The tool was first detected by security researchers at Google in February 2025 when it was used in an attempt to install spyware on an iPhone on behalf of a government client. In the following months, the same exploit toolkit appeared in a campaign attributed to a Russian espionage group and in a profit-driven operation conducted by cybercriminals operating from China.
Coruna is particularly dangerous because it combines as many as 23 vulnerabilities in iOS that can be exploited simultaneously. The exploit chain enables device compromise through multiple attack vectors, including so-called “watering hole attacks,” where victims are infected after visiting a compromised website. Simply opening such a page or clicking a malicious link may be enough to initiate the infection process.
According to an analysis by security firm iVerify, the tool may be linked to technologies developed by contractors working with the US government. Researchers point to similarities with components previously observed in the campaign known as Operation Triangulation, which had been associated with intelligence operations.
Experts warn that the leak of such tools could have serious consequences for global cybersecurity. History offers similar precedents – in 2017, the leak of exploits developed by the US National Security Agency led to worldwide ransomware attacks, including the notorious WannaCry incident.
The new findings also highlight the growing issue of the so-called “secondary exploit market,” where tools originally created for intelligence agencies eventually end up in criminal hands. Researchers warn that the more widely such technologies are used, the greater the risk that they will eventually escape government control and be deployed in attacks against ordinary users.