US-built hacking tools found by foreign spies and cybercriminals, says study - /FCW

US-made hacking tools available to foreign spies and cybercriminals, study finds

iVerify described the operation as "the first known mass iOS campaign" of its kind. Google said fragments of the exploit first appeared last February and were linked to an anonymous "customer of a monitoring company".

A powerful iPhone hacking toolkit that researchers say may have originated as a US-built capability has emerged in the hands of foreign spy actors and financially motivated criminal groups, according to a new analysis by Google and mobile security firm iVerify.

The tool, called Coruna, contains several exploits that can compromise Apple devices running older versions of iOS. Researchers say the code base appears to be a professionally developed platform, raising concerns that a tool originally designed for covert government use may have escaped controlled channels.

Both iVerify and Google's Threat Intelligence Group identified five exploit chains that use more than 20 vulnerabilities in older iOS versions, from 13 to 17.2.1, released between September 2019 and December 2023.

"We found a tool that was most likely developed by a nation state ... very likely developed by or for the US government that has made a strange journey around the world through zero-day brokers," iVerify co-founder Rocky Cole said in a webinar on Tuesday.

“It’s not absolutely certain, but I think it’s a good bet that at least the framework and exploits may have originated in the United States,” he said later. iVerify did not contact the NSA or US Cyber Command, which are common users of government-related cyberattacks, and Cole said "they wouldn't say anything anyway."

The hacking tools can be delivered via malicious web content that fingerprints a target device and deploys custom code to achieve remote code execution, bypassing basic iOS security measures. Traces of the tools suggest they were first used by Russian intelligence against Ukrainian targets before being adopted by a cybercrime organization to steal cryptocurrency from Chinese-speaking victims. Although Apple has fixed the underlying flaws, older versions of iOS may still be affected by the tools.

According to Google, the Coruna fragments first appeared in February of last year in operations related to an unnamed "surveillance company client". Months later, researchers spotted a more mature version deployed by what they believe was a Russian espionage campaign, with exploit code embedded in a custom web analytics tool on Ukrainian websites.

Google and iVerify noted that parts of Coruna were also used in the 2023 "triangle" campaign, which Russian officials alleged was carried out by the NSA.

iVerify, which described the activity as the "first mass iOS attack" of its kind, said the exploit kit appears to have gone from what could be a country-specific surveillance capability to a widely used criminal tool. In samples recovered from the Chinese-language fraud infrastructure, the company observed implants designed to harvest financial details and cryptocurrency wallet data.

If the exploits are indeed linked to the United States, the case echoes previous examples of sophisticated cyberattack tools developed by Western governments and then falling into unauthorized hands. EternalBlue, a Windows exploit developed by the NSA, was hacked and exposed in 2017, eventually enabling devastating operations like North Korea's WannaCry attack and the Russian-linked NotPetya hack.

U.S. intelligence and defense agencies maintain secret offensive cyber capabilities that are used to gather foreign intelligence, track enemies, and disrupt enemy networks. These tools often exploit previously unknown software vulnerabilities, known as zero days, to gain unauthorized access to targeted systems. Officials argue that such capabilities are essential to modern national security, though their development poses inherent risks if the underlying abuse is exposed or reused outside the government's control.

/FCW has requested comment from the NSA and Apple.

What is known for certain is that US achievements have recently been released into the wild. Peter Williams, a former employee of the owners of Trenchant-L3Harris, pleaded guilty in October to at least eight of the company's actions to inform the Russian sector of what is believed to be Operation Zero. No activity was done by the Treasury Department last month.
