NextFin News - A sophisticated iPhone-hacking toolkit originally developed by a U.S. military contractor has surfaced in a mass surveillance and cybercrime campaign targeting users across Ukraine and China. The toolkit, internally dubbed "Coruna," represents a rare and alarming instance of high-grade Western cyber-weaponry leaking into the hands of both Russian state intelligence and Chinese financial criminals. According to a report released by Google’s Threat Intelligence Group, the exploit kit was first identified in early 2025 but has since proliferated through a secondary market for "second-hand" zero-day vulnerabilities, marking a shift from surgical, state-sponsored strikes to broad-scale digital predation.
The technical architecture of Coruna is formidable, comprising 23 distinct components that form five complete exploit chains. These tools were designed to compromise iPhones running versions of iOS ranging from 13.0 to 17.2.1, a window that covers devices released between 2019 and late 2023. While the toolkit was initially used in "highly targeted operations" by an unnamed government client, its trajectory took a dark turn. Russian espionage groups deployed the code on compromised Ukrainian websites to track specific geolocated users, while Chinese hackers later repurposed the same exploits for "broad-scale" campaigns aimed at draining cryptocurrency wallets and stealing financial data.
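The iOS version window above is the one concrete number a defender can act on right away. As an added example (not code from Google's report, from Apple, or from the toolkit itself), the following Python script turns that window into an inventory check: it parses dotted iOS versions into comparable tuples, so that "17.10" sorts after "17.2.1" rather than before it as a plain string compare would, and flags devices whose reported version falls inside the 13.0 to 17.2.1 range. The inventory format (records carrying an `os_version` field) and the sample records are constructed assumptions; substitute your MDM export.

```python
from typing import Iterable, List, Tuple

# Affected window as reported for the Coruna chains (iOS 13.0 through 17.2.1).
AFFECTED_MIN = "13.0"
AFFECTED_MAX = "17.2.1"


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted iOS version string into a comparable integer tuple.

    Padding to three components makes "17.2" compare as (17, 2, 0), and tuple
    comparison avoids the classic string-compare bug where "17.10" sorts
    before "17.2".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric iOS version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_in_affected_window(version: str,
                          lo: str = AFFECTED_MIN,
                          hi: str = AFFECTED_MAX) -> bool:
    """True if `version` lies inside [lo, hi] inclusive."""
    v = parse_ios_version(version)
    return parse_ios_version(lo) <= v <= parse_ios_version(hi)


def triage_devices(devices: Iterable[dict]) -> List[dict]:
    """Return the records whose reported iOS version falls in the window.

    Each record is assumed to carry an "os_version" field (field name is an
    assumption, not a standard). Unparseable or missing versions are flagged
    for manual review rather than silently skipped, so a dirty inventory
    cannot hide an exposed device.
    """
    exposed = []
    for d in devices:
        try:
            if is_in_affected_window(d["os_version"]):
                exposed.append(dict(d, reason="in affected window"))
        except (KeyError, ValueError) as e:
            exposed.append(dict(d, reason=f"needs manual review: {e}"))
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        {"serial": "DEV-001", "os_version": "17.2.1"},
        {"serial": "DEV-002", "os_version": "17.3"},
        {"serial": "DEV-003", "os_version": "17.10"},
        {"serial": "DEV-004", "os_version": "12.5.7"},
        {"serial": "DEV-005", "os_version": "16.7.5"},
        {"serial": "DEV-006", "os_version": "unknown"},
    ]
    for rec in triage_devices(sample):
        print(rec["serial"], rec.get("os_version"), "->", rec["reason"])
```

The window test is a coarse exposure check, not proof of compromise: a device inside the range should be updated and, for high-risk users, moved to Lockdown Mode, while a device outside it is only safe from these particular chains if the release it runs actually includes Apple's fixes for the bugs they use, which is worth confirming against Apple's security release notes rather than the version number alone.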
Evidence linking the toolkit to the U.S. defense sector centers on L3Harris, specifically its Trenchant division. Two former employees of the contractor confirmed to TechCrunch that Coruna was an internal project name for a suite of hacking tools developed for the U.S. government and its "Five Eyes" intelligence allies. The leak appears to be tied to the case of Peter Williams, a former Trenchant general manager who was sentenced to seven years in prison last month. Williams admitted to stealing and selling eight proprietary hacking tools to Operation Zero, a Russian zero-day broker, for $1.3 million. This breach effectively handed the keys to millions of Apple devices to a sanctioned Russian entity that maintains ties with both the Kremlin and ransomware syndicates like Trickbot.
The fallout from this leak extends beyond immediate security breaches, highlighting the inherent instability of the global surveillance-for-hire industry. When a contractor like L3Harris develops a "zero-click" exploit, it creates a weapon that remains potent against every device on which the underlying vulnerability has not been patched and the fix actually installed. If that weapon is stolen or resold, the original developer no longer controls who it is used against. In this instance, tools meant for Western intelligence were turned against Ukrainian civilians and global financial systems. The reuse of specific exploits, such as those named "Photon" and "Gallium," also connects Coruna to "Operation Triangulation," a 2023 campaign that targeted Russian diplomats and was previously attributed by Moscow to the U.S. National Security Agency.
For Apple, the discovery of Coruna is a reminder of the persistent value of the iOS ecosystem to state actors and criminals alike. While the company has introduced "Lockdown Mode" to protect high-risk users, the mass deployment of these tools on public-facing websites suggests that the barrier to entry for sophisticated mobile hacking is falling. The transition of Coruna from a classified military asset to a tool for Chinese crypto-thieves illustrates a "trickle-down" effect in the exploit market, where yesterday’s state secrets become today’s criminal commodities. As the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds these vulnerabilities to its "Known Exploited Vulnerabilities" catalog, the focus shifts to the accountability of the private contractors who build these digital munitions in the first place.
