A sophisticated suite of hacking tools, originally developed for government intelligence operations and capable of compromising iPhones running older software, has tragically transitioned from state-sponsored use into the hands of cybercriminals, according to a stark warning issued by security researchers. This alarming proliferation highlights a burgeoning, and deeply concerning, market for "secondhand" exploits, where powerful surveillance capabilities are being resold and repurposed for malicious, financially driven purposes.
Google’s Threat Intelligence team first unearthed this potent exploit kit, codenamed "Coruna," in February 2025. Their initial discovery occurred during a targeted attack orchestrated by a surveillance vendor on behalf of a government client, aiming to infiltrate a specific individual’s iPhone. The sophisticated nature of the exploit immediately raised red flags. However, the true scope of its threat became more apparent months later when the same Coruna exploit kit was identified in a broad-scale espionage campaign targeting Ukrainian users, attributed to a Russian intelligence group. The trajectory of its misuse continued to widen as it was subsequently found in the arsenal of a financially motivated hacker operating out of China, demonstrating a chilling adaptability and reach across different threat actor types and geographic locations.
The exact pathways through which these powerful tools leaked and proliferated remain opaque, fueling speculation and underscoring the inherent risks associated with developing and deploying such advanced cyber capabilities. Nevertheless, Google’s security researchers have articulated a clear concern: the emergence of a lucrative secondary market where exploits, once held exclusively by governments or their contractors, are being sold to hackers motivated by financial gain. This "secondhand" market allows for the extraction of maximum value from each exploit, as they are repackaged and deployed against a wider array of targets, often with less sophisticated defenses.
This alarming trend underscores a critical vulnerability in the cybersecurity ecosystem: the potential for exploits and backdoors, meticulously crafted for government intelligence gathering, to escape secure environments and be maliciously abused by cybercriminals and other non-state actors. The implications are profound, suggesting that the very tools designed to protect national security could be weaponized against civilians and critical infrastructure.
Further investigation by mobile security company iVerify provided crucial insights into the Coruna exploit kit. After obtaining and meticulously reverse-engineering the hacking tools, iVerify published a blog post detailing their findings. Based on significant similarities to previously identified hacking tools attributed to the United States government, iVerify stated that they linked the Coruna exploit kit to U.S. government origins. This assertion, if accurate, paints a particularly troubling picture of how highly classified government cyber tools can inadvertently find their way into the public domain.
"The more widespread the use, the more certain a leak will occur," iVerify stated in their analysis, emphasizing the inherent risks associated with the broad deployment of such advanced cyber weaponry. "While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors." This sentiment highlights the double-edged sword of advanced cyber capabilities; while they can be invaluable for national security, their very power and complexity make them attractive targets for theft and resale.
The Coruna hacking tools are described as exceptionally potent because they bypass an iPhone’s robust security defenses with alarming ease. The exploit can be triggered simply by a user visiting a malicious website hosting the exploit code, a technique commonly referred to as a "watering hole" attack. A seemingly innocuous link that redirects to such a compromised website can therefore be enough to initiate the attack. According to Google’s research, the Coruna kit is capable of compromising an iPhone through five distinct attack vectors, leveraging a formidable arsenal of 23 separate vulnerabilities that can be chained together into a complex and highly effective attack pathway. The scope of affected devices is significant, encompassing iPhone models running iOS versions from iOS 13 all the way up to iOS 17.2.1, which was released in December 2023. This wide range of affected versions means that a substantial number of iPhones, even those running relatively recent software updates, could be vulnerable.
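As an added defender-side example (not code from the article, Google or iVerify), the following Python flags devices in a constructed fleet inventory whose iOS version falls inside the range the article reports for Coruna (iOS 13 through 17.2.1), comparing version components numerically so that builds such as 17.10 are not mistaken for affected ones.

```python
"""Fleet triage against the iOS range the article reports for Coruna.

Added example, not code from the article, Google, or iVerify. The device
inventory below is constructed sample data; only the version bounds come
from the article.
"""
from typing import List, Tuple

# Bounds reported for Coruna: iOS 13 up to and including iOS 17.2.1.
CORUNA_MIN_IOS = "13"
CORUNA_MAX_IOS = "17.2.1"


def parse_ios_version(version: str) -> Tuple[int, ...]:
    """Turn '17.2.1' into (17, 2, 1) so versions compare numerically.

    Plain string comparison gets this wrong ('17.10' < '17.9' as text),
    which is exactly how an inventory query silently misclassifies devices.
    Missing trailing components are treated as zero ('17.2' == '17.2.0').
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def in_coruna_range(version: str) -> bool:
    """True if the iOS version lies within the affected range from the article."""
    v = parse_ios_version(version)
    return parse_ios_version(CORUNA_MIN_IOS) <= v <= parse_ios_version(CORUNA_MAX_IOS)


def triage_inventory(devices: List[Tuple[str, str]]) -> List[str]:
    """Return device IDs whose iOS build is inside the affected range.

    Builds above 17.2.1 are not flagged because the reported range ends there;
    devices that cannot update past the range need a separate mitigation plan.
    """
    return [dev_id for dev_id, ios in devices if in_coruna_range(ios)]


# Constructed sample MDM export: (device id, reported iOS version).
SAMPLE_INVENTORY = [
    ("ip-0001", "17.2.1"),   # last affected build
    ("ip-0002", "17.3"),     # just past the range
    ("ip-0003", "12.5.7"),   # below the range
    ("ip-0004", "13.0"),     # first affected major version
    ("ip-0005", "16.7.10"),  # numeric ordering of the patch component matters
    ("ip-0006", "17.10"),    # would sort inside the range if compared as text
]

if __name__ == "__main__":
    for dev in triage_inventory(SAMPLE_INVENTORY):
        print("within reported Coruna range:", dev)
```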
The initial reporting on the Coruna kit was published by Wired, which revealed that the kit contains components previously utilized in a hacking campaign dubbed "Operation Triangulation." This connection is significant because, in 2023, Russian cybersecurity firm Kaspersky claimed that the U.S. government had attempted to hack several iPhones belonging to its employees. The overlapping components suggest a potential continuity or evolution of U.S. government hacking methodologies, which have now evidently been compromised and made available to other actors.
While leaks of highly sensitive hacking tools are thankfully rare, they are not unprecedented. A prominent historical example occurred in 2017 when the U.S. National Security Agency (NSA) discovered that sophisticated tools it had developed for hacking into Windows computers globally had been stolen. The leaked Windows backdoor, infamously known as "EternalBlue," was subsequently published and exploited by cybercriminals in a devastating wave of subsequent attacks. The most notable of these was the 2017 WannaCry ransomware attack, widely attributed to North Korea, which crippled systems worldwide and caused billions of dollars in damages. This historical precedent serves as a stark reminder of the long-term consequences of such leaks.
More recently, TechCrunch has reported on a case that further illustrates the dangers of insider threats and the illicit trade in cyber exploits. Peter Williams, the former head of the U.S. defense contractor L3Harris Trenchant, was sentenced to over seven years in prison after pleading guilty to stealing and selling eight exploits to a broker known to be affiliated with the Russian government. According to prosecutors, Williams’ actions involved selling exploits capable of compromising "millions of computers and devices" globally. The indictment further revealed that at least one of these exploits was sold to a South Korean broker. The crucial question of whether these exploits were ever disclosed to the software makers for patching, or if they remain unaddressed vulnerabilities in the wild, remains unclear, adding another layer of uncertainty and potential risk.
The Coruna incident, alongside these historical and recent examples, paints a grim picture of the evolving landscape of cyber threats. The blurring lines between government intelligence tools and criminal arsenals, coupled with the lucrative nature of exploit markets, present a formidable challenge to global cybersecurity. The proliferation of such powerful tools necessitates a renewed focus on securing these capabilities, enhancing intelligence sharing, and fostering international cooperation to combat the ever-present threat of state-sponsored and financially motivated cybercrime. The implications for individual privacy, national security, and the stability of the digital world are profound, demanding immediate attention and robust countermeasures.
The ease with which Coruna can compromise iPhones, even those running relatively recent iOS versions, underscores the constant arms race between exploit developers and security defenders. The reliance on chaining multiple vulnerabilities highlights the sophisticated understanding required to build such exploit kits, further emphasizing the value and danger of their diffusion into the black market. As researchers continue to analyze the Coruna kit and its origins, the cybersecurity community will be watching closely for any further revelations about its spread and potential impact. The incident serves as a critical case study in the inherent risks of developing and deploying powerful offensive cyber tools and the urgent need for stringent controls and oversight to prevent them from falling into the wrong hands. The future of cybersecurity hinges on our ability to learn from these breaches and adapt our defenses accordingly.