A sophisticated new hacking toolkit, discovered by Google, puts iPhone owners and their cryptocurrency wallets at risk. Christened 'Coruna', this malware can infect Apple devices without any action on the victim's part beyond visiting a compromised website, and then siphon funds from some of the world's most popular crypto-wallet applications.
The threat, which emerged from analysis by Google's security teams, represents a dangerous leap forward in the cyber-attack landscape, combining the silence of a zero-click exploit with a direct financial target.
Invisible Attack: Just a Click to Be Infected
The most worrying feature of Coruna is its ability to operate without any interaction from the victim. Unlike classic phishing that requires clicking a malicious link or downloading an infected file, this toolkit exploits deep vulnerabilities in the iOS operating system.
A user with an outdated iPhone need only land on a fake or compromised website to trigger the infection. Once inside, the malware doesn't steal passwords, but goes straight to the source: the seed phrases needed to restore and control a crypto wallet.
Coruna silently scans messages, notes and other iPhone files for specific text strings such as 'backup phrase' or 'restore phrase', along with sequences of 12 or 24 words, the typical length of a wallet recovery phrase. Once the sequence is found, the attackers gain full control of the funds, bypassing any further authentication.
Who's in the Crosshairs: 18 Apps at Risk
The attack is not aimed at a single platform, but targets an entire constellation of decentralised finance (DeFi) apps. According to Google's analysis, 18 crypto apps are in Coruna's sights, including industry giants such as MetaMask, Phantom, Exodus, Trust Wallet and Uniswap. Users of these platforms are thus exposed to a direct and immediate risk of cryptocurrency theft.
The Genesis of a Multiple Threat
The Coruna story is complex and reveals a growing black market for cyber exploits. Google has reconstructed the toolkit's path, recovering it from hundreds of fake websites, including a deceptive replica of the crypto-exchange platform WEEX.
The analysis revealed a worrying pattern of reuse by different actors:
- In the summer of 2025, a suspected Russian espionage group used the same toolkit to target iPhone users in Ukraine, exploiting compromised local company websites.
- Subsequently, a criminal group based in China, motivated by financial ends, spread it on a large scale through scam sites, allowing Google to retrieve the full code and rename it Coruna.
This change of hands suggests the existence of a thriving secondary market for extremely powerful hacking tools.
How to Protect Yourself: The Solution Is Already There
Despite the severity of the attack, the defence is surprisingly simple and already available. The vulnerability exploited by Coruna affects iPhones running iOS 17.2.1 or earlier. Apple released the final patch for these exploits with the update to iOS 17.3, released in January 2024. Anyone who has not installed updates in over a year and a half is therefore potentially at risk.
In addition, Apple had already introduced an extreme security measure that neutralises the toolkit: Lockdown Mode. If enabled in the iPhone's settings, this feature blocks the attack outright: once Coruna detects that the mode is on, it immediately stops executing.
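The two defences above (a build at or past iOS 17.3, or Lockdown Mode enabled) can be turned into a fleet triage rule. The following is an added example, not code from the article or from Google's analysis; the device inventory is constructed, and a real run would read an MDM export instead.

```python
"""Triage helper: flag iPhones exposed to the Coruna exploit chain.

Added example, not code from the article or from Google's analysis.
Rules taken from the article: the exploited bugs affect iOS 17.2.1 and
earlier, iOS 17.3 carries the fix, and Lockdown Mode stops the toolkit.
"""
from dataclasses import dataclass

FIXED_VERSION = (17, 3, 0)  # first release carrying the fix, per the article


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '17.2.1' into (17, 2, 1) for numeric comparison.

    A plain string compare gets '17.10' < '17.3' wrong, and '17.3' must
    compare equal to '17.3.0', so the tuple is padded to three components.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str) -> bool:
    return parse_ios_version(version) >= FIXED_VERSION


@dataclass
class Device:
    name: str
    ios_version: str
    lockdown_mode: bool


def assess(device: Device) -> str:
    """'patched', 'mitigated' (old build but Lockdown Mode on) or 'exposed'."""
    if is_patched(device.ios_version):
        return "patched"
    return "mitigated" if device.lockdown_mode else "exposed"


# Constructed sample inventory, not real device data; '17.10' is included
# only to show the string-comparison pitfall.
INVENTORY = [
    Device("ceo-iphone", "17.2.1", False),
    Device("finance-01", "17.3", False),
    Device("journalist", "16.7.2", True),
    Device("dev-test", "17.10", False),
]


def exposed_devices(inventory=INVENTORY) -> list[str]:
    return [d.name for d in inventory if assess(d) == "exposed"]
```

Devices reported as 'mitigated' still deserve an update: Lockdown Mode stops this toolkit, but it is not a substitute for the patch.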
A Dangerous Legacy: Recycled Exploits
Analysis of Coruna also revealed another worrying detail: two of the exploits behind the toolkit had already been used in a previous and well-known iOS espionage campaign, Operation Triangulation, discovered by Kaspersky in 2023. This demonstrates how 'elite' level exploits, once developed, continue to circulate and be reused by different actors, moving from surveillance agencies to state groups and eventually to ordinary financial crime.
