Security researchers have discovered a powerful set of iPhone hacking tools that appear to have leaked from a government customer and are now being used by cybercriminals and espionage groups.

Google said it first identified the exploit kit, called Coruna, in February 2025 when a surveillance vendor attempted to use spyware to hack a phone on behalf of a government client. Months later, the same tools were spotted in a large campaign targeting Ukrainian users carried out by a Russian espionage group. Researchers later found the exploit kit being used by a financially motivated hacker operating from China.

It is still unclear how the hacking tools leaked or spread beyond their original customer. However, Google researchers warned that a growing market for secondhand exploits may be emerging. In this market, vulnerabilities originally developed for government use are resold or reused by hackers looking to profit from them.

Mobile security company iVerify analyzed the Coruna exploit kit and said it found evidence linking the tools to the U.S. government. The company based its conclusion on similarities between Coruna and other hacking tools previously attributed to U.S. intelligence operations. iVerify said the broader issue is not just the possible origin of the tools, but the risk that such capabilities eventually leak and spread.

Researchers explained that the more widely these tools are used, the higher the chance that they will escape into the wild. Once leaked, they can be reused by criminals, espionage groups, or other non-state actors.

Google described the exploit kit as extremely powerful. Attackers can compromise an iPhone simply by getting the target to visit a malicious website containing the exploit code. This type of attack is often called a watering hole attack, where victims are directed to a compromised site that silently installs spyware.

The Coruna toolkit can break into iPhones in five different ways by chaining together a total of 23 vulnerabilities. The exploits affect devices running iOS 13 through iOS 17.2.1, which was released in December 2023.

According to reports, parts of the Coruna toolkit resemble components used in an earlier hacking campaign known as Operation Triangulation. In 2023, Russian cybersecurity firm Kaspersky claimed that the U.S. government had attempted to hack several iPhones belonging to its employees using similar techniques.

Leaks of advanced government hacking tools are rare but not unprecedented. In 2017, tools developed by the U.S. National Security Agency were stolen and later released online. One of those tools, known as EternalBlue, was eventually used in major cyberattacks including the WannaCry ransomware outbreak that spread worldwide.

Another recent case involved Peter Williams, a former executive at the U.S. defense contractor L3Harris Trenchant. He was sentenced to more than seven years in prison after admitting that he stole and sold eight hacking exploits to a broker believed to work with the Russian government.


Prosecutors said the exploits Williams sold were capable of hacking millions of computers and devices worldwide. At least one of the exploits was reportedly sold to a broker in South Korea, and it remains unclear whether those vulnerabilities were ever reported to software makers or patched.
