iPhone Exploit Toolkit Used by Russian Spies Likely Originated from U.S. Contractor



A powerful iPhone exploit kit named “Coruna,” initially created for Western intelligence by U.S. contractor L3Harris, has fallen into the hands of Russian spies and Chinese cybercriminals.

The Coruna toolkit features 23 different hacking components designed to compromise Apple iPhones.

Trenchant, the hacking division of U.S. military contractor L3Harris, originally built it for use by the United States and its Five Eyes intelligence allies.

However, the toolkit leaked when Peter Williams, a former Trenchant general manager, acted as an insider threat and stole eight of the company’s tools.

From 2022 to 2025, Williams sold these exploits for $1.3 million to Operation Zero, a sanctioned Russian exploit broker.

After acquiring the stolen tools, Operation Zero allegedly resold the spyware to unauthorized users.


This allowed a Russian espionage group, identified by Google as UNC6353, to deploy Coruna in targeted watering-hole attacks against Ukrainian iPhone users.

The sophisticated toolkit later changed hands again, eventually falling into the hands of Chinese cybercriminal gangs that launched broad-scale campaigns to steal money and cryptocurrency from unsuspecting victims.

Exploits and Operation Triangulation

Google and security firm iVerify confirmed that Coruna targets iPhone models running iOS 13 through 17.2.1.

The toolkit shares striking similarities with Operation Triangulation, a complex iPhone hacking campaign exposed by Kaspersky in 2023.

Specifically, Coruna reused two major internal exploits, Photon and Gallium, which were deployed as zero-day vulnerabilities in the Triangulation attacks.

Security researchers tied these specific Coruna exploit names to known iOS vulnerabilities.

“Photon” is linked to CVE-2023-32434 and is described as a privilege-escalation flaw involving an integer overflow in memory mapping, affecting iOS versions 14.5 to 15.7.6.

“Gallium” is linked to CVE-2023-38606 and is a hardware-focused weakness used to bypass Apple’s Page Protection Layer (PPL), affecting iOS versions spanning roughly iOS 14.x through 16.6.

As noted by independent security researcher Costin Raiu and highlighted by TechCrunch, the bird-themed internal names of Coruna’s modules, such as Cassowary and Sparrow, match the naming conventions of L3Harris’s hacking units.

Furthermore, Kaspersky’s custom logo for Operation Triangulation closely resembles the geometric L3Harris logo, subtly hinting at the contractor’s involvement.

While the exact path the exploits took remains murky, the leak highlights the severe risks when nation-state cyberweapons fall into the criminal underground.
