Coruna iPhone exploit kit tied to Russian spies likely came from stolen U.S. contractor tools
A powerful iPhone exploit kit called Coruna appears to have started as a Western government-grade capability before spreading to Russian spies and Chinese cybercriminals. Google says the toolkit contains five full iOS exploit chains and 23 exploits targeting iPhones running iOS 13.0 through 17.2.1, while TechCrunch reports that researchers now believe the tools likely originated with U.S. contractor L3Harris through its Trenchant division.
This is not just another spyware story. It is a case of advanced exploit tooling escaping its original chain of custody and ending up in much wider use. Google says Coruna first appeared in highly targeted operations run by a customer of a surveillance vendor, then showed up in watering hole attacks against Ukrainian users by suspected Russian espionage group UNC6353, and later in broad campaigns by China-based financially motivated actor UNC6691.
TechCrunch linked that broader spread to a separate case involving Peter Williams, the former general manager of Trenchant. Williams pleaded guilty to selling stolen hacking tools to Russian broker Operation Zero, and U.S. Treasury later said Operation Zero had acquired at least eight proprietary cyber tools created for the exclusive use of the U.S. government and select allies before reselling them to at least one unauthorized user.
That does not mean every detail of Coruna’s path is fully proven in public documents. Google says the exact proliferation route remains unclear. But the available evidence now points strongly in one direction: highly sophisticated iPhone exploitation tooling escaped from a tightly controlled ecosystem and started circulating far beyond its original intended users.
How Coruna spread
Google says Coruna was active across 2025 and moved through at least three distinct phases. It began in targeted operations by a customer of a surveillance vendor, then appeared in Russian-linked attacks against Ukrainian users, and finally surfaced in large-scale campaigns by a Chinese criminal actor.
iVerify, which independently analyzed the same toolkit, said its research corroborated Google’s findings and described Coruna as one of the clearest examples of spyware-grade capabilities moving from commercial surveillance vendors into the hands of nation-state actors and then mass-scale criminal operations.
That pattern makes this story more serious than a typical zero-day disclosure. The danger is not only the exploit kit itself. The danger is the reuse cycle. Once a toolkit like this leaks, different actors can repurpose the same framework for very different goals, from espionage to crypto theft. This is an inference supported by Google’s and iVerify’s descriptions of how Coruna moved across actors and use cases.
Why researchers think a U.S. contractor sat near the origin
TechCrunch reported that researchers tied Coruna to L3Harris’s hacking division, Trenchant, which sold offensive tools to the U.S. government and Five Eyes partners. In a separate case, Peter Williams, Trenchant’s former general manager, was sentenced after pleading guilty to selling stolen tools to Russian exploit broker Operation Zero.
The Treasury Department added more weight to that link when it announced sanctions on Operation Zero in February 2026. Treasury said the Russian broker acquired at least eight proprietary cyber tools created for the exclusive use of the U.S. government and select allies, then sold those stolen tools to at least one unauthorized user.
Google itself did not directly name L3Harris in its Coruna report. Instead, it said the exact path of proliferation was unclear. So the cleaner conclusion is this: Google confirmed the exploit kit’s use by Russian and Chinese actors, while TechCrunch, iVerify, Treasury, and the Williams case provide the strongest public evidence that stolen U.S.-linked contractor tools likely played a role in how Coruna spread.
What the toolkit can do
Google says Coruna targets iPhones running iOS 13.0 through 17.2.1 and includes five complete exploit chains built from 23 exploits. The company describes the toolkit as using advanced non-public exploitation techniques and mitigation bypasses. Google also says Coruna does not work against the latest version of iOS and strongly urged users to update.
iVerify’s analysis adds that the toolkit supports one-click compromise chains with Safari remote code execution followed by local privilege escalation. The company also said it found payloads aimed at financial theft, including modules targeted at cryptocurrency wallets.
Several parts of Coruna also overlap with previously exposed iPhone attack research. The Register, citing Kaspersky’s prior work on Operation Triangulation, noted that two internal exploit names associated with Coruna, Photon and Gallium, align with CVE-2023-32434 and CVE-2023-38606. Kaspersky’s own Operation Triangulation research confirms those CVEs played a role in that earlier espionage campaign.
Coruna at a glance
| Item | Details |
|---|---|
| Exploit kit name | Coruna |
| Reported by | Google Threat Intelligence Group |
| Total exploits | 23 |
| Full exploit chains | 5 |
| Affected iOS range | iOS 13.0 to 17.2.1 |
| Russian-linked use | UNC6353 targeting Ukrainian users |
| China-linked use | UNC6691 in broad financial theft campaigns |
| Likely origin story | Public reporting points to tools stolen from L3Harris Trenchant and sold to Operation Zero |

What iPhone users should do now
- Update to the latest version of iOS. Google says Coruna does not work on the latest iOS release.
- Turn on Lockdown Mode if you face elevated risk and cannot update immediately. Google recommends it, and Apple says Lockdown Mode is available under Settings, then Privacy & Security, then Lockdown Mode.
- Treat unexpected links and unfamiliar websites with extra caution, especially on older iPhones that may still run vulnerable versions. This is an inference based on Google’s and iVerify’s findings that Coruna was delivered through web-based exploit chains and watering hole infrastructure.

Why this story matters
Coruna shows what can happen when state-grade or contractor-grade cyber capabilities escape the small circle they were built for. Google’s report already showed the leap from espionage use to broader criminal campaigns. The Williams case and Treasury sanctions add a second warning: once stolen exploit tools enter the broker market, containment becomes much harder.
For years, the usual fear around iPhone zero-days focused on limited, high-end espionage. Coruna suggests that model may be changing. iVerify called it the first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state. That makes this less about a single campaign and more about the breakdown of the old assumption that elite mobile exploits stay elite for long.
FAQ
Coruna is a powerful iPhone exploit kit identified by Google Threat Intelligence Group. Google says it contains 23 exploits across five full exploit chains targeting iPhones running iOS 13.0 through 17.2.1.
Google says Coruna was first used in highly targeted operations by a surveillance vendor customer, then by Russian-linked group UNC6353 against Ukrainian users, and later by China-based actor UNC6691 in broader criminal campaigns.
No. Google did not directly name L3Harris and said the exact proliferation path remains unclear. The L3Harris connection comes from TechCrunch reporting, iVerify analysis, Treasury sanctions, and the Peter Williams case.
Public reporting says former Trenchant boss Peter Williams sold stolen hacking tools to Russian broker Operation Zero between 2022 and 2025. Treasury later said Operation Zero acquired at least eight stolen proprietary cyber tools and sold them onward to at least one unauthorized user.
Yes. Google says the toolkit does not affect the latest iOS version, and both Google and Apple recommend updating. Lockdown Mode also adds protection for users at higher risk.