The Coruna exploit kit, first used by a surveillance vendor, is now circulating among cybercriminals—raising alarms about a growing “secondhand exploit” economy.
A powerful iPhone hacking toolkit has escaped government control
Security researchers say a sophisticated suite of iPhone hacking tools once used by governments is now circulating among cybercriminals.
The exploit framework, known as Coruna, can compromise iPhones running older versions of iOS simply by tricking users into visiting a malicious website.
Google researchers first detected the tool in February 2025 during an attempted spyware attack conducted by a surveillance vendor on behalf of a government client.
Soon after, the same exploit kit surfaced in other campaigns:
- A Russian espionage group targeting Ukrainian users
- A financially motivated hacker in China
- Multiple campaigns using the same underlying exploit framework
The spread suggests a troubling reality: government-grade cyberweapons are slipping into the wider hacking ecosystem.
How Coruna breaks into iPhones
According to Google, Coruna is particularly dangerous because it requires minimal user interaction.
The exploit works through a “watering hole” attack—a compromised website that silently deploys the exploit when someone visits.
Once triggered, the toolkit chains together 23 separate vulnerabilities.
This allows attackers to bypass Apple’s security protections and gain deep access to the device.
Key technical details include:
- Five separate exploit paths targeting iOS vulnerabilities
- Affected devices are those running iOS 13 through iOS 17.2.1
- iOS 17.2.1 was released in December 2023
In practice, this means millions of older devices could potentially be at risk.
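For teams that manage iPhones, the affected range above can be turned into a quick fleet check. The following is an added example, not code from Google, iVerify or the original article; the inventory format, column names and device IDs are constructed assumptions standing in for a hypothetical MDM export.

```python
import csv
import io

# Affected range as stated in the article: iOS 13 through iOS 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed sample inventory (hypothetical MDM export; column names are assumptions).
SAMPLE_INVENTORY = """device_id,owner,os_version
ph-001,alice,17.2.1
ph-002,bob,17.3
ph-003,carol,16.7.10
ph-004,dave,13
ph-005,erin,12.5.7
ph-006,frank,
ph-007,grace,18.1 beta
"""


def parse_version(text):
    """Parse 'major[.minor[.patch]]' into a 3-tuple of ints, or None if unparseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version_text):
    """Return 'affected', 'outside-range', or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or odd value: needs manual review, not a pass
    # Tuple comparison is numeric per component, so 16.7.10 sorts above 16.7.9.
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"


def triage(inventory_csv):
    """Group device IDs by classification."""
    groups = {"affected": [], "outside-range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[classify(row["os_version"] or "")].append(row["device_id"])
    return groups


if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

"outside-range" only means the reported version is not in the range the article gives; it says nothing about other issues on that device.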
Think of the exploit kit as a digital lockpick set—instead of one tool, it carries dozens designed to break different parts of Apple’s defenses.
A suspected link to U.S. government tools
Mobile security firm iVerify obtained and reverse-engineered the Coruna toolkit.
The company says the framework closely resembles previous hacking tools attributed to the U.S. government.
While the exact origin remains uncertain, researchers warn that the bigger issue is not attribution but leakage.
“The more widespread the use, the more certain a leak will occur,” iVerify wrote.
Even if the tools began as state-controlled cyberweapons, history shows they rarely stay contained.
Once exposed, they can rapidly circulate through underground exploit markets.
Ties to earlier espionage campaigns
Parts of the Coruna toolkit appear linked to components used in Operation Triangulation, a 2023 hacking campaign.
That operation targeted iPhones belonging to employees of Russian cybersecurity firm Kaspersky.
Russia’s security service, the FSB, later blamed the attacks on the U.S. government.
Whether the same exploit chain evolved into Coruna remains unclear. But the overlap suggests some shared technical lineage.
For security researchers, it highlights a familiar pattern: tools created for espionage eventually migrate into broader cybercrime.
The growing market for “secondhand exploits”
Google warns that a new market is emerging for recycled government exploits.
Instead of remaining exclusive to intelligence agencies, vulnerabilities may now be sold multiple times—first to governments, then to criminal buyers.
The incentive is simple: maximize profit from a rare exploit.
This trend echoes past incidents.
- In 2017, the NSA’s Windows exploit EternalBlue leaked and later powered the devastating WannaCry ransomware attack.
- The attack infected hundreds of thousands of systems worldwide within days.
Recent legal cases reinforce the concern.
Former defense contractor executive Peter Williams, once head of L3Harris Trenchant, was sentenced to over seven years in prison after admitting he stole and sold eight exploits to brokers connected to Russia.
Prosecutors said those exploits could hack millions of devices worldwide.
Why this matters for iPhone security
Apple’s security model relies heavily on rapid patching and strict platform controls.
But once exploits escape into the wild, they can circulate long after the original government operation ends.
For users and organizations, the takeaway is simple:
- Keep devices updated to the latest iOS versions
- Avoid clicking unknown links or visiting suspicious websites
- Treat unexpected links as potential attack vectors
Because when cyberweapons designed for espionage spill into criminal markets, the target list expands dramatically.
What starts as a state surveillance tool can quickly become a global cybercrime weapon.
TL;DR:
Researchers discovered the Coruna exploit kit, a government-grade iPhone hacking toolkit now used by cybercriminals. First detected in a spyware attack tied to a government client, the tool exploits 23 vulnerabilities affecting iOS 13–17.2.1. Experts warn it signals a growing market for leaked “secondhand exploits.”
AI summary
- Coruna exploit kit can hack iPhones via malicious websites.
- Uses 23 vulnerabilities affecting older iOS versions.
- Initially seen in a government-linked spyware operation.
- Later used by Russian espionage and Chinese cybercriminals.
- Signals rise of a secondhand exploit marketplace.








