What happened, in plain terms that still stay precise
Coruna is not a single iOS bug and it’s not just another “spyware rumor.” What Google’s Threat Intelligence Group actually published is the anatomy of a full exploit kit: five complete exploit chains, 23 exploits total, and an operational framework built to reliably compromise a wide range of iPhone models running iOS 13.0 through iOS 17.2.1. (جوجل كلاود)
The story becomes more alarming because the kit did not stay inside one actor’s pipeline. Google tracks Coruna across 2025 from a commercial surveillance context, to watering hole attacks targeting Ukrainian users, and later to broad-scale campaigns run by a financially motivated actor operating from China. The key sentence is not “who built it,” but “how widely it traveled,” because once a chain like this is in circulation, every future iOS bug becomes a potential “drop-in replacement” component for the next version of the kit. (جوجل كلاود)
iVerify’s parallel reporting matters for a different reason. They frame this as the first observed mass exploitation of mobile phones by a criminal group using tools likely built by a nation-state, and they say they reverse engineered a sample they called CryptoWaters that uses the Coruna framework and leaves actionable indicators of compromise. (iverify.io)
So the headline you want to write—“government-grade iPhone hacking tools are in criminal hands”—can be accurate only if you keep the verbs disciplined: researchers say the kit looks like nation-state-grade engineering, that it appears to have moved through surveillance and espionage contexts, and that it is now used by criminals for financial theft. The origin is suggested, not proven, and the proliferation is the confirmed part. (TechCrunch)
The timeline, because the order explains the risk
February 2025, fragments in a surveillance customer operation
Google says it captured parts of an iOS exploit chain used by a “customer of a surveillance company” and that the chain was integrated into a previously unseen JavaScript framework. That tells you Coruna started life as more than a pile of PoCs; it was already an integrated delivery system. (جوجل كلاود)
Mid 2025, watering hole deployment against Ukrainian users
Google then observed Coruna deployed in watering hole attacks targeting Ukrainian users by UNC6353, which they assess as a suspected Russian espionage group. This stage matters operationally: the delivery model is “you browse, you lose,” which is exactly the kind of distribution that scales. (جوجل كلاود)
Late 2025, broad-scale financial campaigns
Google says it later retrieved the complete exploit kit when it was used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. Wired describes this as the moment the kit’s path becomes truly disturbing: from spies to cybercrime, with a plausible broker-mediated handoff in between. (جوجل كلاود)
March 3, 2026, coordinated disclosure and the “EternalBlue moment” framing
Multiple outlets quote iVerify’s “EternalBlue moment” comparison, drawing a line from the 2017 leak of an NSA-developed Windows exploit to the possibility that a comparable leak dynamic is now happening in mobile exploitation. The analogy is not perfect, but the warning is clear: once top-tier offensive tooling enters uncontrolled circulation, the downstream damage is driven by adoption, not by the original author’s intent. (TechCrunch)
How Coruna compromises an iPhone, the high level chain logic
To understand why Coruna feels like “it just works,” you need to see what the kit is actually chaining.
- Initial code execution in the browser context via WebKit web content processing flaws.
- Privilege lift and containment breakouts that escape WebContent sandboxing and reach more privileged execution contexts.
- Kernel-level control primitives through local privilege escalation and mitigation bypasses, including PPL bypass components.
- Stager and implant loading inside system daemons to establish communication and run targeted theft modules.
That pattern is not new in iOS exploitation, but Coruna’s value is that it packages multiple versions of each step so it can cover a wide OS spread. Google calls out that the kit includes non-public exploitation techniques and mitigation bypasses, plus extensive documentation in native English—this is “productized exploitation,” not opportunistic hacking. (جوجل كلاود)
Two defensive details in Google’s write-up are particularly operationally useful:
- Coruna bails out if it detects the device is in وضع الإغلاق or the user is in Private Browsing.
- It uses a hard-coded cookie to generate resource URLs, with resources referred to by a hash derived from
sha256(COOKIE + ID)[:40].
That “bail out” behavior is a rare gift to defenders because it gives you a concrete mitigation lever that doesn’t depend on Apple patch timelines, and it explains why some users may have been “missed” even on vulnerable builds. (جوجل كلاود)
What people keep calling this incident, and why those words matter technically
You’ll see the same phrases across the best reporting and the primary research. They are not just narrative labels; each maps to a real control point.
| Phrase you’ll see everywhere | What it really means for defenders | Where it’s grounded |
|---|---|---|
| “Exploit kit” | Not one bug: reusable framework + multiple chains + delivery + staging | Google describes five chains and 23 exploits (جوجل كلاود) |
| “Watering hole” | Legit sites compromised to silently attack visitors | Google and iVerify both describe waterhole deployment (جوجل كلاود) |
| “First known mass iOS attack” | Criminal-scale exploitation, not limited to a handful of VIP targets | iVerify press release framing (iverify.io) |
| “EternalBlue moment” | High-end tooling leaking into wider abuse ecosystem | Wired, CyberScoop, TechCrunch (WIRED) |
| “Lockdown Mode” | Attack surface reduction that Coruna explicitly checks for | Google kit behavior, Apple guidance (جوجل كلاود) |
| “Operation Triangulation” | Prior iOS campaign with overlap in techniques/components | Google connects Photon and Gallium, Kaspersky reports Triangulation (جوجل كلاود) |
If you only remember one sentence from this table, make it this: the same terms that drive headlines are also the best pivots for building a response checklist. You can turn them into requirements: “Are we exposed to watering hole delivery,” “Do we have a Lockdown Mode policy for high-risk staff,” and “Can we inspect iOS backups for known IOC footprints.”
The CVEs, the exploit components, and the patch floors that actually matter
Coruna spans years of iOS vulnerability history. The point is not that Apple failed to patch; the point is that attackers can keep old chains alive as long as real-world devices stay unpatched.
Google published a mapping table of exploit “code names,” their type, targeted versions, and the fixed versions where known. Some entries have no CVE association, and Google notes the associations may be revised as analysis continues. (جوجل كلاود)
Below is a defender-oriented condensation of the most decision-relevant CVEs that appear in Google’s mapping and that have solid vendor records in Apple/NVD. The goal is not to reverse engineer exploits; it’s to know which patch floors remove entire classes of exploitation.
WebKit remote code execution class, the browser foothold
CVE-2024-23222
Apple and NVD describe it as a WebKit issue where processing maliciously crafted web content may lead to arbitrary code execution, fixed in iOS 17.3 and related releases, with Apple aware it may have been exploited. (دعم Apple)
CVE-2022-48503
Apple’s security content for iOS 15.6 states processing web content may lead to arbitrary code execution, and CISA later added this CVE to the Known Exploited Vulnerabilities catalog in October 2025. (دعم Apple)
CVE-2023-43000
NVD and Apple document it as a WebKit use-after-free leading to memory corruption, fixed in iOS 16.6 and Safari 16.6, with Apple’s entry added later. (NVD)
Sandbox escape and kernel leverage, turning browser code exec into device control
CVE-2023-32409
NVD states a remote attacker may be able to break out of the Web Content sandbox and notes Apple was aware of active exploitation; it’s fixed in iOS 16.5 and iOS 15.7.8 among others. (NVD)
CVE-2024-23225 and CVE-2024-23296
Both are tied to bypassing kernel memory protections once an attacker already has powerful primitives; Apple/NVD note exploitation awareness language for these families and list fixed versions (iOS 17.4 for these kernel-protection bypass items in the public records). (NVD)
Why these categories chain so well on iOS
iOS has strong defense-in-depth: sandboxing (especially for WebContent), pointer authentication codes, kernel hardening, and layered memory protections. Coruna’s design is to assemble a “least fragile” path through that maze for each OS generation: if one WebKit bug stops working, another might; if one kernel bypass is patched, an older chain might still hit older phones; and if a target has a newer A-series chip, the kit chooses a chain that matches that environment. Google explicitly says Coruna includes a binary loader that chooses appropriate chains post-RCE and that payload blobs carry metadata about supported chips and versions. (جوجل كلاود)
That’s why patch floors matter more than CVE obsession. Your practical question is: what’s the oldest iOS build in your fleetو does the attacker still have a chain that covers it?
The payload, why this looks like theft tooling not classic spyware
Google’s most important technical observation about Coruna is at the end of the chain. The stager binary PlasmaLoader, tracked as PLASMAGRID, injects itself into powerd running as root, and the resulting payload is oriented toward stealing financial information rather than the “usual capabilities” expected from a surveillance vendor. (جوجل كلاود)
Google describes several theft behaviors that are unusually concrete for public reporting:
- decoding QR codes from images on disk
- analyzing text blobs for BIP39 word sequences
- searching for keywords like “backup phrase” or “bank account”
- exfiltrating relevant text if found in Apple Notes
This is the precise bridge from “device compromise” to “money loss.” A compromised iPhone is not automatically a cash machine, but if a victim stores seed phrases in Notes or screenshots, or uses multiple mobile wallet apps, the attacker can turn a one-time browser exploit into recurring theft value. (جوجل كلاود)
Google also lists a set of targeted wallet apps via bundle identifiers, including MetaMask and several others, which strongly supports the “crypto theft modules” framing. (جوجل كلاود)
iVerify’s deeper technical write-up describes a multi-stage implant flow across processes, including fetching configuration from one domain and then using another for command-and-control, with later modules being loaded depending on installed apps. (iverify.io)
The implication for responders is uncomfortable but actionable: if you are investigating a suspected Coruna-style infection, you must treat wallet seed handling as part of incident response. The remediation is not just “update iOS.” It’s also “assume any seed phrase or private key stored on-device may be compromised” and act accordingly.
Is this really “a leaked US government framework” and how to talk about it without overclaiming
This is the part that gets clicks—and also the part that falls apart fastest if you get sloppy.
What iVerify says in its press release is that GTIG refers to UNC6691 using a sophisticated exploit chain developed by a spyware vendor, and that iVerify assesses the framework has similarities to previous frameworks developed by threat actors affiliated with the US government. They also say the same framework was observed by Russian threat actors targeting Ukrainians. (iverify.io)
TechCrunch summarizes that iVerify linked the Coruna exploit kit to the U.S. government based on similarities to previously attributed tools, while also emphasizing the broader point: regardless of origin, these tools will end up “in the wild.” (TechCrunch)
Wired is careful but pointed: it highlights clues like English-language coding and overlap with components seen in Operation Triangulation, while still calling the origin “possible” and noting the US government didn’t respond to attribution claims. (WIRED)
CyberScoop and Nextgov reinforce the same framing: plausible linkage, not certainty, and the core risk is the proliferation market for “second hand” zero-days. (CyberScoop)
If you want a defensible headline and you want it to survive criticism, write it this way:
Confirmed: a nation-state-grade iPhone exploit kit proliferated across actors and is now used in criminal campaigns. (جوجل كلاود)
Plausible but not proven: parts of the framework resemble tools previously attributed to US-affiliated operators. (iverify.io)
Unknown: exactly how the tool moved hands. (جوجل كلاود)
That is enough to justify urgency without turning your article into speculation.
Who is actually vulnerable, and why “old iOS” is the real attack surface
Google’s coverage range is explicit: iOS 13.0 through iOS 17.2.1, which spans devices and releases from 2019 through late 2023. (جوجل كلاود)
They also state Coruna is not effective against the latest iOS and urge users to update; if an update is not possible, enable Lockdown Mode. (جوجل كلاود)
Wired adds an important nuance: Google noted the kit targets vulnerabilities in WebKit for browsers, so Safari users on those older versions are vulnerable, and Coruna checks for Lockdown Mode and won’t attempt exploitation if it’s enabled. (WIRED)
This leads to the most useful risk segmentation you can give readers:
- Out-of-date iPhones are the target class. If you still have iOS 15.x or 16.x on a phone that could update, you’re choosing to stay inside the blast radius.
- People who can’t update are structurally exposed. Older devices that cannot run newer iOS versions are exactly what “long-lived exploit kits” are built to harvest.
- Crypto users are a multiplier. Not because crypto is special, but because many users store high-value secrets locally, and Coruna’s payload is tuned to find them. (جوجل كلاود)
- Travel and geopolitical exposure increases the odds. Watering hole delivery often clusters around specific populations and web destinations. (جوجل كلاود)
- Enterprises without mobile telemetry will miss this. iOS is hard to inspect “from the inside,” which is exactly why forensic approaches rely on backups, sysdiagnose, and specialized tooling. (Securelist)
What to do right now, a prioritized checklist that maps to the actual mechanics
1 Update iOS, because Coruna’s compatibility window is the whole problem
This is the least glamorous recommendation and the most effective one. Google’s own conclusion is that Coruna is not effective against the latest iOS, and the kit’s known coverage stops at iOS 17.2.1. (جوجل كلاود)
2 Turn on Lockdown Mode for high risk users and roles
Lockdown Mode is not just “extra security.” It’s a mode that Coruna explicitly checks for and avoids, and Apple describes it as an extreme optional protection for rare, sophisticated attacks. (جوجل كلاود)
Apple’s official step path is straightforward: Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode. (دعم Apple)
3 Use Private Browsing as a stopgap when you cannot enable Lockdown Mode
Google states Coruna bails out if the user is in private browsing. This is not a perfect defense and it is not a substitute for patching, but it can reduce exposure in constrained scenarios. (جوجل كلاود)
4 Assume secrets stored on-device are compromised if you have any infection signal
Because the payload is tuned to find BIP39 sequences and wallet app modules, if you have any credible indicator of infection you should treat seed phrases, screenshots of QR codes, Notes entries, and potentially wallet session tokens as burned. (جوجل كلاود)
5 Treat this as a web security issue too, not only a device security issue
Coruna’s delivery model includes malicious web content and watering hole style attacks. That means your organization’s websites and third-party analytics dependencies can become the attack surface that compromises your own users. (جوجل كلاود)
Detection, what you can actually verify without magical iOS root access
iVerify’s IOC driven approach and public checking
iVerify says it reverse engineered CryptoWaters, built IOCs, and deployed them in its Enterprise product and also into its Basic app made free for a limited period to help the public check for infection. (iverify.io)
Sysdiagnose and process behavior indicators
iVerify publishes process-based IOCs like thread names and dispatch queues (for example strings starting with plasma_ inside processes like powerd و locationd) and indicates where they show up in sysdiagnose artifacts like stacks.ips. (iverify.io)
Backup forensics, why MVT remains relevant
Kaspersky’s Operation Triangulation write-up explains a foundational constraint: it is “impossible to inspect modern iOS devices from the inside,” so investigators create offline backups and inspect them using Mobile Verification Toolkit. That same reality applies here: backups and derived timelines are the pragmatic place to hunt. (Securelist)
Even if you do not use MVT end-to-end, you can still query the key SQLite databases in a backup for the signals iVerify lists: Safari history artifacts, WebKit storage databases, and any recorded infection domain URLs. (iverify.io)
A practical IOC table you can hand to an incident responder
Below is a condensed version of the most actionable IOC categories described by iVerify and Google, framed as “what you can check” and “where.”
| IOC category | Example signal | Where to look | ما أهمية ذلك |
|---|---|---|---|
| Process and thread names | plasma_* thread names | sysdiagnose stacks and crash artifacts | Strong hint of implant execution inside system daemons (iverify.io) |
| File artifacts | /private/var/tmp/pl.core.lock and related temp files | filesystem traces, backup artifacts when present | Implant staging and runtime markers (iverify.io) |
| Network domains | .xyz C2 domains and named infra | network logs, DNS, secure web gateways | Coruna uses explicit C2 lists and DGA fallback patterns (جوجل كلاود) |
| Exploit infrastructure | exploit server domains in iVerify blog | Safari history and WebKit DBs in backups | Evidence of exposure to delivery URLs (iverify.io) |
| Behavioral checks | bails out on Lockdown Mode / Private Browsing | device config, browsing mode | A mitigation you can enforce and verify (جوجل كلاود) |
Code and queries, safe defensive examples you can publish without enabling abuse
1 SQL, quickly check an iPhone backup Safari history for suspicious domains
You’ll need to locate History.db in the extracted iPhone backup. Paths vary by backup format and extraction method, but the query shape is stable.
-- Safari History.db
-- Look for known suspicious host fragments or high-entropy .xyz domains
SELECT
datetime(history_visits.visit_time + 978307200, 'unixepoch') AS visit_datetime_utc,
history_items.url,
history_items.domain_expansion
FROM history_items
JOIN history_visits ON history_items.id = history_visits.history_item
WHERE
history_items.url LIKE '%.xyz/%'
OR history_items.url LIKE '%/group.html%'
OR history_items.url LIKE '%/details/%'
ORDER BY history_visits.visit_time DESC
LIMIT 200;
This does not “prove compromise,” but it can rapidly prove exposure to delivery infrastructure when paired with iVerify’s observed domains list. (iverify.io)
2 Python, scan an extracted iTunes style backup for IOC strings and domains
This is deliberately conservative: it looks for obvious IOC strings in plaintext files and for suspicious domain patterns in extracted databases or logs you can export to text.
import os
import re
from pathlib import Path
IOC_STRINGS = [
# iVerify / Google themes
"com.plasma.", "plasma_", "PLASMAGRID", "PlasmaLoader",
# Common Coruna URL patterns called out in reports
"/group.html", "/details/show.html", "/details/new.js",
]
DOMAIN_PAT = re.compile(r"\\b[a-z0-9]{10,20}\\.xyz\\b", re.IGNORECASE)
def scan_path(root: Path, max_bytes: int = 8_000_000):
hits = []
for p in root.rglob("*"):
if not p.is_file():
continue
try:
if p.stat().st_size > max_bytes:
continue
data = p.read_bytes()
except Exception:
continue
# Cheap binary to text view
try:
text = data.decode("utf-8", errors="ignore")
except Exception:
continue
for s in IOC_STRINGS:
if s in text:
hits.append((str(p), f"string:{s}"))
for m in DOMAIN_PAT.findall(text):
hits.append((str(p), f"domain:{m.lower()}"))
return hits
if __name__ == "__main__":
root = Path(os.environ.get("BACKUP_DIR", ".")).resolve()
results = scan_path(root)
for path, hit in results[:500]:
print(f"{hit}\\t{path}")
print(f"\\nTotal hits: {len(results)}")
Pair this with a controlled, curated domain list from Google’s published C2 list if you want high confidence matching. (جوجل كلاود)
3 Network detection idea, why .xyz is not enough and what to log instead
Google notes Coruna’s implant uses a hard-coded C2 list and a fallback mechanism that includes a domain generation algorithm seeded with the string “lazarus,” generating predictable 15-character .xyz domains and checking activity via Google’s public DNS resolver. (جوجل كلاود)
That means “block .xyz” is not the lesson. The lesson is: log and alert on unexpected system processes making outbound HTTPs requests, and on DNS patterns that match high-entropy short labels clustered in time.
If you have enterprise DNS logs, you can build detections like:
- device resolves multiple 15-char
.xyzdomains within minutes - same device then makes outbound HTTPS POSTs to one of them
- user agent anomalies like system processes (
powerd,imagent) presenting nonstandard UA strings, which iVerify notes as suspicious (iverify.io)
A disciplined incident response playbook for Coruna style compromise
Step 1 Confirm exposure vs compromise
Exposure means the device visited or loaded the delivery URL. Compromise means you see process IOCs, file artifacts, or network C2 communication patterns.
Because iOS is hard to introspect, you’ll often proceed with “credible suspicion” rather than courtroom-grade certainty. That is normal in mobile IR. (Securelist)
Step 2 Contain the money path first
If the user has mobile wallets:
- move funds to new wallets using a clean device
- rotate keys and revoke sessions where possible
- treat any seed phrase that lived in Notes, screenshots, or files on the phone as compromised, because the payload explicitly hunts for BIP39 patterns and “backup phrase” keywords (جوجل كلاود)
Step 3 Contain the account path
Even if the campaign focus is crypto theft, a compromised phone can become an identity pivot. Reset Apple ID credentials, ensure 2FA is intact, and review device trust lists. This is standard hygiene, and it limits secondary fallout.
Step 4 Preserve artifacts before you wipe
Collect sysdiagnose and an encrypted backup if policy allows. Once you wipe and restore, you will lose much of the evidence needed to understand scope and entry point. (iverify.io)
Step 5 Eradicate and verify
Update iOS to a non-vulnerable version, re-enable Lockdown Mode for the right users, and then verify via policy compliance that devices stay above patch floors.
Coruna’s most scalable delivery pattern is web-based: malicious websites, watering holes, and injected components that “just happen” to get served to visitors. That means the defender’s job is not only device patching; it’s also ensuring your own web properties cannot be repurposed into someone else’s exploit distribution layer. Google explicitly describes Coruna’s delivery through malicious web content and watering hole style operations, and iVerify’s analysis starts from discovering a suspicious domain hosting exploits. (جوجل كلاود)
This is where an AI-driven pentest platform can contribute without pretending to “scan iPhones.” With Penligent, teams can continuously test their public web assets for the classes of failures that enable watering holes: outdated CMS plugins, script injection points, insecure third-party analytics loading, and hidden redirects that route users to attacker-controlled infrastructure. When incidents like Coruna break, speed matters: you want fast asset discovery, fast reproduction in a safe lab, and a report that maps exactly what to fix and how to verify the fix is real. (بنليجنت)
A second natural fit is evidence-driven verification. When the world learns that “just visiting a site can compromise an iPhone,” executives ask whether your organization’s pages could be used the same way. Penligent is designed around turning natural-language security questions into precise, tool-backed checks across a real environment, so teams can answer quickly: “Are any of our pages serving unexpected scripts,” “Do we have third-party includes that changed recently,” “Can we prove integrity of the content pipeline,” and “Which domains do our pages call out to at runtime.” (بنليجنت)
The bigger lesson, exploit markets do not respect your threat model
Google frames Coruna as another example of sophisticated capabilities proliferating and points to an active market for “second hand” zero-day exploits. iVerify emphasizes that once spyware capabilities are sold, control over end customers is lost and the market is highly unregulated. (جوجل كلاود)
The uncomfortable reality is that modern mobile exploitation is now following the same arc we watched on desktop a decade ago: a small set of elite actors fund development, brokers move capabilities, and criminals industrialize the last mile. The result is not that every iPhone is doomed; the result is that patch lag becomes a monetizable asset.
If you want a single sentence to end the article on, make it this: Coruna is what happens when “old iOS” becomes an economic opportunity. (جوجل كلاود)
Further reading
Google Threat Intelligence Group, Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
iVerify press release, iVerify Details First Known Mass iOS Attack https://iverify.io/press-releases/first-known-mass-ios-attack
iVerify technical blog, Coruna: Inside the Nation-State-Grade iOS Exploit Kit We’ve Been Tracking https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
TechCrunch coverage, A suite of government hacking tools targeting iPhones is now being used by cybercriminals https://techcrunch.com/2026/03/03/a-suite-of-government-hacking-tools-targeting-iphones-is-now-being-used-by-cybercriminals/
WIRED coverage, A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/
Apple Support, About Lockdown Mode https://support.apple.com/en-us/105120
Apple User Guide, Turn on Lockdown Mode on iPhone https://support.apple.com/guide/iphone/use-lockdown-mode-iph845f6f40c/ios
Apple security content, iOS 17.3 and iPadOS 17.3, includes CVE-2024-23222 https://support.apple.com/en-us/120304
Apple security content, iOS 17.4 and iPadOS 17.4, includes CVE-2024-23225 and other items https://support.apple.com/en-us/120893
Apple security content, iOS 15.6 and iPadOS 15.6, includes CVE-2022-48503 https://support.apple.com/en-us/102892
NVD, CVE-2024-23222 https://nvd.nist.gov/vuln/detail/CVE-2024-23222
NVD, CVE-2022-48503, includes CISA KEV metadata https://nvd.nist.gov/vuln/detail/CVE-2022-48503
CISA alert, CVE-2022-48503 added to KEV Catalog https://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
Kaspersky Securelist, Operation Triangulation https://securelist.com/operation-triangulation/109842/
Penligent related articles
CVE-2025-24085 iOS 0-Day Explained: Public PoC and the Role of AI Pentest Tools https://www.penligent.ai/hackinglabs/cve-2025-24085-an-ios-0-day-public-poc-and-the-role-of-ai-pentest-tools/
Safari passwords, Deep Technical Guide for Security Engineers https://www.penligent.ai/hackinglabs/safari-passwords-deep-technical-guide-for-security-engineers/
OpenClaw + VirusTotal: The Skill Marketplace Just Became a Supply-Chain Boundary https://www.penligent.ai/hackinglabs/openclaw-virustotal-the-skill-marketplace-just-became-a-supply-chain-boundary/
Penligent overview, Natural-Language Orchestration for AI Automated Penetration Testing https://www.penligent.ai/hackinglabs/penligent-ai-natural-language-orchestration-for-ai-automated-penetration-testing/
Arabic 
English 
German 
French 
Spanish 
Portuguese 
Japanese 
Korean 
Hindi 
Turkish 
Hebrew