Google notes that Apple has fixed the vulnerabilities used by Coruna in the latest versions of its mobile operating system, iOS 26, so its exploit techniques are only confirmed to work against iOS 13 to 17.2.1. It targets vulnerabilities in Apple’s WebKit framework for browsers, so Safari users on older versions of iOS would be vulnerable, but there are no confirmed techniques in the toolkit to target Chrome users. Google also notes that Coruna checks whether an iOS device has Apple’s most stringent security setting, known as Lockdown Mode, enabled, and does not attempt to hack the device if so.
Despite those limitations, iVerify says Coruna has likely infected thousands of phones. The company consulted a partner that had access to network traffic and counted visits to command-and-control servers for the cybercriminal version of Coruna that infected Chinese-language websites. iVerify says the volume of those connections suggests that nearly 42,000 devices have already been hacked with the toolkit in the for-profit campaign alone.
How many other victims Coruna may have affected, including Ukrainians who visited websites infected with code by the suspected Russian espionage operation, is unclear. Google declined to comment beyond its published report. Apple did not immediately comment on Google or iVerify’s findings.
A single, very professional writer
In iVerify’s analysis of the cybercriminal version of Coruna — it did not have access to any earlier versions — the company found that the code had been altered to plant malware on targeted devices designed to drain cryptocurrencies from crypto wallets, as well as steal photos and, in some cases, emails. However, according to Spencer Parker, chief product officer at iVerify, those additions were “poorly written” compared to the underlying Coruna toolkit, which he found impressively polished and modular.
“Oh my God, these things are very professionally written,” Parker says of the exploits included in Coruna, suggesting that the cruder malware was added by cybercriminals who later obtained that code.
As for the code module that suggests Coruna’s origins as a US government toolkit, iVerify’s Cole notes an alternative explanation: It’s possible that the overlap between Coruna’s code and the Operation Triangulation malware, which Russia pinned on US hackers, could have resulted from Triangulation’s components being lifted and reused after their discovery. But Cole argues that this is unlikely. He points out that many of Coruna’s components have never been seen before, and that the entire toolkit appears to have been created by a “single author”.
“This framework is very well put together,” says Cole, who previously worked at the NSA, but notes that he has been out of government for more than a decade and is not drawing any conclusions based on his prior knowledge of American hacking tools. “It feels like it was written as a whole. It doesn’t feel like it was cobbled together.”
If Coruna is indeed an American hacking toolkit, how it got into foreign and criminal hands remains a mystery. But Cole points to an industry of brokers who can pay millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime or cyberwarfare. Notably, Peter Williams, an executive at US government contractor Trenchant, was sentenced to seven years in prison this month for selling hacking tools to Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memorandum said Trenchant sold hacking tools to the U.S. intelligence community, as well as others in the “Five Eyes” group of English-speaking governments – the U.S., Britain, Australia, Canada and New Zealand – though it is not clear what specific tools he sold.
“These zero-day and exploit brokers are dishonest,” says Cole. “They sell to the highest bidder and double down. Many don’t have exclusivity arrangements. That’s very likely what happened here.”
“One of these tools ended up in the hands of a non-Western exploitation broker, and they sold it to anyone who was willing to pay,” Cole concludes. “The genie is out of the bottle.”