The Coruna Leak: How a Government iPhone Exploit Kit Went on an Unsupervised World Tour
History has a sense of humor. In 2017, the Shadow Brokers leaked NSA tools that became EternalBlue that became WannaCry that became billions in ransomware damage. Nine years later, we’re apparently doing this again, except this time it’s iPhones and the leak is apparently running its own side business.
Meet Coruna.
What Got Out
Google’s Threat Intelligence Group dropped the details last week: Coruna is an iOS exploit kit that includes five complete exploit chains built from 23 individual vulnerabilities, targeting every iPhone running iOS 13.0 (September 2019) through iOS 17.2.1 (December 2023). That’s not a narrow attack surface — that’s a four-year window covering hundreds of millions of devices.
The kit is a watering hole weapon. No clicking anything sketchy required. A victim visits a compromised website, a hidden iframe fingerprints their device, identifies their exact iOS version, selects the right exploit chain, and fires. The deobfuscated JavaScript reads like something between a firmware catalog and a career-ending secret. One anchor exploit was CVE-2024-23222 — a WebKit remote code execution bug Apple quietly patched in iOS 17.3 on January 22, 2024, with no external credit. None. Zero. Which is how Apple says “we know exactly who found this and we’re not saying.”
The framework fingerprints the device before delivering the payload, which is the kind of operational care you expect from a customer billing by the target, not a script kiddie billing by the crime.
The Itinerary
Here’s the timeline Google documented, and it is not subtle:
February 2025: Google first catches Coruna in the wild. It’s deployed by a commercial surveillance vendor on behalf of a government customer — the typical “we make the tools, governments use them on journalists and dissidents” arrangement the industry runs on.
Summer 2025: The same JavaScript framework turns up on cdn.uacounter[.]com, loaded as a hidden iframe on compromised Ukrainian websites — industrial equipment suppliers, retail sites, local services, e-commerce. Delivered only to iPhone users in specific geolocations. GTIG attributes this to UNC6353, a suspected Russian espionage group. Ukraine is still a country; Russia is still trying to fix that.
Later 2025: Google retrieves the complete exploit kit when UNC6691 — a financially motivated threat actor out of China — starts running broad-scale campaigns with it. Not targeted espionage. Mass exploitation for money. The Coruna kit has officially graduated from “nation-state intelligence tool” to “commodity criminal tooling.”
Google’s verdict: “an active market for ‘second hand’ zero-day exploits.”
A secondhand market. For government cyberweapons. Let that sink in.
The Attribution Dance
Mobile security firm iVerify obtained and reverse-engineered the full kit and published their findings. Their conclusion: Coruna bears strong similarities to tools previously attributed to the United States government, based on technical overlaps with Operation Triangulation — a 2023 campaign where Kaspersky discovered iPhones belonging to its own employees had been compromised. Russia’s FSB blamed the US government. The US never confirmed or denied. Apple never credited anyone for the corresponding patches.
The Coruna kit contains components that also appeared in Operation Triangulation. Whether that’s the same toolset, a derivative, or a shared underlying framework is unclear. What is clear is that iVerify is saying “we think this came from a US government contractor or agency” in a blog post, and nobody is suing them.
iVerify’s money quote: “The more widespread the use, the more certain a leak will occur. While iVerify has some evidence that this tool is a leaked US government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”
Which is true! And also entirely predictable! And also what the security research community has been saying for a decade while governments continued to hoard zero-days!
Same Song, Different Vulnerability Class
The EternalBlue comparison isn’t just lazy pattern-matching. The structural problem is identical: governments develop and stockpile offensive exploitation capabilities, those capabilities leak (stolen, sold, lost in a procurement disaster, taken by a disgruntled contractor), and then they circulate through a grey market until they become commoditized criminal tools.
EternalBlue went from NSA to Shadow Brokers to WannaCry in about two years. Coruna went from surveillance vendor customer to Russian espionage to Chinese financially-motivated actors in roughly twelve months. The timeline is accelerating.
The “secondhand exploit market” Google is describing isn’t theoretical. It’s operational. Someone — maybe the original vendor, maybe a customer who licensed the tool, maybe someone who compromised the vendor — is selling or has sold Coruna capabilities to multiple unrelated threat actors across at least two countries. That’s a market. That’s a supply chain. That has customer acquisition costs and probably a Slack channel.
What You Should Do
If you’re running iOS 17.2.1 or older, update. Now. Coruna is not effective against current iOS. Google has also added all known Coruna domains to Safe Browsing, so Chrome and other browsers using the API have some coverage.
If you can’t update for some reason, enable Lockdown Mode. It’s aggressive — kills a lot of web features — but it closes the attack surface that watering hole exploits rely on.
If you work in mobile security or threat intelligence: the Coruna kit represents a technical template that will be reused. Google has detailed the obfuscation techniques, the fingerprinting module, and the exploit structure in their write-up. Read it. The JavaScript XOR obfuscation pattern they documented ([16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x => {return String.fromCharCode(x ^ 101);})) is distinctive and detectable.
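To make the pattern above concrete, here is an added analyst helper (not code from Google's or iVerify's write-ups) that scans JavaScript source for the Coruna-style single-byte XOR string-decoding idiom, extracts the byte array and key, and recovers the plaintext. The regex is a heuristic assumption shaped on the snippet quoted above, and the second string in the sample is constructed.

```javascript
// Locate the "[bytes].map(x => String.fromCharCode(x ^ key))" idiom in JS source
// and decode each hit for triage.  The regex is an assumption: it matches the
// shape quoted in the article (with or without braces/return, any whitespace).
const XOR_IDIOM = new RegExp(
  String.raw`\[\s*((?:\d+\s*,\s*)*\d+)\s*\]\s*\.map\(\s*(\w+)\s*=>\s*\{?\s*(?:return\s+)?` +
  String.raw`String\.fromCharCode\(\s*\2\s*\^\s*(\d+)\s*\)\s*;?\s*\}?\s*\)`,
  "g"
);

// Decode one byte array with a single-byte XOR key.
function xorDecode(bytes, key) {
  return bytes.map((b) => String.fromCharCode(b ^ key)).join("");
}

// Scan source text; return every match with its offset, key, raw bytes and plaintext.
function findXorStrings(source) {
  const hits = [];
  for (const m of source.matchAll(XOR_IDIOM)) {
    const bytes = m[1].split(",").map((s) => parseInt(s.trim(), 10));
    const key = parseInt(m[3], 10);
    hits.push({ offset: m.index, key, bytes, plaintext: xorDecode(bytes, key) });
  }
  return hits;
}

// Constructed sample: the exact snippet quoted in the article, plus a second
// made-up string encoded with a different key in the brace-less arrow form.
const SAMPLE = `
(function(){
  [16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x => {return String.fromCharCode(x ^ 101);});
  var tag = [67,76,88,75,71,79].map(c=>String.fromCharCode(c^42)).join("");
})();`;

for (const h of findXorStrings(SAMPLE)) {
  console.log(`offset ${h.offset} key ${h.key}: ${JSON.stringify(h.plaintext)}`);
}
```

Run against a deobfuscated page body; hits with a common key are a strong hint that a single decoder routine is in use and that the remaining literals can be bulk-decoded the same way.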
The Actual Problem
Surveillance vendors operate in a legal grey zone by design. They sell to governments. Governments agree to “responsible use.” Tooling leaks anyway — because it always does, because zero-days are valuable, and because the supply chain for offensive cyber tools has all the security discipline of a used car dealership.
The industry response to every one of these events is the same: patch the specific vulnerabilities, add the domains to blocklists, write a report, wait for the next one. Nobody shuts down the market. Nobody creates meaningful accountability for the vendors. Nobody stops governments from stockpiling vulnerabilities that will eventually come out sideways.
Coruna is not a surprise. Coruna is a reminder. The next one is already in the wild somewhere, waiting to complete its world tour.
Full details: Google GTIG write-up | TechCrunch coverage | iVerify blog post