Leaked Coruna iPhone Exploit Toolkit Used by Russian Spies and Cybercriminals
A sophisticated iPhone exploit toolkit called “Coruna”, originally developed for Western intelligence agencies, has reportedly ended up in the hands of Russian spies and Chinese cybercriminals. The toolkit was created by L3Harris Technologies through its Trenchant hacking division and contains 23 components designed to compromise Apple iPhones. The tools were intended for use by the United States and its Five Eyes intelligence partners but were leaked after a former manager allegedly stole several internal exploits and sold them to a Russian exploit broker.


Between 2022 and 2025, the stolen tools were reportedly sold for $1.3 million to Operation Zero, a sanctioned Russian exploit marketplace. After acquiring the exploits, the broker allegedly resold them to other groups, allowing a Russian espionage group known as UNC6353 to launch watering-hole attacks targeting Ukrainian iPhone users. The toolkit later circulated further, eventually being used by Chinese cybercriminal gangs in large-scale campaigns to steal money and cryptocurrency.


Security researchers say Coruna targets iPhones running iOS 13 to iOS 17.2.1 and shares similarities with Operation Triangulation uncovered in 2023. Two internal exploits—Photon and Gallium—match known iOS vulnerabilities used in that campaign. Experts warn that the incident highlights the serious risks when advanced government-developed cyber tools leak into the criminal underground.