Capabilities
- **Watering-hole Delivery:** Compromises devices silently, with no user interaction beyond visiting a malicious URL (described as 0-click or 1-click).
- **Vulnerability Chaining:** Orchestrates five complete hacking "chains" utilizing 23 different iOS vulnerabilities to move from initial browser access to full kernel control.
- **Silent Deployment:** Bypasses all standard iPhone security measures (Sandboxing, PAC, etc.) to install a secondary implant.
### Advanced Features
- **Modular Architecture:** Reports suggest a modular design similar to professional enterprise software, allowing for individual vulnerability components to be swapped or updated.
- **High Orchestration:** Manages multiple exploit stages simultaneously to ensure reliability across different iOS versions.
## Indicators of Compromise
*Note: Specific hashes and domains were not detailed in the summary article; however, typical indicators for this class of tool include:*
- **File Hashes:** [Specific hashes not provided in the source report]
- **Network Indicators:** No C2 domains were provided in the source; an indicator of this kind would be published in defanged form, e.g. `hXXps[:]//[malicious-domain][.]com/coruna/payload` (placeholder, not a real indicator).
- **Behavioral Indicators:**
  - Unexpected crashes in the MobileSafari process.
  - Presence of unauthorized files in `/private/var/tmp/` or system directories (on jailbroken or otherwise compromised devices).
  - Outbound connections to unknown IPs on non-standard ports immediately following web browsing.
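The last behavioral indicator above is easy to state but only useful if it is actually correlated in time. The following is an added example (not from the source report or from Google's research) of that correlation over constructed device log lines: a browsing event followed within a short window by an outbound connection to an IP outside an organisation's allowlist on a port other than 80 or 443 raises an alert. The log format (`<ISO timestamp> browse <url>` / `<ISO timestamp> connect <ip>:<port>`), the 30-second window, the allowlist and all addresses are assumptions chosen for the example.

```python
"""Correlate web browsing with unexpected outbound connections.

Added example, not part of the original report. The record layout, the
allowlist and the 30-second window are assumptions; real MDM or network
telemetry would need its own parser.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed line format: "<ISO timestamp> browse <url>" or
#                      "<ISO timestamp> connect <ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>browse|connect) (?P<rest>\S+)$")

STANDARD_PORTS = {80, 443}          # ordinary web traffic is not suspicious by itself
WINDOW = timedelta(seconds=30)      # "immediately following web browsing" (assumed)

# Constructed allowlist: corporate ranges and a known CDN block (RFC 5737 test space).
ALLOWLIST = ["10.0.0.0/8", "203.0.113.0/24"]

# Constructed sample log. Only one line should trigger an alert.
SAMPLE_LOG = [
    "2026-04-01T10:00:00 browse https://news.example/article",
    "2026-04-01T10:00:02 connect 203.0.113.10:443",    # known CDN, standard port
    "2026-04-01T10:00:05 connect 198.51.100.7:8443",   # unknown IP, odd port, 5 s after browse
    "2026-04-01T10:05:00 connect 198.51.100.7:8443",   # same peer, but outside the window
    "2026-04-01T10:06:00 browse https://intranet.example/",
    "2026-04-01T10:06:01 connect 10.0.0.5:8080",       # allowlisted internal host
    "this line is malformed and must be skipped",
]


@dataclass
class Event:
    ts: datetime
    kind: str                      # "browse" or "connect"
    url: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    if m["event"] == "browse":
        return Event(ts, "browse", url=m["rest"])
    ip, port = m["rest"].rsplit(":", 1)
    return Event(ts, "connect", dst_ip=ip, dst_port=int(port))


def is_known(ip: str, allow: List[ipaddress._BaseNetwork]) -> bool:
    """True if the destination falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


def correlate(lines: List[str], allowlist: List[str]) -> List[dict]:
    """Return one alert per connection to an unknown IP on a non-standard port
    that occurs within WINDOW after the most recent browse event."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    last_browse: Optional[Event] = None
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "browse":
            last_browse = ev
            continue
        # Benign by this rule: standard web port, or an allowlisted destination.
        if ev.dst_port in STANDARD_PORTS or is_known(ev.dst_ip, allow):
            continue
        if last_browse is not None and ev.ts - last_browse.ts <= WINDOW:
            alerts.append({
                "time": ev.ts.isoformat(),
                "dst_ip": ev.dst_ip,
                "dst_port": ev.dst_port,
                "after_browse": last_browse.url,
                "delay_s": (ev.ts - last_browse.ts).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, ALLOWLIST):
        print("ALERT", alert)
```

On the constructed log this yields a single alert for `198.51.100.7:8443` five seconds after the first browse; the identical connection five minutes later is deliberately not flagged, which shows the limit of a time-window rule: a persistent implant beaconing long after the initial visit needs a separate long-tail beaconing check rather than this correlation.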
## Associated Threat Actors
- **L3Harris/Trenchant:** Alleged original developers (US government contractor).
- **Russian Intelligence/State-Sponsored Groups:** Reported to have acquired and utilized the tool in active operations (e.g., in Ukraine).
## Detection Methods
- **Signature-based detection:** Detection of known exploit patterns within JavaScript delivered to browsers.
- **Behavioral detection:** Monitoring for unauthorized privilege escalation and kernel-level modifications that deviate from standard iOS behavior.
- **Memory Analysis:** Scanning for "Coruna" exploit remnants in the browser heap or system memory.
## Mitigation Strategies
- **Prevention measures:**
  - Keep iOS devices updated to the latest available firmware to patch the 23 vulnerabilities leveraged.
  - Enable "Lockdown Mode" on iOS for high-risk individuals to reduce the attack surface of the browser.
- **Hardening recommendations:**
  - Deploy Mobile Device Management (MDM) to monitor for suspicious device configurations or unauthorized "sideloaded" profiles.
## Related Tools/Techniques
- **Pegasus (NSO Group):** Similar 0-click/1-click capabilities against iOS.
- **Predator (Cytrox):** Comparable professional-grade mercenary spyware.
- **LightSpy:** Multi-stage iOS surveillance framework.