Security researchers have recently uncovered a suite of potent hacking tools that can compromise Apple iPhones running older software. These tools, which were initially used by a government customer, have now fallen into the hands of cybercriminals, posing a significant threat to users worldwide.
Google disclosed on Tuesday that it first detected the exploit kit, named Coruna, back in February 2025 during an incident where a surveillance vendor attempted to hack into a phone using spyware on behalf of a government client. Subsequently, the same exploit kit was observed targeting Ukrainian users in a large-scale campaign orchestrated by a Russian espionage group. Later on, it was also utilized by a financially motivated hacker in China.
How these tools leaked or spread remains unclear. However, Google’s security researchers have raised concerns about the emerging market for “second-hand” exploits, where these tools are sold to hackers seeking financial gain, thereby increasing the risk of exploitation.
The discovery highlights the potential dangers of exploits and backdoors that are initially developed for government use but eventually end up in the hands of cybercriminals or other malicious actors. Mobile security company iVerify, which obtained and reverse-engineered the hacking tools, indicated that the Coruna exploit kit bears similarities to hacking tools previously associated with the U.S. government.
According to iVerify, the widespread use of these tools increases the likelihood of leaks occurring. While there is evidence linking the Coruna exploit kit to the U.S. government, the company emphasized the risk of these tools being misused by malicious actors in the wild.
Google stated that the hacking tools within the Coruna kit are highly potent, capable of bypassing an iPhone’s defenses when the user simply visits a malicious website containing the exploit code. This method, known as a “watering hole” attack, allows the kit to exploit 23 vulnerabilities in the iPhone’s system, enabling access to devices running iOS 13 up to 17.2.1.
The Coruna kit has components that were previously utilized in a hacking campaign known as Operation Triangulation. Kaspersky, a Russian cybersecurity firm, had reported in 2023 that the U.S. government had attempted to hack iPhones belonging to Kaspersky’s own employees using similar components.
While incidents of hacking tool leaks are rare, they have occurred in the past. In 2017, the U.S. National Security Agency discovered that tools developed to hack into Windows computers had been stolen. One such tool, EternalBlue, was later used in the infamous WannaCry ransomware attack by North Korea.
JS also highlighted a case involving Peter Williams, the former head of U.S. defense contractor L3Harris Trenchant, who was sentenced to over seven years in prison for stealing and selling eight exploits to a broker linked to the Russian government. These exploits had the capability to hack into millions of computers and devices globally, raising concerns about the potential impact on cybersecurity.
As the threat landscape continues to evolve, it is crucial for organizations and individuals to stay vigilant and implement robust security measures to protect against sophisticated cyber threats like the Coruna exploit kit.

