A sophisticated iPhone exploit toolkit called "Coruna" is at the center of an escalating controversy after new research revealed that it most likely came from U.S. defense contractor L3Harris before falling into the hands of Chinese cybercriminals and Russian spies. The case demonstrates how government-grade iOS exploits can leak, be repurposed, and support financially motivated attacks against regular iPhone users as well as international espionage.

Coruna: From Western spy tool to global threat

Google's Threat Intelligence Group recently disclosed a powerful iOS exploit kit dubbed Coruna that chains together 23 exploits across five attack chains to compromise iPhones running iOS 13 through 17.2.1 via watering-hole attacks.

When a victim simply visits a compromised website, the kit can achieve remote code execution, sandbox escape, and kernel compromise on unpatched devices, letting attackers launch payloads that steal data, spy on victims, and even target cryptocurrency wallets. Google claims that Coruna was initially used in "highly targeted" operations by an unidentified government client of a commercial surveillance vendor. Russian state hackers then reused it against specific Ukrainian users, and a Chinese cybercrime group that specialized in financial theft later abused it extensively.

This lifecycle demonstrates a distinct pattern: elite zero-day chains swiftly join a larger underground market of "second-hand" exploits after escaping their initial customer base.

According to TechCrunch, two former employees of L3Harris' hacking division, Trenchant, independently identified Coruna artifacts and internal naming, indicating that at least some of the toolkit was created internally and sold only to the US government and its Five Eyes allies. Separately, researchers at the mobile security company iVerify concluded that Coruna was probably developed by a U.S. government agency, but they did not reach a firm conclusion. The developing timeline coincides with a significant Trenchant insider theft case involving former general manager Peter Williams, who was recently sentenced in the United States for stealing and selling eight offensive tools to Russian exploit broker Operation Zero for approximately $1.3 million.


Prosecutors emphasized that the tools targeted widely used platforms like iOS, claiming that they could have allowed access to "millions of computers and devices." Operation Zero, which has been sanctioned by the U.S. Treasury, allegedly collaborates with at least one unauthorized buyer and Russian government clients, giving Coruna-linked exploits several ways to get to Russian espionage organizations and subsequent cybercriminals.

Relationships to Operation Triangulation

A portion of Coruna's codebase overlaps with exploits codenamed Photon and Gallium, which were previously used as zero-days in Operation Triangulation, a sophisticated campaign that targeted iPhones, including those used inside Russia, and was revealed by Kaspersky in 2023.

According to Google and iVerify, Coruna incorporates reusable modules for these vulnerabilities, and some experts think that the exploit frameworks underlying Triangulation and Coruna have similar engineering patterns and modules, like Plasma, Photon, and Gallium.