A powerful set of hacking tools once associated with government use is now being deployed by cybercriminals to target iPhones running older software. Security researchers have identified the exploit suite, known as Coruna, as capable of compromising devices through sophisticated methods that were originally developed for surveillance purposes.
On Tuesday, Google revealed that it first detected the Coruna exploit kit in February 2025 during an attempt by a surveillance vendor to hack a phone with spyware on behalf of a government client. Months later, the same toolkit was found targeting Ukrainian users in a large-scale campaign linked to a Russian espionage group. It was later discovered being used by a financially motivated hacker in China. Researchers warned about a growing market for “secondhand” exploits, where previously government-linked hacking tools are resold to profit-driven attackers.
Mobile security firm iVerify obtained and reverse-engineered the tools. In a blog post, the company said it linked Coruna to the U.S. government due to similarities with previously attributed frameworks. “The more widespread the use, the more certain a leak will occur,” iVerify stated. “While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.” The exploit kit can bypass iPhone defenses simply by tricking users into visiting a malicious website, a method known as a “watering hole” attack. According to Google, Coruna chains together 23 vulnerabilities and can compromise devices running iOS 13 through 17.2.1, released in December 2023.
A technology publication reported that Coruna includes components previously seen in Operation Triangulation, a campaign that Russian cybersecurity firm Kaspersky claimed in 2023 was used in attempts to hack iPhones of its employees. Although leaks of government hacking tools are rare, they have occurred before. In 2017, the National Security Agency discovered that its Windows exploit EternalBlue had been stolen and later used in major cyberattacks, including the 2017 WannaCry ransomware attack linked to North Korea. In a separate case, Peter Williams, former head of defense contractor L3Harris Trenchant, was sentenced to more than 7 years in prison for selling 8 exploits capable of hacking “millions of computers and devices” worldwide. Prosecutors said at least 1 exploit was sold to a South Korean broker, though it remains unclear whether the vulnerabilities were ever patched.
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.



