Google Threat Intelligence Group recently identified a powerful exploit kit targeting Apple iPhones running iOS 13 through 17.2.1. The kit, named Coruna by its developers, contained five full iOS exploit chains and a total of 23 exploits. Coruna's significance extends beyond its technical sophistication. Within months of its discovery, the toolkit moved through the hands of commercial surveillance vendors, Russian state-sponsored operatives, and Chinese cybercriminals. That journey reveals something troubling about the modern threat landscape: the barrier between government-grade espionage tools and mass-scale criminal operations has all but vanished.
The real controversy centres on authorship. iVerify, a mobile security company, suggested Coruna appears to have been built on the same foundations as known US government hacking tools. Rocky Cole, iVerify's cofounder, went further, telling Wired that the sophistication and cost of development suggested US involvement. The kicker: two of Coruna's exploits (CVE-2023-32434 and CVE-2023-38606, codenamed Photon and Gallium) appeared previously in Operation Triangulation, a 2023 campaign against iOS devices that used a chain of four zero-day vulnerabilities. Kaspersky first disclosed Operation Triangulation in June 2023, and the FSB alleged at the time that it was a National Security Agency operation.
Enter Kaspersky's pushback. The company stated that it sees no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors. Kaspersky's Boris Larin made a technical argument with real merit. CVE-2023-38606 exploited a previously undocumented feature of Apple's own chips to bypass security protections at the hardware level. A vulnerability is not a component: both CVEs now have publicly available implementations, so any sufficiently skilled team could write its own exploits without ever seeing the Triangulation code.
The attribution debate matters because of the incentives it exposes. A state-sponsored operation that becomes public knowledge loses operational value, and circulating the same exploits through multiple threat actors serves no strategic interest if secrecy still matters. Coruna initially appeared in targeted surveillance operations, later in watering-hole attacks against Ukrainian users, and eventually in financially motivated campaigns targeting cryptocurrency users, illustrating how nation-state-grade mobile exploitation tools can proliferate into broader criminal ecosystems.
The harder truth is that we may never know who built Coruna. Attribution in cyberspace remains murky even when governments and companies cooperate. What we do know matters more: researchers have observed Coruna being used by distinct groups for very different ends, suggesting there may be an active, underexplored market for second-hand zero-days catering to the most well-resourced buyers. Whether the tool came from Langley, Beijing, or somewhere else entirely, the proliferation pattern is identical. Once a toolkit becomes powerful enough to attract commercial and criminal interest, it escapes containment.
The pragmatic response isn't to wait for perfect attribution. Coruna is not effective against the latest versions of iOS. The easiest defence is to ensure your iPhone is running iOS 17.3 or newer. For Australians with older devices that cannot be updated, enabling Lockdown Mode is the next best step: the exploit kit checks whether a device has Lockdown Mode enabled and aborts if it does. Simple steps work. Whether the threat came from a Five Eyes partner or a rival power, the mitigation remains the same.
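For anyone responsible for a fleet rather than a single phone, the two mitigations above translate into a simple triage over a device inventory. The following is an added example, not code from the article or from any of the vendors it mentions; the inventory records, device ids and version strings are constructed, and the affected range (iOS 13 through 17.2.1, fixed from 17.3, aborted by Lockdown Mode) is taken from the article.

```python
# Added example (not from the article): classify a constructed device inventory by
# exposure to the Coruna exploit kit, using the facts the article states: affected
# range iOS 13 through 17.2.1, not effective from iOS 17.3, aborts under Lockdown Mode.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)   # last affected release named in the article
FIXED_FROM = (17, 3, 0)     # first release the article calls safe


def parse_ios_version(text: str) -> tuple:
    """Turn '17.2.1', '17.3' or '16' into a comparable (major, minor, patch) tuple.

    Comparing version strings lexically is a classic triage bug ('17.10' < '17.3'
    as strings), so each component is compared numerically instead.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def coruna_exposure(version: str, lockdown_mode: bool) -> str:
    """Return one of: patched, outside-known-range, mitigated-by-lockdown-mode, exposed."""
    v = parse_ios_version(version)
    if v >= FIXED_FROM:
        return "patched"
    if v < AFFECTED_MIN:
        return "outside-known-range"  # older than the range the article names; still unsupported
    if lockdown_mode:
        return "mitigated-by-lockdown-mode"  # the kit aborts when Lockdown Mode is on
    return "exposed"


def triage(inventory: list) -> dict:
    """Group device ids by exposure status."""
    report: dict = {}
    for dev in inventory:
        status = coruna_exposure(dev["ios"], dev["lockdown_mode"])
        report.setdefault(status, []).append(dev["id"])
    return report


# Constructed sample inventory; ids are made up and "17.10" is a hypothetical
# version included only to show why numeric comparison matters.
SAMPLE_INVENTORY = [
    {"id": "ip-001", "ios": "17.3", "lockdown_mode": False},
    {"id": "ip-002", "ios": "17.2.1", "lockdown_mode": False},
    {"id": "ip-003", "ios": "17.2.1", "lockdown_mode": True},
    {"id": "ip-004", "ios": "17.10", "lockdown_mode": False},
    {"id": "ip-005", "ios": "16.7.4", "lockdown_mode": False},
    {"id": "ip-006", "ios": "12.5.7", "lockdown_mode": False},
]

if __name__ == "__main__":
    for status, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:28s} {', '.join(ids)}")
```

Devices reported as "exposed" are the ones to update first; "mitigated-by-lockdown-mode" devices should still be updated, since Lockdown Mode only defeats this kit's own check, not the underlying vulnerabilities.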