Security experts have uncovered a sophisticated hacking toolkit, named Coruna, that targets iPhones running older software versions and has made its way from a government entity into the hands of cybercriminals. According to Google, the toolkit was initially detected in early 2025 during an alleged surveillance operation linked to a government client. Subsequent investigations revealed its use in a widespread attack against Ukrainian users orchestrated by a Russian espionage group and later by financially motivated hackers in China.
Exactly how these hacking tools became available to criminals remains unclear. However, Google researchers highlighted a troubling trend of “secondhand” exploits, which are increasingly sold to rogue actors looking to exploit vulnerabilities for profit. Mobile security firm iVerify analysed the toolkit and linked it to U.S. governmental hacking frameworks, because its technical features resemble those of known U.S.-developed tools.
iVerify stated, “The wider the usage of such tools, the greater the likelihood of a leak.” They expressed concern that even if the Coruna toolkit has ties to the U.S. government, it could easily fall into the wrong hands and be misused.
The Coruna toolkit is particularly dangerous because it can compromise an iPhone when the user simply visits a malicious website, employing what is known as a “watering hole” attack. It can exploit multiple vulnerabilities, utilising up to 23 different weaknesses to compromise devices running iOS versions from 13 up to 17.2.1, released in December 2023.
Notably, components of the Coruna kit were previously linked to a hacking effort known as Operation Triangulation, which involved attempts to breach iPhones of employees at a Russian cybersecurity firm. The Russian FSB blamed these breaches on U.S. intelligence efforts.
Although uncommon, leaks of hacking tools have occurred in the past. In 2017, the U.S. National Security Agency reported the theft of hacking tools that enabled attacks on Windows computers globally. These tools, including the infamous EternalBlue exploit, later became instrumental in the WannaCry ransomware attack.
Further emphasizing the risks of exploit proliferation, TechCrunch recently highlighted the case of Peter Williams, a former head of a U.S. defense contractor, who was sentenced to over seven years in prison for selling multiple exploits to a broker associated with the Russian government. These exploits had the potential to compromise millions of devices worldwide.
The evolving landscape of cybersecurity reveals a disturbing trend whereby government-grade hacking tools transition into the realm of cybercriminals, posing significant risks to users and systems globally. As hackers continue to exploit such tools, the need for heightened security measures and swift updates becomes increasingly pressing.


