A set of advanced hacking tools initially used in government-associated operations targeting Apple iPhones has now found its way into the hands of cybercriminal groups, according to a recent Google blog post. The Google Threat Intelligence Group (GTIG) first encountered the exploit kit, dubbed Coruna, in February 2025 during an incident in which a surveillance vendor tried to infect an individual’s iPhone with spyware on behalf of a government client. Subsequently, the same toolkit was observed in a widespread campaign aimed at Ukrainian users, attributed to a Russian espionage group. The tools were also identified in the activities of a financially motivated hacker based in China.
How the exploit kit spread beyond its initial user remains unclear. Google’s security experts, however, warned of an emerging secondary market for “pre-owned” exploits, in which previously developed tools are resold or repurposed by criminal entities looking to profit from them.
Mobile security company iVerify managed to acquire and analyze the Coruna toolkit. In their blog post, iVerify noted technical similarities that indicated potential connections to tools previously associated with the United States government. The company cautioned that as these capabilities become more widespread, the risk of unauthorized disclosure grows, increasing the likelihood of adoption by non-state threat actors.
According to Google, the Coruna framework chains together 23 distinct vulnerabilities, enabling attackers to compromise devices through up to five different avenues. The impacted devices include various iPhone models running iOS versions from 13 up to 17.2.1, the latter released in December 2023.
Certain aspects of Coruna bear resemblance to components identified in an earlier campaign named Operation Triangulation, uncovered by the cybersecurity firm Kaspersky in 2023.
