A sophisticated iPhone exploitation suite that hit targets from Europe to Asia appears to trace back to a US military contractor, according to multiple technical analyses and accounts from former employees. The toolkit, known as Coruna, was first documented by Google’s threat researchers, who linked it to targeted espionage and later to financially motivated cybercrime. Independent work by mobile security firm iVerify, along with corroboration from ex-staff at L3Harris’s Trenchant unit, suggests the tools share distinctive fingerprints with capabilities sold to US and allied intelligence services.
What Investigators Found in the Coruna iPhone Campaigns
Google’s Threat Analysis Group detailed Coruna as a modular suite of 23 components designed to compromise iPhones via browser and kernel-level exploits. Initially observed in narrowly targeted, government-grade operations attributed to a surveillance vendor’s client, the same tooling later appeared in campaigns run by a Russian espionage team that Google tracks as UNC6353. Those attacks used geofenced watering-hole sites to infect iPhones of selected Ukrainian users. The toolkit then surfaced in mass campaigns by Chinese cybercriminals that focused on draining money and cryptocurrency from victims.
Technically, Coruna targeted iOS installations from version 13 through 17.2.1, indicating a long-lived development timeline and regular exploit refreshes. Google and iVerify also flagged internal codenames for key exploit chains — notably Photon and Gallium — and a nomenclature pattern that included several bird-themed modules, a quirk that outside researchers say aligns with past tools from a US contractor lineage.
Suspected Origin Inside a US Government Offensive Program
iVerify’s analysts concluded that Coruna likely originated from a company that sells offensive tooling to the US government. Former employees of L3Harris’s offensive cyber arm, Trenchant, told reporters that Coruna matched an internal component name and that portions of the Google-described tradecraft were “familiar” from Trenchant’s iPhone work. Two former staffers said the overarching toolkit at Trenchant bundled multiple iOS exploit chains and modules under codenames consistent with what Google published.
L3Harris’s Trenchant unit is known for delivering exploits and surveillance technology exclusively to the US and its Five Eyes partners in Australia, Canada, New Zealand, and the United Kingdom. That tight customer circle has led researchers to infer a plausible path: a lawful purchase by an allied service that later, through theft or resale, escaped into the broader exploit market. Public reporting has previously tied a predecessor firm, Azimuth, to an FBI iPhone access tool, and investigators note the recurring use of avian codenames in both cases. L3Harris did not comment on the Coruna findings.
The Insider Leak and the Global Exploit Resale Market
A high-profile insider case helps explain how a Five Eyes–grade capability could land in foreign hands. Former Trenchant general manager Peter Williams admitted to stealing and selling eight proprietary hacking tools to the Russian broker Operation Zero for $1.3 million. He received a seven-year prison sentence. Prosecutors said Williams abused “full access” to internal systems and warned that the stolen tools could enable access to millions of devices worldwide.
The US Treasury later sanctioned Operation Zero, alleging the broker sold Williams’s tools to at least one unauthorized buyer and maintained ties to members of the Trickbot ransomware syndicate. That alleged distribution chain mirrors the observed life cycle of Coruna: initial use in covert intelligence operations, subsequent deployment by a Russian espionage unit, and, finally, commoditization by criminal actors hunting for quick payouts. In separate filings, investigators said Williams recognized his own code resurfacing via another broker, underscoring how rapidly top-tier exploits can ricochet through gray markets once control is lost.
Overlap With Operation Triangulation in Key Exploit Chains
Google’s team assessed that two Coruna exploit chains — Photon and Gallium — overlapped with those used in Operation Triangulation, a sophisticated iPhone campaign originally publicized by Kaspersky and widely believed to have targeted Russian users, including diplomats. Security researchers also point to a third module, Plasma, as structurally similar to components discussed around Triangulation. Analysts such as Costin Raiu have highlighted the naming conventions as additional breadcrumbs pointing toward the same development lineage.
Kaspersky has avoided formal attribution in Triangulation and cautioned that sharing the same vulnerabilities is not conclusive proof of common authorship, especially once technical details become public. That caveat matters: exploit chains often spread quickly after disclosure or theft, and different operators can repackage the same bugs. Still, the combined signals — module structure, naming patterns, and timing relative to the Williams leak — have convinced several veteran researchers that Coruna and Triangulation draw from the same toolkit family.
Why This Matters for iPhone Security and Public Policy
Coruna’s journey from a tightly controlled government program to Russian spies and then to profit-driven criminals captures a core risk of the modern exploit economy: once code escapes, it rarely goes back in the box. iOS hardening and rapid patching have raised costs for attackers, but the global market for zero-day chains still offers seven-figure payouts that incentivize insiders and brokers.
For high-risk users, security experts continue to recommend keeping iOS fully updated, enabling Lockdown Mode where appropriate, and treating unexpected website prompts and profile installs with extreme caution. For policymakers, the episode renews questions about how governments can leverage commercial hacking tools without inadvertently fueling the same threat ecosystem they are trying to contain.