Coruna: When Nation-State Spyware Goes Criminal

The Day iPhone Spyware Went Criminal. For the first time, a nation-state-grade iOS exploit kit has fallen into the hands of financially motivated hackers. The good news: the fundamentals still protect you.
A Landmark Moment in Mobile Threat Intelligence
In early March 2026, Google’s Threat Intelligence Group (GTIG) published findings on one of the most significant mobile security discoveries in recent memory. An iOS exploit kit – named “Coruna” by its own developers – had been quietly circulating among threat actors throughout 2025, moving from the hands of a commercial surveillance vendor’s customer to a suspected Russian state espionage group, and ultimately to a financially motivated Chinese cybercrime operation. The story of how it got there is as important as the kit itself.
Coruna contains 23 exploits organised into five full attack chains, capable of compromising iPhones running iOS 13 through iOS 17.2.1 – a range spanning devices released between September 2019 and December 2023. Google researchers only discovered the kit’s internal name after a threat actor accidentally deployed a debug version of the framework, inadvertently exposing all the exploit internals and their code names. It is an extraordinarily well-engineered piece of software: extensively documented, written in native English, and built around a modular framework that allows different exploit components to be slotted in depending on the target device and iOS version.
Why This Matters: A Historic Threshold Has Been Crossed
To understand the significance of Coruna, you need to understand what it represents rather than just what it does. Until now, the use of nation-state-grade iOS exploit frameworks has been the exclusive province of governments and the commercial surveillance vendors – companies such as NSO Group and Intellexa – that sell to them. Targeted attacks against journalists, dissidents, and heads of state have been the consistent pattern. The assumption underpinning this model was one of scarcity: these tools are expensive, carefully controlled, and deliberately kept away from the broader criminal ecosystem.
Coruna breaks that assumption. By late 2025, the same exploit framework that had been used in precision espionage operations against Ukrainian targets was being deployed wholesale across a network of fake Chinese cryptocurrency and finance websites, targeting anyone who happened to visit them on a vulnerable iPhone. The final payload – a piece of malware dubbed PlasmaLoader – hooked into 18 cryptocurrency wallet applications including MetaMask, Phantom, and Exodus, scanned Apple Notes for seed phrases and backup credentials, and parsed photos for QR codes. This is not surveillance. This is industrialised financial theft, powered by tools previously reserved for government intelligence operations.
Security researchers have characterised this as the first observed mass exploitation of iOS devices by a financially motivated criminal group using nation-state-grade capabilities. The parallel that keeps being drawn is to EternalBlue – the NSA-developed exploit leaked by the Shadow Brokers in 2017, which subsequently powered the WannaCry and NotPetya ransomware attacks that caused billions of dollars in global damage. The concern is the same: once these capabilities escape their original operational context, there is no putting them back.
Who Built This? The Trenchant and Azimuth Thread
The attribution picture around Coruna is speculative, but the speculation comes from credible quarters. Two threads have emerged from the security research community, both pointing toward the Western – and specifically US-affiliated – offensive security industry.
The first thread concerns Azimuth Security, an Australian firm that has been publicly linked to developing iOS exploits for US government customers. Researchers have noted that the internal code names used for Coruna’s browser-level remote code execution exploits are all bird names – Cassowary, Bluebird, Terror Bird, Jacurutu – while the privilege escalation and kernel exploits use physics terminology: Neutron, Photon, Quark, Helium. The Cassowary is a bird native to Australia and New Guinea. This naming pattern is consistent with what has historically been attributed to Azimuth, which notably developed the “Condor” exploit used by the FBI to unlock the San Bernardino shooter’s iPhone in 2016. The two distinct naming conventions also suggest the browser exploits and the kernel exploits may have originated from different development teams, assembled into a single framework by a third party.
The second thread concerns L3 Trenchant (formerly part of L3 Technologies), a US defence contractor that operated an offensive cyber capability development unit. In 2025, a former Trenchant employee named Peter Williams was prosecuted for allegedly selling exploits to Russian buyers – an event that the security community has widely described as among the most damaging insider leaks in the history of the US cyber defence industrial base. The timeline is suggestive: the iOS vulnerabilities in Coruna target versions 17.x, with some components compiled against SDK 18.x, which aligns with the window in which the Williams leak is believed to have occurred. The core framework carries older build artefacts dating to around iOS 16, while later modules were clearly compiled in a different, more recent build environment – consistent with a kit whose foundations were laid years ago but which was being actively extended right up to the point it leaked.
Neither Azimuth nor L3 Trenchant has commented publicly on these assessments, and no definitive technical proof has been published establishing a direct code lineage. Kaspersky’s research team has explicitly stated they see no evidence of actual code reuse sufficient to support attribution to the same authors as Operation Triangulation. This remains informed speculation, not established fact.
What Is the Actual Threat to Enterprise?
For enterprise security teams, the instinct when a story like this breaks is to escalate. Before doing so, it is worth applying some sober analysis to the actual risk profile.
The first and most important point is that every exploit in the Coruna kit has a CVE and has been patched. There are no zero-days in the publicly documented version of this framework. The vulnerabilities span iOS 13 through 17.2.1, meaning any device running iOS 17.3 or later is not vulnerable to this specific kit. Apple addressed the last of the exploitable versions in January 2024.
The second point is that enterprise mobile device management policies already provide substantial protection. Mature enterprise mobility programmes enforce minimum iOS version requirements and flag or block non-compliant devices. Devices that can no longer receive iOS updates – either due to hardware age or end-of-support status – are typically subject to mandatory replacement cycles. In practice, this means the population of enterprise-managed iPhones running iOS 17.2.1 or below should be very small, and shrinking.
The third point is that the delivery mechanism requires user interaction with a malicious website. Coruna is delivered via compromised or fake websites, relying on users visiting those sites from an iPhone. Standard web filtering and corporate browsing policies significantly reduce this exposure vector.
The real-world enterprise threat level from Coruna as currently documented is therefore low, provided basic hygiene is in place: devices on current iOS, web filtering active, and end-of-life devices retired.
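As an added illustration of the version gating described above (example code, not Corrata's; the MDM export layout and device IDs are constructed assumptions), a small triage script that parses inventory rows and flags devices in the iOS 13 to 17.2.1 window for update or retirement:

```python
from typing import Dict, Iterable, Tuple

# Range of iOS versions the documented Coruna chains cover (from the post):
# iOS 13 through 17.2.1; 17.3 and later are not affected by this kit.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)

def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn '17.2.1' into (17, 2, 1) and '17.3' into (17, 3, 0).

    Numeric tuples are used so that a hypothetical 17.10 sorts after 17.2;
    a plain string comparison would get this wrong and misclassify devices.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])

def in_coruna_range(version: str) -> bool:
    return CORUNA_MIN <= parse_ios_version(version) <= CORUNA_MAX

def triage_inventory(rows: Iterable[str]) -> Dict[str, str]:
    """Classify each 'device_id,os_version,can_update' row (hypothetical
    MDM export layout) into an action bucket keyed by device id."""
    actions: Dict[str, str] = {}
    for row in rows:
        row = row.strip()
        if not row or row.startswith("device_id"):
            continue  # skip blank lines and the header line
        device_id, version, can_update = (f.strip() for f in row.split(","))
        v = parse_ios_version(version)
        if v > CORUNA_MAX:
            actions[device_id] = "unaffected by this kit"
        elif v < CORUNA_MIN:
            actions[device_id] = "below kit range: end-of-life, retire"
        elif can_update.lower() == "yes":
            actions[device_id] = "in range: enforce update to 17.3+"
        else:
            actions[device_id] = "in range: cannot update, retire"
    return actions

# Constructed sample export (not real inventory data)
SAMPLE_INVENTORY = """\
device_id,os_version,can_update
ip-001,17.2.1,yes
ip-002,17.3,yes
ip-003,16.7.4,no
ip-004,12.5.7,no
ip-005,18.1,yes
"""

if __name__ == "__main__":
    for dev, action in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{dev}: {action}")
```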
The Bigger Picture
The low immediate risk to enterprise should not become an excuse for complacency. The significance of Coruna is not the specific CVEs it exploits – it is the demonstration that nation-state-grade iOS exploitation frameworks can now escape their original context and reach criminal actors within a matter of months. The framework itself, its modular architecture, its hooking infrastructure, its delivery mechanism – all of that engineering remains intact and available. New exploits can be dropped in as new vulnerabilities are discovered. The question for security teams is not whether this specific kit poses a threat today. It is whether your mobile security posture is built to detect and respond when the next iteration arrives.
—
This post was prepared by the Corrata security research team.