Coruna exploit kit: Suspected government hacking tools surface in cybercriminal hands

A powerful suite of hacking tools, dubbed Coruna, capable of compromising iPhones running older software, has transitioned from government use to cybercriminal hands, according to security researchers. Google first identified the exploit kit in February 2025 during an attempted hack by a surveillance vendor on behalf of a government customer. The same kit was later found targeting Ukrainian users in a campaign by a Russian espionage group, and subsequently used by a financially motivated hacker in China, with further coverage provided by TechCrunch.

The Coruna exploit kit utilizes a "watering hole" attack method, where visiting a malicious website containing the exploit code can bypass an iPhone's defenses. It leverages 23 separate exploits to compromise devices running iOS versions from 13 up to 17.2.1. Security firm iVerify, which reverse-engineered the tools, linked them to the U.S. government based on similarities to previously attributed hacking tools. Components of the Coruna kit were also reportedly used in the "Operation Triangulation" campaign, previously linked to Russian espionage efforts against iPhones belonging to Kaspersky employees.

The proliferation of Coruna highlights a growing concern over "secondhand" exploits, where tools designed for government surveillance are leaked and abused by cybercriminals for financial gain. The incident echoes past leaks, such as the NSA's EternalBlue exploit, which was later used in widespread ransomware attacks.

Source: TechCrunch