RC RANDOM CHAOS

US Contractor's iOS Exploit Kit 'Coruna' Leaked to Russia, Now in the Wild

via Schneier on Security

Original source: "Possible US Government iPhone Hacking Tool Leaked" (Schneier on Security)

Google security researchers have detailed ‘Coruna,’ a zero-click iOS exploitation framework that chains 23 vulnerabilities to silently install malware via a malicious webpage. The toolkit’s sophistication — five complete exploit chains, millions of dollars in apparent development cost — points to state-level authorship, and code patterns match tooling previously attributed to the US government.

Two former employees of defense contractor L3Harris confirmed to TechCrunch that Coruna originated inside Trenchant, the company’s offensive hacking and surveillance division. The apparent leak vector: an insider who sold the toolkit to Russian intelligence. It’s now being used by both nation-state actors and criminal groups.

The incident marks the first publicly documented case of US government offensive cyber tooling escaping controlled use and proliferating across adversaries and criminals. It raises direct questions about how the US manages and audits access to its most sensitive offensive capabilities — and what happens when a contractor employee decides to monetize them.


This is an AI-generated summary. Read the original for the full story.