Security researchers have uncovered a powerful exploit toolkit capable of compromising iPhones running older software versions, raising concerns that government-developed hacking tools may have leaked into the hands of cybercriminals.
The toolkit, called Coruna, was first identified in February 2025 by researchers at Google during an attempt by a surveillance vendor to install spyware on a target device on behalf of a government client. Researchers later observed the same exploit kit used in broader attacks targeting Ukrainian users and in a separate campaign by a financially motivated hacker in China.
Emerging Market For Secondhand Exploits
Google said the repeated appearance of the Coruna toolkit suggests an emerging secondary market where advanced cyber-espionage tools are resold after their initial use.
Researchers warned that exploits originally developed for intelligence or law enforcement operations can spread beyond their intended users and eventually be used by criminal groups or other non-state actors.
Mobile security firm iVerify analyzed and reverse engineered the toolkit. The company said similarities between Coruna and previously documented hacking frameworks suggest the tools may have originated from a U.S. government program.
“The more widespread the use, the more certain a leak will occur,” iVerify said in a blog post, adding that the broader risk is that such tools inevitably “find their way into the wild.”
How The Coruna Exploit Works
According to Google researchers, the Coruna toolkit is capable of compromising an iPhone simply when a user visits a malicious website, a technique commonly known as a watering hole attack.
The exploit kit contains multiple attack pathways, allowing attackers to compromise devices through five separate exploit chains. In total, the toolkit relies on 23 vulnerabilities to bypass Apple’s security protections.
Devices running versions of iOS from iOS 13 through iOS 17.2.1, released in December 2023, may be affected if they remain unpatched.
Links To Previous Spyware Campaigns
According to reporting by Wired, components of the Coruna toolkit resemble those used in Operation Triangulation, a sophisticated hacking campaign uncovered in 2023.
At the time, Russian cybersecurity company Kaspersky said the operation targeted several iPhones belonging to its employees and attributed the campaign to the U.S. government.
History Of Leaked Government Cyber Tools
The discovery echoes previous cases in which state-developed hacking tools leaked into the wider cybercrime ecosystem.
In 2017, the National Security Agency confirmed that a hacking tool known as EternalBlue had been stolen. The exploit targeted Windows computers and was later used in several cyberattacks, including the global WannaCry ransomware attack attributed to North Korea.
Separately, former defense contractor executive Peter Williams of L3Harris Technologies was sentenced to more than seven years in prison after pleading guilty to stealing and selling multiple software exploits to brokers linked to the Russian government.
Prosecutors said the exploits Williams sold were capable of hacking millions of computers and connected devices worldwide. It remains unclear whether those vulnerabilities were disclosed to software developers or subsequently patched.
Featured image credits: Flickr
For more stories like it, click the +Follow button at the top of this page to follow us.