Recent findings by security experts reveal a sophisticated suite of hacking tools designed for government use that have now fallen into the hands of cybercriminals. These tools target Apple iPhones running outdated software, raising significant concerns about mobile security.
Google's security team identified this exploit kit, named Coruna, back in February 2025 during an operation where a surveillance vendor attempted to infiltrate a phone on behalf of a government client. Subsequent investigations uncovered its use in a widespread campaign against Ukrainian users by a Russian espionage group, as well as by financially motivated hackers in China.
The exact circumstances surrounding the leak of these tools remain unclear. However, researchers at Google have highlighted an emerging market for "second-hand" exploits, which are sold to hackers eager to capitalize on these vulnerabilities. This situation underscores the risk that tools originally intended for state use can be repurposed for malicious activities by non-state actors.
iVerify, a mobile security firm that has reverse-engineered these hacking tools, suggests a link between the Coruna kit and the U.S. government, based on its similarities to previously identified U.S. hacking tools. They noted, "The more widespread the use, the more certain a leak will occur." This emphasizes the potential for such tools to be misused by unscrupulous individuals.
Google's analysis indicates that these hacking tools are particularly potent, capable of breaching an iPhone's defenses simply by visiting a malicious website--an attack method known as a "watering hole" attack. The Coruna kit can exploit an iPhone through five distinct methods, utilizing a complex chain of 23 vulnerabilities. Devices affected include iPhones operating on iOS versions from 13 up to 17.2.1, which was released in December 2023.
Notably, the Coruna kit incorporates elements previously associated with a hacking initiative called Operation Triangulation. Reports from cybersecurity firms have indicated that these tools were employed in attempts to access the iPhones of employees at various organizations.
While instances of hacking tool leaks are uncommon, they are not unprecedented. In 2017, tools developed by the U.S. National Security Agency (NSA) for hacking Windows systems were stolen and subsequently used in cyberattacks worldwide, including the notorious WannaCry ransomware incident.
These developments serve as a reminder of the importance of maintaining robust cybersecurity measures, as the line between government-sanctioned tools and those available to malicious actors continues to blur.