Security analysts have uncovered a powerful suite of iPhone hacking tools that appear to have slipped from the control of a government client and into the hands of cybercriminals, underscoring growing fears about the expanding trade in high-end digital exploits.
The toolkit, known as Coruna, was first identified in February 2025 by researchers at Google. At the time, the company detected the exploit framework during what it described as a spyware deployment attempt conducted by a surveillance vendor working on behalf of a government customer. What initially appeared to be a targeted intelligence operation soon evolved into something more concerning.
In the months that followed, Google observed the same exploit kit being used in a broader campaign aimed at Ukrainian users. That activity was linked to a Russian espionage group. Later still, researchers found Coruna in use by a financially motivated hacker based in China. The widening range of actors deploying the same advanced toolset has raised alarms within the cybersecurity community.
A Tool That Traveled Beyond Its Original Purpose
Coruna was initially designed to infiltrate iPhones quietly by exploiting multiple software weaknesses. Such tools are often built or acquired by governments for surveillance and intelligence-gathering operations. However, security experts now believe this particular framework has circulated well beyond its original, restricted environment.
Exactly how Coruna left government hands remains unknown. There has been no public explanation of whether it was leaked, stolen, resold, or otherwise redistributed. What is clear, according to Google’s researchers, is that an emerging secondary marketplace for “secondhand” exploits may be developing. In this shadow economy, sophisticated vulnerabilities that were once exclusive to state clients are resold to criminal actors seeking to extract additional financial value before the software flaws are fixed.
Mobile security company iVerify obtained samples of the Coruna framework and conducted a reverse-engineering analysis. In its findings, iVerify noted technical similarities between Coruna and tools that had previously been attributed to the U.S. government. While the firm stopped short of making a definitive claim about the toolkit’s origin, it concluded that there were indicators suggesting it may have once been part of a U.S. government-linked capability.
Regardless of its precise source, researchers emphasized a broader pattern: once sophisticated cyber tools are deployed—even in limited or classified settings—the risk of eventual exposure increases significantly.
How the Exploit Works
Coruna stands out because of its technical depth and flexibility. According to Google’s analysis, the exploit kit can compromise an iPhone simply by directing a victim to a malicious website. This method, often referred to as a “watering hole” attack, requires minimal interaction from the target. Clicking a deceptive link or visiting a compromised webpage may be enough to trigger the exploit chain.
The toolkit reportedly leverages 23 distinct vulnerabilities that can be combined in five different ways to achieve full device compromise. This modular structure allows attackers to adapt their approach depending on the device’s configuration and software version.
Devices running Apple's iOS versions from iOS 13 through iOS 17.2.1 were found to be vulnerable. iOS 17.2.1 was released in December 2023, meaning millions of devices worldwide could have been at risk if users had not installed later security updates.
Possible Links to Operation Triangulation
Reporting by Wired indicated that components within the Coruna toolkit resemble parts of a previously identified hacking campaign known as Operation Triangulation. That campaign was publicly disclosed in 2023 by Kaspersky, which alleged that iPhones belonging to several of its employees had been targeted with advanced spyware.
At the time, Kaspersky claimed that the operation involved highly sophisticated exploitation techniques. While geopolitical tensions have complicated the narrative surrounding those allegations, researchers have pointed to overlapping technical signatures between the earlier campaign and Coruna’s codebase.
Reuse of exploit components across operations is not unusual. However, the transition from tightly controlled intelligence campaigns to criminal use represents a more troubling evolution. It illustrates how once-exclusive digital weapons can diffuse into broader and less predictable ecosystems.
A Familiar Pattern in Cybersecurity
The Coruna case echoes earlier incidents in which powerful government-developed exploits escaped into public circulation. One of the most well-known examples occurred in 2017, when tools developed by the National Security Agency were stolen and later published online. Among them was EternalBlue, a Windows backdoor that was subsequently weaponized in global cyberattacks.
EternalBlue played a central role in the WannaCry ransomware outbreak, which spread rapidly across multiple countries and disrupted hospitals, corporations, and public institutions. That episode demonstrated how quickly a leaked exploit can be repurposed for widespread criminal damage.
Security experts now see parallels between that earlier event and the Coruna discovery. If advanced mobile exploits circulate freely before being patched, they could enable similarly large-scale abuse.
Insider Threats and the Expanding Exploit Market
The commercialization of cyber vulnerabilities has also been highlighted by recent criminal cases. TechCrunch reported on the sentencing of Peter Williams, a former executive at defense contractor L3Harris Trenchant, who pleaded guilty to stealing and selling eight exploits. Prosecutors stated that the tools he trafficked were capable of compromising millions of computers and devices worldwide. At least one exploit was reportedly sold to a broker in South Korea.
Cases like this illustrate how lucrative the exploit trade has become. High-quality zero-day vulnerabilities can command substantial sums in underground markets or through intermediaries operating in legal gray areas. When these tools are resold multiple times, tracking their origin and ensuring responsible disclosure becomes increasingly difficult.




