The bottom line: A suite of iPhone hacking tools called Coruna (containing 23 exploits across five attack chains) has leaked from what researchers believe was a US military contractor. Google and iVerify found it being used by Russian spies against Ukrainians and Chinese cybercriminals stealing cryptocurrency. At least 42,000 iPhones have been compromised. If you're running iOS 17.2.1 or older, update immediately.

What Is Coruna?

Coruna is a sophisticated iOS exploit framework, essentially a complete hacking toolkit for iPhones. Security researchers at Google's Threat Intelligence Group first spotted it in February 2025, when a surveillance vendor tried to use it against a target on behalf of a government customer [1].

The kit targets iOS versions 13 through 17.2.1. That's a lot of phones. While Apple's latest software isn't vulnerable, millions of people run older versions.

What makes Coruna dangerous isn't just the exploits. It's the whole package:

  • 23 separate exploits across five full attack chains
  • Works through websites: no user interaction needed beyond visiting a page
  • Four layers of obfuscation to avoid detection
  • Automatically avoids devices with Lockdown Mode enabled

The attackers don't need you to click anything. Visit a compromised website, and if your iPhone is running vulnerable software, they're in.

Who Built These Tools?

Mobile security firm iVerify traced Coruna to US government origins. Their evidence: the code quality was exceptional, and comments in the source code contained "insider jokes and insider remarks" consistent with US defense contractor culture [2].

Researchers point to L3Harris, specifically their Trenchant division, which develops offensive hacking tools for government clients. The exploit naming convention uses bird species like "Sparrow," "Cassowary," and "Terrorbird." Trenchant's famous exploit chain was called "Condor."

The connection gets darker. In February 2026, Peter Williams (former general manager at L3Harris) was sentenced for selling zero-day exploits to Operation Zero, a Russian broker. That may explain how US government tools ended up in Russian hands [3].

iVerify's Rocky Cole was blunt about it: "While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn't overshadow the knowledge that these tools will find their way into the wild."

Who's Using It Now

The toolkit has spread. Google identified at least three distinct user groups:

  • July 2025: Russian espionage group UNC6353 deployed Coruna through compromised Ukrainian websites. The targets: people in a war zone, likely government officials and military personnel.
  • December 2025: Chinese threat actor UNC6691 set up fake finance websites to deliver the exploits. Their goal: stealing cryptocurrency from wallets like MetaMask, Exodus, and Bitget.
  • Unknown: The original surveillance vendor customer, whoever they are.

What started as a government surveillance tool is now being used for financial crime. The Chinese group had the complete toolkit: all 23 exploits, all five chains.

How the Attack Works

Coruna operates through six stages [4]:

  1. Fingerprinting: Hidden JavaScript on a compromised website profiles your device. It checks iOS version, browser type, and whether you're worth attacking.
  2. Initial exploit: A WebKit vulnerability (CVE-2024-23222) gives the attacker code execution in Safari.
  3. ASLR bypass: The attack defeats Apple's memory randomization defenses.
  4. Sandbox escape: The attacker breaks out of Safari's security container.
  5. PAC bypass: On Apple Silicon devices, it defeats pointer authentication, Apple's hardware security feature.
  6. Payload delivery: A module called PlasmaLoader runs, fetching additional malware from command servers.

The whole thing happens invisibly. No warnings, no prompts. Just a normal-looking website with a hidden iframe doing the dirty work.
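The delivery mechanism described above, a hidden iframe on an otherwise normal page, is something a site owner can check for in their own HTML. The following is an added example, not code from the article or from Google or iVerify: it parses a page with the standard library, flags every iframe that is hidden by inline style, the `hidden` attribute, or zero-size dimensions, and notes whether the frame loads from a host other than the site itself. The sample HTML is constructed and its hostnames are placeholders.

```python
"""Flag hidden iframes in a page's HTML (added example; sample page is constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # bare attributes such as `hidden` arrive with value None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimensions(attrs):
    """Effective width/height, with inline style overriding the attributes."""
    dims = {p: attrs.get(p, "") for p in ("width", "height")}
    for decl in attrs.get("style", "").lower().split(";"):
        if ":" in decl:
            prop, val = (s.strip() for s in decl.split(":", 1))
            if prop in dims:
                dims[prop] = val
    return dims


def hidden_reasons(attrs):
    """Return the reasons an iframe would be invisible to the visitor."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("style hides frame")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    for prop, val in _dimensions(attrs).items():
        num = val.strip().rstrip("px").strip()
        if num.isdigit() and int(num) <= 1:  # 0 or 1 pixel: nothing to see
            reasons.append(f"{prop} is {num}")
    return reasons


def scan_iframes(html, site_host):
    """List hidden iframes and whether each loads content from another host."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        findings.append({"src": src, "offsite": host != site_host, "reasons": reasons})
    return findings


# Constructed page: one ordinary embed plus three hidden frames.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.attacker.invalid/land.html" style="display:none"></iframe>
<iframe src="//cdn.attacker.invalid/fp.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="/widgets/chat" hidden></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_iframes(SAMPLE_HTML, "www.example.test"):
        flag = "OFF-SITE" if f["offsite"] else "on-site"
        print(f"{flag:8} {f['src']}  ({', '.join(f['reasons'])})")
```

A hidden on-site frame is often a legitimate widget, so the off-site flag is the one that deserves a look first; run it against a saved copy of the live page rather than the source in your repository, since the article's point is that the injected iframe was not put there by the site owner.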

Connection to Operation Triangulation

This isn't the first time these tools have surfaced. Google and iVerify linked Coruna to Operation Triangulation, a 2023 campaign that targeted Kaspersky employees and Russian government devices [5].

That operation was attributed to US intelligence. The exploits used in Triangulation included "Photon" and "Gallium", both found in the Coruna kit.

So the same tools allegedly used by American spies against Russian targets are now being used by Russian spies against Ukrainian targets, and by Chinese criminals stealing crypto. The exploit supply chain has come full circle.

How Bad Is It?

iVerify confirmed at least 42,000 compromised iPhones, and they expect that number to grow. Spencer Parker from iVerify called it "massive" for iOS platforms [6].

This is unusual. Most iOS attacks are highly targeted: specific journalists, activists, politicians. Coruna is being used for mass exploitation. The Chinese cryptocurrency theft campaign hit anyone who visited the fake finance sites.

The affected iOS versions:

  • iOS 13.x: Neutron/Dynamo chains
  • iOS 14.x - 15.x: Buffout, Jacurutu, Photon, Gallium chains
  • iOS 16.x: IronLoader, Parallax, Terrorbird, Cassowary chains
  • iOS 17.0 - 17.2.1: Sparrow/Rocket chain

If you're running iOS 17.3 or later, you're not vulnerable to these specific exploits. But that doesn't mean you're safe, just that these particular tools won't work.

What You Should Do

  1. Update your iPhone now. Go to Settings → General → Software Update. If you're running anything older than iOS 17.3, you're a potential target.
  2. Enable Lockdown Mode if you're at elevated risk (journalist, activist, government worker). The Coruna kit specifically avoids devices with Lockdown Mode enabled.
  3. Be suspicious of unfamiliar websites, especially finance or crypto-related sites you haven't used before.
  4. Check your cryptocurrency wallets if you visited unknown finance sites recently. The Chinese campaign specifically targeted MetaMask, Exodus, Bitget, and Base wallets.

Lockdown Mode lives in Settings → Privacy & Security → Lockdown Mode. It restricts some features but blocks known attack vectors.
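Step 1 comes down to a version comparison, and version strings compare badly as plain text ("17.10" sorts before "17.2.1" alphabetically). The following added example, not from the article or from iVerify, turns the affected-version table above into a check that an administrator can run over an exported device inventory. The CSV inventory is constructed, and its column names are assumptions about whatever export your MDM produces.

```python
"""Triage an iOS device inventory against the affected ranges (added example)."""
import csv
import io

# Inclusive ranges and chain names as the article lists them; iOS 17.3 and
# later fall outside every range. Versions below 13 are not in the article's
# table and return None here, so check them separately.
AFFECTED = [
    ((13, 0, 0), (13, 999, 999), "Neutron/Dynamo"),
    ((14, 0, 0), (15, 999, 999), "Buffout/Jacurutu/Photon/Gallium"),
    ((16, 0, 0), (16, 999, 999), "IronLoader/Parallax/Terrorbird/Cassowary"),
    ((17, 0, 0), (17, 2, 1), "Sparrow/Rocket"),
]


def parse_ios_version(text):
    """'17.2.1' -> (17, 2, 1); '17.2' -> (17, 2, 0). Raises ValueError on junk."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad so tuples compare component-wise


def affected_chains(version):
    """Chain family that covers this version, or None if it is outside the table."""
    v = parse_ios_version(version)
    for low, high, chains in AFFECTED:
        if low <= v <= high:
            return chains
    return None


def triage_inventory(csv_text):
    """Return (device_id, os_version, chains) for every device that needs attention."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            chains = affected_chains(row["os_version"])
        except ValueError:
            chains = "unparseable version, check manually"
        if chains:
            flagged.append((row["device_id"], row["os_version"], chains))
    return flagged


# Constructed inventory; column names are assumed, not from any real MDM.
SAMPLE_INVENTORY = """device_id,os_version
ipad-001,17.2.1
iphone-002,17.3
iphone-003,17.10
iphone-004,16.7.5
iphone-005,15.8
iphone-006,13.7
iphone-007,unknown
"""

if __name__ == "__main__":
    for device, version, chains in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device:12} {version:8} {chains}")
```

Note that iphone-003 on 17.10 is correctly left alone while ipad-001 on 17.2.1 is flagged; a naive string comparison against "17.3" would get both wrong.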

The Bigger Problem

Governments build hacking tools. Those tools leak. Criminals use them.

This keeps happening. The NSA's EternalBlue exploit leaked in 2017 and powered WannaCry ransomware. Now we have US iPhone exploits in the hands of Russian spies and Chinese criminals.

The surveillance industry creates weapons that escape containment. When a US military contractor builds a toolkit that can compromise any iPhone from iOS 13 to 17.2.1, and that toolkit ends up being sold through Russian brokers, the "national security" justification falls apart.

42,000 people, at minimum, are paying the price for someone else's offensive capabilities. The tools that were supposed to target adversaries are now targeting everyone.

References

  1. TechCrunch - A suite of government hacking tools targeting iPhones is now being used by cybercriminals
  2. CyberScoop - Possible U.S.-developed exploits linked to first known 'mass' iOS attack
  3. The Hacker News - Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains
  4. Nextgov - Potential US-built hacking tools obtained by foreign spies and cybercriminals
  5. TechCrunch - US military contractor likely built iPhone hacking tools used by Russian spies
  6. SC Media - Coruna exploit kit: Suspected government hacking tools surface in cybercriminal hands

Published: March 16, 2026