America's iPhone Weapons Are Loose

Published: March 3, 2026

In 2017, a hacking tool called EternalBlue leaked from the National Security Agency and infected the world. WannaCry shut down hospitals. NotPetya cost businesses $10 billion. The damage was staggering, and it all started with one US government weapon that got out.

Researchers say the same thing just happened to iOS.

On Tuesday, Google's Threat Intelligence Group and mobile security firm iVerify published research describing "Coruna" — a sophisticated iPhone hacking toolkit that includes five complete exploit chains and 23 distinct vulnerabilities targeting iOS 13 through 17.2.1. The kit was built by someone with serious money, serious skills, and code comments written in native English. It bears the hallmarks of a US government capability. And it's now in the hands of Russian spies, Chinese criminals, and anyone else who can afford second-hand zero-days.

"This is the EternalBlue moment for mobile malware," said Rocky Cole, co-founder of iVerify. Cole is a former NSA analyst. He knows what US government tools look like. "The genie is out of the bottle."

What Coruna Is

Coruna is not the kind of malware that shows up on a phishing email. It's a watering hole weapon — code that sits invisibly on a website and executes when you visit it. Safari on iOS loads the page. Coruna fingerprints your device model and iOS version in the background, selects the appropriate exploit chain, and starts the attack. You see nothing. You do nothing wrong. You just visit a website.

The attack chain is engineered at every step:

  • WebKit remote code execution to break out of the browser sandbox
  • Pointer Authentication Code (PAC) bypass to defeat Apple's memory protection
  • Sandbox escape to reach the OS
  • Privilege escalation to gain kernel access
  • Page Protection Layer (PPL) bypass to establish persistence

Five complete chains, covering every iPhone model from 2019 through late 2023. Each component has its own internal code name — WebKit bugs named buffout, jacurutu, bluebird, terrorbird, cassowary; privilege escalation exploits named Photon, Parallax, Gruber; PPL bypasses named Quark, Gallium, Sparrow, Rocket. The naming convention is consistent. The engineering is professional. Google notes the code contains "extensive documentation, including docstrings and comments authored in native English" with some of the most advanced exploits using "non-public exploitation techniques and mitigation bypasses" that haven't been seen elsewhere.

iVerify's Spencer Parker called the underlying code "impressively polished and modular." Then he noted that the cryptocurrency-stealing malware layered on top of it by the Chinese criminals who eventually deployed it was comparatively "poorly written." The thieves had acquired a Ferrari and installed a broken stereo.

The Journey

The trail starts in February 2025. Google's researchers spotted a partial Coruna exploit chain being deployed by what they describe as "a customer of a surveillance company." They won't name the company or the customer. The infection used CVE-2024-23222, a WebKit vulnerability Apple had quietly patched in January 2024 without crediting any external researchers — itself a hint that Apple knew about this one through sensitive channels.

Five months later, the same JavaScript framework appeared on Ukrainian websites. Not a handful — many compromised sites, ranging from industrial equipment vendors to retail tools to local services. The code was embedded as a hidden iFrame and delivered only to iOS users from specific geolocations. The group behind it, which Google tracks as UNC6353, is a suspected Russian espionage operation. The intended targets were Ukrainians visiting ordinary websites.
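A static check for the delivery mechanism described above: a hidden iframe injected into an otherwise ordinary page. This is an added example written for this article, not code from Google, iVerify or the research they published; the HTML it scans is constructed, and the heuristics (display:none, visibility:hidden, zero-sized frames, the bare `hidden` attribute) are common hiding patterns, not a description of what the real campaign used. It is the kind of check a site owner or web crawler can run over their own pages to surface injected content that a visitor never sees.

```python
"""Flag hidden iframes in an HTML page (added example; constructed input)."""
from html.parser import HTMLParser
import re

# Constructed sample page: one visible map embed and one iframe that is
# hidden by inline style and zero dimensions. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Industrial Pumps Ltd</h1>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<div style="position:absolute;left:-9999px">
<iframe src="https://cdn-stats.example.net/loader.html" width="0" height="0"
        style="display:none;visibility:hidden"></iframe>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; bare attributes get None.
            self.iframes.append(dict(attrs))


def _is_zero(value):
    """True for width/height values that render nothing (0, 0px, 1px ...)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Heuristic: inline style hides it, it has no size, or it is marked hidden."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        return True
    return "hidden" in attrs


def find_hidden_iframes(html):
    """Return the src of every iframe in the page that the heuristic flags."""
    parser = IframeCollector()
    parser.feed(html)
    return [a.get("src", "") for a in parser.iframes if is_hidden(a)]


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe:", src)
```

Because the article notes the payload was served only to iOS visitors from specific regions, a crawl from an ordinary vantage point may not see the iframe at all; the check is most useful run against the page source as stored on the server, or in a content-integrity pipeline that diffs deployed HTML against the known-good build.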

At the end of 2025, Coruna appeared for the third time, now on a massive network of fake Chinese finance and cryptocurrency websites. The intent wasn't espionage. The group Google tracks as UNC6691 — financially motivated, operating from China — had obtained the complete exploit kit and repurposed it for theft. They added PLASMAGRID, a payload that injects into iOS's powerd daemon (a root process), searches for BIP39 cryptocurrency seed phrases, and hooks into 18 different wallet applications including MetaMask, Phantom, Trust Wallet, and Exodus to drain funds. The implant also scans photos and Apple Memos for text matching bank account keywords.

Across these three campaigns — surveillance vendor, Russian espionage, Chinese financial crime — the core Coruna toolkit stayed consistent. The same exploits. The same JavaScript obfuscation techniques. The same underlying framework.

iVerify counted roughly 42,000 devices infected through the Chinese criminal campaign alone. That's the floor, not the ceiling. The Ukrainian campaign victim count is unknown.

Where It Came From

Neither Google nor iVerify makes a definitive attribution. They don't have to.

iVerify states it has "some evidence that this tool is a leaked U.S. government framework." Cole lists the indicators: professionally engineered code that "took millions of dollars to develop," a consistent single-author architecture, native English comments with what he describes as the "insider jokes and insider remarks" you'd see from US defense industrial base coders. "It looks like it was written as a whole," he told WIRED. "It doesn't look like it was pieced together."

The most significant technical clue is two exploits in the Coruna kit — Photon (CVE-2023-32434) and Gallium (CVE-2023-38606) — that also appeared in Operation Triangulation, the iOS attack campaign that Kaspersky discovered targeting its own employees in 2023. The Russian government attributed Operation Triangulation to the NSA and claimed it was used to surveil Russian officials through Apple devices. The NSA never commented. Apple patched the vulnerabilities.

If Coruna and Operation Triangulation share common code, the US government origin becomes considerably less theoretical.

How It Got Out

The question of how a US government capability ends up running on Chinese scam websites has one obvious answer that landed in federal court last month.

Peter Williams, 39, was the general manager of Trenchant, the cyber division of US defense contractor L3Harris. Trenchant develops digital surveillance tools for US intelligence agencies and Five Eyes partners — the US, UK, Australia, Canada, and New Zealand. From 2022 to 2025, Williams sold eight zero-day exploits to Operation Zero, a Russian zero-day broker based in St. Petersburg.

He received millions in cryptocurrency. He used it to fund what federal prosecutors described as a luxury lifestyle.

Williams pleaded guilty to two counts of theft of trade secrets. He was sentenced on February 25, 2026, to 87 months in federal prison. The US Treasury Department simultaneously sanctioned Operation Zero's owner, Sergey Zelenyuk, along with five associated individuals and entities, calling this the "first-ever sanctions" targeting an exploit broker for acquiring and distributing cyber tools harmful to national security.

The sentencing memo notes Williams specifically sold tools that Trenchant had developed for the intelligence community. What those tools targeted — what operating systems, what devices — is not specified in public court documents. But the timeline matches. Trenchant operates in the Five Eyes ecosystem. Operation Zero has the financial resources and motivation to resell.

Cole offers the straightforward assessment: "These zero-day and exploit brokers tend to be unscrupulous. They sell to the highest bidder and they double dip. Many don't have exclusivity arrangements. That's very likely what happened here. One of these tools ended up in the hands of a non-Western exploit broker, and they sold it to whoever was willing to pay."

What the Government Built This For

There's a certain irony that the US government spent years arguing it needed to stockpile iOS zero-days for national security purposes — and that the result is a world where Russian spies and Chinese crypto thieves have professional-grade iPhone hacking tools.

The doctrine is called NOBUS: "Nobody But Us." The premise is that certain vulnerabilities and exploitation capabilities are so sophisticated that only the US government can develop and use them, so it's safe to hold them without disclosing them to vendors for patching. The logic has always been questionable. The Coruna story is what "NOBUS fails" looks like in practice.

The Biden administration issued an executive order in March 2023 prohibiting US government use of commercial spyware that posed national security risks. State Department officials participated in the Pall Mall Process, an international effort to build norms around commercial cyber intrusion capabilities. Good intentions, late timing.

Meanwhile, Trenchant's tools were already in transit to Moscow.

What This Means for iPhone Users

Coruna doesn't work against iOS 18 or iOS 26. The specific exploit chains target iOS 13 through 17.2.1, covering devices from 2019 through late 2023. If you've kept your iPhone updated, you're not vulnerable to these specific techniques.

The word "specific" is doing a lot of work in that sentence.

Coruna demonstrates that sophisticated, professionally engineered iOS zero-day chains exist. They proliferate. They end up in criminal hands. When researchers find them, they're already deployed at scale — 42,000 devices before anyone knew it was happening.

iVerify also notes that Coruna checks for Apple's Lockdown Mode and abandons the attack if it detects it. That's the most direct signal of how capable this kit was designed to be: it respects Apple's highest security setting because the authors knew exactly how it worked and chose not to fight it directly.

For the vast majority of users, keep iOS updated and enable Lockdown Mode if you're a high-risk target — journalist, activist, executive, government official. For everyone else, the relevant conclusion is simpler: the assumption that iPhone security is somehow above the nation-state threat landscape was always partly fiction. Coruna confirms it.

The Second-Hand Zero-Day Market

The deeper problem Coruna exposes isn't any specific vulnerability. It's a market structure.

Nation-state intelligence agencies pay tens of millions of dollars for iOS zero-days. Contractors develop them. Governments classify them. At some point, a Williams-type figure decides the Russian broker will pay more than the clearance is worth. Or a surveillance vendor's customer loses control of their toolkit. Or an internal threat actor walks out the door with eight exploits on a thumb drive.

Google described this dynamic directly: "an active market for 'second hand' zero-day exploits." Once a sophisticated capability enters that secondary market, attribution becomes nearly impossible and containment is fiction. Russia buys it, uses it against Ukraine, leaves traces. The traces get picked up. Financially motivated actors adapt the framework for crypto theft.

The original authors — wherever they worked, whatever government commissioned their work — have no control over any of this.

EternalBlue was the proof of concept for Windows. Coruna is the proof of concept for iOS. The lesson is the same one the NSA failed to learn in 2017: when you build a weapon powerful enough to be worth stealing, assume it will be stolen.


Technical Details:

  • Exploit kit: Coruna (named by developers internally)
  • Implant: PLASMAGRID (PlasmaLoader stager, PlasmaGrid payload)
  • iOS versions affected: 13.0 – 17.2.1 (September 2019 – December 2023)
  • CVEs confirmed: CVE-2024-23222, CVE-2022-48503, CVE-2023-43000, CVE-2023-32409, CVE-2023-41974, CVE-2023-32434, CVE-2023-38606, CVE-2024-23225, CVE-2024-23296, CVE-2020-27932, CVE-2020-27950, CVE-2021-30952
  • Confirmed victims: 42,000+ (UNC6691 financial campaign alone)
  • Fixed in: iOS 26 / iOS 18.x
  • Mitigation: Update iOS, enable Lockdown Mode for high-risk users
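A fleet-triage script built on the version range and the Lockdown Mode behaviour listed above. This is an added example for this article, not a tool from Apple, Google or iVerify; the inventory rows are constructed (one version string is deliberately non-existent to exercise numeric rather than string comparison) and the column names of the MDM export are assumptions. It orders devices by what the article supports: an affected version without Lockdown Mode is the first thing to update, an affected version with Lockdown Mode still needs the update but is at lower exposure, and anything on 18.x or later is outside the kit's range.

```python
"""Triage a device inventory against iOS 13.0 through 17.2.1 (added example)."""
import csv
import io

# Range the article gives as affected, inclusive at both ends.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Constructed MDM export. Column names are assumed; "17.10" is not a real
# release and is here only to show that 17.10 must sort above 17.2, not below.
INVENTORY_CSV = """device_id,os_version,lockdown_mode
ip-001,17.2.1,false
ip-002,17.3,false
ip-003,16.7.5,true
ip-004,18.1,false
ip-005,17.10,false
ip-006,12.5.7,false
ip-007,17.2,false
"""


def parse_version(s):
    """'17.2' -> (17, 2, 0): pad to three components so 17.2 < 17.2.1."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_affected_range(version_str):
    """True if the version falls inside the range Coruna's chains target."""
    return AFFECTED_MIN <= parse_version(version_str) <= AFFECTED_MAX


def triage(csv_text):
    """Split devices into two update queues, highest exposure first.

    update_now: affected version, Lockdown Mode off.
    update_lockdown_on: affected version, Lockdown Mode on (the kit aborts,
    but the underlying bugs are still unpatched until the OS is updated).
    Devices outside the range are not listed.
    """
    exposed, exposed_lockdown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not in_affected_range(row["os_version"]):
            continue
        if row["lockdown_mode"].strip().lower() == "true":
            exposed_lockdown.append(row["device_id"])
        else:
            exposed.append(row["device_id"])
    return {"update_now": exposed, "update_lockdown_on": exposed_lockdown}


if __name__ == "__main__":
    for queue, ids in triage(INVENTORY_CSV).items():
        print(f"{queue}: {', '.join(ids) or '(none)'}")
```

The three-component padding is the detail that matters: comparing version strings lexically would place 17.10 below 17.2 and 17.2 above 17.2.1, and either mistake silently drops devices from the update queue.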

Related Cases:

  • Peter Williams / Trenchant / L3Harris (sentenced February 25, 2026)
  • Operation Zero sanctions (February 24, 2026, US Treasury)
