Government iPhone Hacking Tools Now Used by Cybercriminals

By alex2404

A set of powerful iPhone hacking tools, first observed in use by a government-linked surveillance vendor, has since been picked up by Russian state-sponsored spies and a financially motivated cybercriminal in China, according to research published Tuesday by Google.

Google identified the exploit kit, named Coruna, in February 2025 after spotting it during an attempt to install spyware on a target’s iPhone on behalf of a government customer. The same toolkit later appeared in a broad campaign against Ukrainian users attributed to a Russian espionage group, and then again in an operation run by a China-based hacker seeking financial gain. How the tools spread between these actors remains unknown.

What the Coruna Kit Can Do

The toolkit is formidable by any measure. It can compromise an iPhone through a “watering hole” attack, meaning a target only needs to visit a malicious website to have their device taken over. No clicks beyond that are required.

Coruna chains together 23 separate vulnerabilities to attack iPhones in five distinct ways. Affected devices run iOS versions from iOS 13 through iOS 17.2.1, the release issued in December 2023. Any iPhone on older software within that range is potentially exposed.

Mobile security firm iVerify reverse-engineered the tools and linked Coruna to the U.S. government, citing similarities to hacking frameworks previously attributed to American intelligence operations. The company also connected components of the kit to Operation Triangulation, a 2023 campaign that Russian cybersecurity firm Kaspersky alleged was a U.S. government effort to hack iPhones belonging to its employees.

“The more widespread the use, the more certain a leak will occur,” iVerify wrote. “While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

A Growing Market for Secondhand Exploits

Google researchers flagged what they described as an emerging market for “secondhand” exploits, tools originally built for government intelligence work that are later sold or leaked to criminal actors looking to extract further value from them.

The phenomenon is not new. In 2017, the U.S. National Security Agency lost a Windows hacking tool called EternalBlue after it was stolen and subsequently published. Cybercriminals later used it in the WannaCry ransomware attack, which North Korea orchestrated that same year.

A more recent case illustrates the same risk from the inside. Peter Williams, former head of U.S. defense contractor L3Harris Trenchant, was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker with known ties to the Russian government. Prosecutors said the stolen tools could hack into “millions of computers and devices” worldwide, and at least one was sold to a South Korean broker. Whether the affected software makers were ever notified or issued patches is not publicly known.

The Coruna case reinforces a pattern that security researchers have warned about for years: offensive tools built by or for governments do not stay contained. Once created, they carry a half-life measured not in years, but in the time it takes for one sufficiently motivated actor to acquire them.


This article is a curated summary based on third-party sources.