Coruna: The iPhone Exploit Toolkit’s Journey from U.S. Intelligence to Global Cyber Threat
In a startling revelation, the Coruna iPhone exploit toolkit, originally developed by U.S. military contractor L3Harris for Western intelligence operations, has been co-opted by Russian espionage agents and Chinese cybercriminals. This sophisticated suite comprises 23 distinct hacking modules designed to infiltrate Apple iPhones.
L3Harris’s hacking division, Trenchant, crafted Coruna for deployment by the United States and its Five Eyes intelligence partners. However, the toolkit’s security was compromised when Peter Williams, a former general manager at Trenchant, illicitly obtained eight of the company’s tools. Between 2022 and 2025, Williams sold these exploits to Operation Zero, a Russian exploit broker under sanctions, for $1.3 million.
Operation Zero subsequently redistributed the spyware to unauthorized entities. This breach enabled a Russian espionage group, identified by Google as UNC6353, to execute targeted watering-hole attacks against Ukrainian iPhone users. The toolkit’s proliferation continued, eventually reaching Chinese cybercriminal organizations that launched extensive campaigns to pilfer funds and cryptocurrencies from unsuspecting individuals.
Exploits and Operation Triangulation
Security firms, including Google and iVerify, have confirmed that Coruna targets iPhones running iOS versions 13 through 17.2.1. The toolkit exhibits notable parallels to Operation Triangulation, a complex iPhone hacking campaign uncovered by Kaspersky in 2023. Specifically, Coruna incorporates two significant internal exploits, Photon and Gallium, which were used as zero-day exploits in the Triangulation attacks.
Researchers have linked these Coruna exploit names to known iOS vulnerabilities. Photon corresponds to CVE-2023-32434, a privilege-escalation flaw involving an integer overflow in memory mapping, affecting iOS versions 14.5 to 15.7.6. Gallium is associated with CVE-2023-38606, a hardware-centric vulnerability used to bypass Apple’s Page Protection Layer (PPL), affecting approximately iOS 14.x through 16.6.
Independent security researcher Costin Raiu and TechCrunch have noted that the bird-themed internal names of Coruna’s modules, such as Cassowary and Sparrow, align with the naming conventions of L3Harris’s hacking units. Additionally, Kaspersky’s custom logo for Operation Triangulation bears a resemblance to L3Harris’s geometric logo, subtly indicating the contractor’s involvement.
While the exact trajectory of the exploits remains unclear, this incident underscores the grave risks associated with nation-state cyberweapons falling into the hands of criminal entities.