JAKARTA - A sophisticated hacking toolkit called Coruna is reportedly spreading on the black market and is now being used by bad actors to exploit unpatched iPhones. This finding sparked speculation that the tool was originally developed for the benefit of the United States government before it got out of control.
The report from Wired cites data from Google's Threat Intelligence Group as well as mobile security firm iVerify. Google mapped out how Coruna spread, while iVerify traced its origins.
Coruna is said to be an exploit toolkit that combines five different hacking techniques and exploits 23 vulnerabilities in old versions of iOS. Devices running iOS 13 to iOS 17.2.1 (released between September 2019 and December 2023) are potentially exposed to attack just by visiting a malicious web page. The attack targets a hole in WebKit, the browser engine that underlies Safari.
According to the report, users whose devices support iOS 26 are strongly advised to update the system immediately. Apple is said to have patched the holes that Coruna exploited and to have specifically made the toolkit ineffective on the latest version. As of February 12, about 74 percent of compatible iPhones had been updated to iOS 26.
Coruna is also reportedly able to detect Lockdown Mode, a hardened security mode intended for high-risk users such as government officials or journalists. If the mode is active, the toolkit does not continue the attack. For general users, however, the system update is considered sufficient without having to activate the mode.
The origins of Coruna are in the spotlight. One of iVerify's founders, Rocky Cole, stated that this toolkit is very sophisticated, expensive to develop, and has characteristics similar to modules previously attributed to the US government. He called this the first example of a tool that was very likely developed by the US government, which then "lost control" of it, and that has since been used by both enemies and cybercriminal groups.
iVerify estimates that around 42,000 devices may have been hacked using one of the Coruna variants in a Mandarin-language campaign. In addition, Russian espionage operations are also said to have used this toolkit to target a number of Ukrainian citizens.
The distribution scheme is suspected to follow the classic pattern of the digital black market: the tool is developed with large funds, leaked through an unclear chain of events, and then sold for millions of dollars. Early buyers likely tried to recoup their costs by reselling modified versions, which then circulated widely among cybercriminals.
There is also speculation that Coruna may have been assembled from components of Operation Triangulation, a campaign previously claimed by Russia to be part of a US hacking operation. However, iVerify considers Coruna to be too cohesive and integrated to be merely the result of stitching together different modules.
This case has reopened a long-standing debate about the risks of developing "hacking tools for good purposes." History shows that backdoors or exploits designed for law enforcement purposes can backfire when leaked. Incidents such as EternalBlue in 2017 serve as a reminder that security holes know no morality; once out of control, anyone can exploit them.
For users, the practical message is simple: system updates are not just cosmetic changes or new features, but a real layer of defense. In the modern cyber landscape, a delay in updating can be a costly gap. In a world where tools worth millions of dollars can end up in underground forums, the best security is still a device that is always kept up to date.