iPhone Exploit Toolkit Used by Russian Spies Likely Originated from U.S. Contractor
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A powerful iPhone exploit kit named \u201cCoruna,\u201d<\/a> initially created for Western intelligence by U.S. contractor L3Harris, has fallen into the hands of Russian spies and Chinese cybercriminals.\u200b<\/p>\n The Coruna toolkit features 23 different hacking components designed to compromise Apple iPhones.<\/p>\n Trenchant originally built it, the hacking division of U.S. military contractor L3Harris, for use by the United States and its Five Eyes intelligence allies.\u200b<\/p>\n However, the toolkit leaked when Peter Williams, a former Trenchant general manager, acted as an insider threat and stole eight of the company\u2019s tools.<\/p>\n From 2022 to 2025, Williams sold these exploits for $1.3 million to Operation Zero, a sanctioned Russian exploit broker.<\/p>\n After acquiring the stolen tools, Operation Zero allegedly resold the spyware to unauthorized users<\/a>.<\/p>\n This allowed a Russian espionage group, identified by Google as UNC6353, to deploy Coruna in targeted watering-hole attacks<\/a> against Ukrainian iPhone users.<\/p>\n The sophisticated toolkit later changed hands again, eventually falling into the hands of Chinese cybercriminal gangs that launched broad-scale campaigns to steal money and cryptocurrency from unsuspecting victims<\/a>.\u200b<\/p>\n Google and security firm iVerify confirmed that Coruna targets iPhone models running iOS 13 through 17.2.1.<\/p>\n The toolkit shares striking similarities with Operation Triangulation, a complex iPhone hacking campaign exposed by Kaspersky<\/a> in 2023.<\/p>\n Specifically, Coruna reused two major internal exploits, Photon and Gallium, which were deployed as zero-day vulnerabilities in the Triangulation attacks.<\/p>\n Security researchers tied these specific Coruna exploit names to known iOS vulnerabilities.<\/p>\n \u201cPhoton\u201d is linked to CVE-2023-32434<\/a> and is described as a privilege-escalation flaw involving an integer overflow in memory mapping, affecting iOS versions 14.5 to 15.7.6.<\/p>\n \u201cGallium\u201d is linked to CVE-2023-38606 and is a hardware-focused weakness used to bypass Apple\u2019s Page Protection Layer (PPL)<\/a>, affecting iOS versions spanning roughly iOS 14.x through 16.6.<\/p>\n As noted by independent security researcher\u00a0Costin Raiu\u00a0and highlighted by\u00a0TechCrunch<\/a>, the bird-themed internal names of Coruna\u2019s modules, such as Cassowary and Sparrow, match the naming conventions of L3Harris\u2019s hacking units.<\/p>\n Furthermore, Kaspersky\u2019s custom logo for Operation Triangulation closely resembles the geometric L3Harris logo, subtly hinting at the contractor\u2019s involvement.<\/p>\n While the exact path the exploits took remains murky, the leak highlights the severe risks when nation-state cyberweapons fall into the criminal underground.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post iPhone Exploit Toolkit Used by Russian Spies Likely Originated from U.S. Contractor<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploits and Operation Triangulation<\/strong><\/h2>\n