iPhone Hacking Toolkit Used by Russian Spies Likely Developed by U.S. Contractor

An advanced iPhone exploit toolkit known as “Coruna” is at the center of a growing controversy after new research suggested it likely originated from U.S. defense contractor L3Harris, before ending up in the hands of Russian spies and Chinese cybercriminals.

The case highlights how government‑grade iOS exploits can leak, be repurposed, and fuel global espionage and financially motivated attacks against everyday iPhone users.

Coruna: From Western spy tool to global threat

Google’s Threat Intelligence Group recently disclosed a powerful iOS exploit kit dubbed Coruna that chains together 23 exploits across five attack chains to compromise iPhones running iOS 13 through 17.2.1 via watering‑hole attacks.

Simply visiting a compromised website is enough to trigger remote code execution, sandbox escape, and kernel compromise on unpatched devices, allowing attackers to deploy payloads that can steal data, spy on victims, and even target cryptocurrency wallets.

According to Google, Coruna was first observed in “highly targeted” operations by an unnamed government customer of a commercial surveillance vendor, before being redeployed by Russian state hackers against select Ukrainian users and later abused at scale by a Chinese cybercrime group focused on financial theft.

This lifecycle shows a clear pattern: once elite zero‑day chains escape their original customer set, they quickly become part of a wider underground market of “second‑hand” exploits.

TechCrunch reports that two former employees of L3Harris’ hacking arm, Trenchant, independently recognized Coruna artifacts and internal naming, suggesting that at least parts of the toolkit were developed in‑house and sold exclusively to the U.S. government and its Five Eyes allies.

Researchers at mobile security firm iVerify separately assessed that Coruna was likely built by a company serving the U.S. government, although they stopped short of definitive attribution.

The emerging timeline overlaps with a major insider theft case at Trenchant involving former general manager Peter Williams, who was recently sentenced in the U.S. for stealing and selling eight offensive tools to Russian exploit broker Operation Zero for around $1.3 million.

U.S. prosecutors said these tools could have enabled access to “millions of computers and devices,” underscoring that they targeted widely deployed platforms like iOS.

Operation Zero, now sanctioned by the U.S. Treasury, claims to work with Russian government customers and at least one unauthorized buyer, thereby creating multiple pathways for Coruna‑linked exploits to reach Russian espionage groups and downstream cybercriminals.

Ties to Operation Triangulation

Part of Coruna’s codebase overlaps with exploits codenamed Photon and Gallium, the same vulnerabilities previously used as zero‑days in Operation Triangulation, a sophisticated campaign disclosed by Kaspersky in 2023 that targeted iPhones, including devices used inside Russia.

Google and iVerify report that Coruna embeds reusable modules for these bugs, and some experts believe that the exploit frameworks behind Triangulation and Coruna share common engineering patterns and modules, such as Plasma, Photon, and Gallium.


The post iPhone Hacking Toolkit Used by Russian Spies Likely Developed by U.S. Contractor appeared first on Cyber Security News.
