iPhone Hacking Toolkit Tied to Russian Espionage May Have Originated in the U.S.


A highly advanced iPhone hacking toolkit, originally developed for Western intelligence agencies, has leaked into the hands of Russian spies and Chinese cybercriminals.

The exploit framework, known internally as “Coruna,” was likely created by Trenchant, the hacking and surveillance division of U.S. defense contractor L3Harris.

The case shows how even tightly controlled offensive cyber tooling, once it leaves its intended customer, can proliferate across the broader threat landscape.

The L3Harris Leak and Operation Zero

Coruna consists of 23 distinct software components designed to silently compromise Apple devices running iOS 13 through 17.2.1.

Security researchers from Google and mobile security firm iVerify reported that the toolkit was initially built for an unnamed government surveillance customer. The framework did not stay with that customer.

Between 2022 and mid-2025, Peter Williams, the former general manager of Trenchant, illicitly acquired at least eight of the company's protected hacking tools, as reported by TechCrunch.

Taking advantage of his top-level access, Williams sold these exploits for $1.3 million to Operation Zero, a sanctioned Russian broker that says it supplies zero-day vulnerabilities exclusively to the Russian government. Williams was recently sentenced to seven years in federal prison for the theft.

Following this massive leak, a Russian espionage group tracked by Google as UNC6353 deployed Coruna to target iPhones belonging to individuals in Ukraine.

U.S. Treasury officials noted that Operation Zero also had ties to the Trickbot ransomware gang, suggesting the tools were also shared with financially motivated criminals.

Eventually, the powerful exploit framework migrated again, reaching Chinese cybercriminal networks that used it for broad-scale financial theft and cryptocurrency operations.

Technical analysis shows direct connections between the Coruna framework and "Operation Triangulation," a sophisticated cyber espionage campaign disclosed in 2023 that targeted the iPhones of Russian diplomats, among others.

According to Google's threat intelligence team, two specific Coruna exploit chains, internally named Photon and Gallium by their developers, were used as zero-days during that campaign.

Researchers also identified deep structural similarities in a third toolkit module known as Plasma.

The toolkit’s various components frequently use bird-related codenames, such as Cassowary and Terrorbird.

This is a known naming convention of Azimuth Security, a startup that L3Harris previously acquired and merged into its Trenchant division.

While Kaspersky, which discovered Operation Triangulation, has not officially attributed it to a specific Western government, the timeline of Coruna's development and of Williams's data theft aligns closely with the spyware's real-world deployment.
