An advanced iPhone exploit toolkit known as ‘Coruna’, originally developed by U.S. defense contractor L3Harris for Western intelligence use, has reportedly ended up in the hands of Russian espionage operators and Chinese cybercriminals. The report has caused serious concern in the security community, because it shows a state-grade exploit chain escaping the small circle of customers it was built for.
Origins and Development of the Coruna Toolkit
The Coruna toolkit comprises 23 hacking modules specifically designed to target Apple iPhones. This sophisticated set of tools was developed by Trenchant, the hacking division of U.S. military contractor L3Harris, intended for use by the United States and its allies in the Five Eyes intelligence alliance.
The toolkit was compromised when Peter Williams, a former general manager at Trenchant, allegedly stole eight of its components. Between 2022 and 2025, Williams sold these tools for $1.3 million to Operation Zero, a Russian exploit broker.
Unauthorized Distribution and Use
After acquiring the Coruna toolkit, Operation Zero reportedly redistributed the exploits to unauthorized users. This allowed a Russian espionage group identified by Google as UNC6353 to use Coruna in targeted attacks on Ukrainian iPhone users. Eventually, the toolkit made its way into the hands of Chinese cybercrime groups, who utilized it in extensive campaigns to steal financial assets, including cryptocurrency.
Technical Details and Security Implications
Google and the security firm iVerify have confirmed that Coruna targets iPhones running iOS versions from 13 through 17.2.1. The toolkit closely resembles the Operation Triangulation campaign that Kaspersky disclosed in 2023.
In particular, Coruna incorporates two exploits already associated with that campaign: Photon and Gallium. Photon exploits CVE-2023-32434, an integer overflow in the kernel’s memory-mapping code, to escalate privileges, while Gallium exploits CVE-2023-38606, abusing an undocumented hardware feature of Apple’s chips to write to protected memory and so bypass Apple’s Page Protection Layer (PPL), the mechanism that is supposed to stop even kernel-level code from modifying protected pages.
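The version range above is the one concrete datum a defender can act on. As an added example (not code from the article, Google or iVerify), here is a small fleet-triage script that checks an MDM-style inventory of iOS versions against that range. The inventory rows, device names and function names are constructed for illustration; only the iOS 13 to 17.2.1 range comes from the article. The point it makes is that version strings must be compared numerically, field by field, not as text.

```python
"""Fleet triage against the iOS version range the article attributes to Coruna.

Constructed example: the inventory rows below are made up; the range
(iOS 13 through 17.2.1) is the one reported in the article. Function and
field names are this example's own choices, not any vendor's API.
"""
from typing import List, Tuple

# Affected range as stated in the article: iOS 13 up to and including 17.2.1.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)


def parse_ios_version(s: str) -> Tuple[int, int, int]:
    """Turn '17.2.1', '16.5' or '17' into a comparable (major, minor, patch) tuple.

    Plain string comparison gets this wrong (a hypothetical '17.10' sorts
    below '17.2.1' lexically), so each field is compared as an integer.
    Unparseable input raises ValueError rather than silently landing
    outside the range.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_coruna_range(version: str) -> bool:
    """True if the version lies inside the range the article gives for Coruna."""
    return CORUNA_MIN <= parse_ios_version(version) <= CORUNA_MAX


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (device_name, version) pairs that still need attention.

    Devices inside the range are listed with their version; devices whose
    version cannot be parsed are listed with an UNPARSEABLE: prefix so they
    surface for manual review instead of being quietly skipped.
    """
    hits = []
    for name, version in inventory:
        try:
            if in_coruna_range(version):
                hits.append((name, version))
        except ValueError:
            hits.append((name, f"UNPARSEABLE:{version}"))
    return hits


# Constructed sample inventory (not real devices or real telemetry).
SAMPLE_INVENTORY = [
    ("ceo-iphone", "17.2.1"),   # last version inside the stated range
    ("sales-01", "17.10"),      # hypothetical; lexical compare would misplace it
    ("legal-02", "16.5"),       # two-field version, inside the range
    ("dev-03", "18.1"),         # above the range
    ("intern-04", "12.5.7"),    # below the range floor
    ("kiosk-05", "n/a"),        # bad inventory data, flagged for review
]

if __name__ == "__main__":
    for name, version in triage(SAMPLE_INVENTORY):
        print(f"{name}: {version}")
```

Note that "outside the range" here only means outside the range the article reports; it is not evidence that a newer build is safe, since the article itself says the toolkit comprises 23 modules and describes only two of them.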
The exploits’ internal names, such as Cassowary and Sparrow, follow the naming conventions used by L3Harris, suggesting a connection. Moreover, the logo Kaspersky chose for Operation Triangulation resembles that of L3Harris, hinting at the contractor’s involvement.
The leak underscores the danger of state-level cyberweapons reaching criminal networks: tooling built for a handful of intelligence customers ended up in financially motivated campaigns. How the exploits spread beyond Operation Zero remains unclear. For defenders, the concrete takeaway is the version range: any iPhone still on iOS 17.2.1 or earlier falls within the range Coruna is reported to cover, so fleet inventories should be checked for such devices and they should be updated.