Last week, the Google Threat Intelligence Group shared some information about the Coruna iPhone exploit. Users with outdated iOS versions were advised to update their software regularly. Now, a new interesting detail has emerged about this hacking campaign.
According to the new reports, the iPhone-hacking toolkit was developed by U.S. defense contractor L3Harris. It was believed to be exploited by Russian operatives and Chinese hackers for espionage and cryptocurrency theft. It originated in Ukraine and China.
Origins and Leaks of Coruna
Coruna was developed by L3Harris' Trenchant division, which markets advanced surveillance software exclusively to the U.S. and Five Eyes intelligence partners. Former Trenchant employees confirmed that some public modules closely match internal proprietary components, suggesting the toolkit fell into unauthorized hands.
Peter Williams, a former Trenchant manager, allegedly sold eight tools, including parts of Coruna, to a Russian broker, Operation Zero, for $1.3 million. These tools eventually reached Russian state-backed hackers, who targeted specific Ukrainian iPhone users, before spreading to Chinese cybercriminal groups.
L3Harris was also the same defense technology firm to receive a $40 million contract from the Pentagon. The contract was intended for the delivery of anti-drone weapon systems for Ukraine.
Read more: Global RAM Shortage Could Drive Smartphone Prices Higher, Push Budget Phones Out of the Market
Connection to Operation Triangulation
Security researchers from Google linked Coruna to Operation Triangulation, a 2023 campaign exploiting zero-day iOS vulnerabilities named Photon and Gallium.
Analysts noted strong similarities between Coruna modules and prior exploits, indicating that code originally intended for government intelligence operations was repurposed for broader cybercrime campaigns.
iOS Users Should Be Careful of the Coruna Exploit
According to TechCrunch, Coruna affected iOS devices running versions 13 through 17.2.1. Cybersecurity experts from iVerify and Kaspersky warn that state-grade tools, once leaked, can rapidly transition into criminal use, exposing millions of users worldwide to espionage and financial theft.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
