State-developed iPhone hacking tools reused by cybercriminals, Google warns

Tech & Startup Desk

A suite of sophisticated hacking tools originally deployed in government-linked operations against Apple iPhones is now being used by cybercriminal groups, according to a recent blog post by Google.

Google Threat Intelligence Group (GTIG) first identified the exploit kit, known as Coruna, in February 2025 when a surveillance vendor attempted to compromise an individual’s iPhone with spyware on behalf of a government client. Months later, researchers observed the same toolkit being used in a large-scale campaign targeting Ukrainian users, attributed to a Russian espionage group. The company subsequently detected the tools in use by a financially motivated hacker operating from China.

It remains unclear how the exploit kit spread beyond its original customer. Google’s security team warned, however, of what it described as a growing secondary market for “second-hand” exploits, in which previously developed tools are resold or repurposed by criminal actors seeking to monetise them.

The mobile security firm iVerify obtained and reverse-engineered the Coruna toolkit. In a blog post, the company said technical similarities suggested links to tools previously attributed to the United States government. iVerify cautioned that once such capabilities are used more widely, the risk of leakage increases, making it more likely they will be adopted by non-state actors.

According to Google, the Coruna framework chains together 23 separate vulnerabilities, allowing attackers to compromise devices in up to five different ways. Affected devices include iPhone models running iOS 13 through to version 17.2.1, released in December 2023.

Elements of Coruna resemble components used in a previous campaign known as Operation Triangulation, which the cybersecurity firm Kaspersky discovered in 2023.