The Google Threat Intelligence Team recently released a report disclosing spyware called Coruna. This spyware was originally supposed to be developed by a national hacker team, but it is unknown why it was leaked online and began to be used by various hackers.
The Coruna tool contains 5 complete iOS vulnerability exploitation chains, involving a total of 23 security vulnerabilities, the most complex of which uses non-public technologies and vulnerability mitigation bypass measures. The targeted iOS versions are iOS 13.0~iOS 17.2.1.

The Google Threat Intelligence Team first observed activity related to the Coruna exploit kit in February 2025. The attack was attributed to a customer of a commercial surveillance vendor (the customer placed the order and the vendor assisted in launching the attack).
At that time, researchers obtained the JavaScript delivery framework and an exploit for CVE-2024-23222, a WebKit vulnerability that allows attackers to execute remote code on iOS 17.2.1. Apple fixed the vulnerability in iOS 17.3.
Related vulnerabilities also involved a triangulation attack against Kaspersky, an extremely sophisticated attack in which iOS devices used by multiple Kaspersky Lab employees were implanted with malware and monitored.
Now that these vulnerabilities have been fixed, the Coruna tool can only launch attacks against iOS 17.2.1 and below. However, in reality, many users are unwilling to upgrade or iOS devices no longer support subsequent new versions and have not been able to upgrade.
So now some hacker groups with financial interests are beginning to use the Coruna tool to launch attacks. The purpose of these hackers is extremely single, mainly to steal the mnemonic phrases of cryptocurrency wallets in users’ photo albums, that is, they focus on stealing cryptocurrency.
The process is as follows:
Cast a wide net or launch attacks against users active in the cryptocurrency field. After the target user is infected with the Coruna malware, the malware will scan the user's photo album and identify whether there are photos with mnemonic phrases.
If there is a mnemonic word, the photo containing the mnemonic phrase will be uploaded directly to the C2 server. The hacker is not interested in other photos saved by the user. Therefore, if there is no mnemonic phrase, at least so far, no hackers have been found to steal user photos to initiate blackmail.
This has to talk about the security rules in the field of cryptocurrency:
In any case, you should not save a screenshot of the wallet mnemonic phrase to the photo album, nor should you take a photo of the handwritten mnemonic phrase and save it in the photo album. The best security practice for the mnemonic phrase is to handwrite the mnemonic phrase on paper and keep it at home (it is best to handwrite multiple copies).
Only by physically blocking access to the mnemonic phrase can security be ensured. Saving photos of the mnemonic phrase to a mobile phone or uploading it to a network disk is a very unreliable approach, and using an outdated iOS version will amplify the attack surface.