An attack tool used in a large-scale hacking operation targeting iPhone users in Ukraine and China has been revealed to have likely come from an internal project of the US military contractor L3Harris. The tool was originally customized for Western intelligence agencies but eventually fell into the hands of Russian intelligence agencies and Chinese cybercriminal groups, raising heightened concern about the risk of cyber weapons built by defense contractors leaking out.

Google disclosed last week that it had discovered a sophisticated iPhone attack toolkit used in multiple rounds of global attacks in 2025. The toolkit, named "Coruna" by its original developers, consists of 23 different components and was first used by an unnamed government client in "highly targeted operations," then by Russian government-backed spies against a small number of Ukrainian targets, and eventually by Chinese cybercriminals in a large-scale operation to steal funds and cryptocurrency. An independent analysis by mobile security company iVerify determined that the tool was likely originally developed by a company that sells products to the U.S. government.
Two former employees who worked at Trenchant, the hacking and surveillance technology arm of L3Harris, confirmed to the media that at least some components of Coruna were developed by Trenchant; both had worked directly with the iPhone attack tools developed by the company. The two people, who requested anonymity, said that "Coruna is indeed the code name of an internal component" and that the technical details disclosed by Google were "very familiar." One of the former employees said Coruna was one of several components and exploits included in Trenchant's overall toolkit.
Public information shows that L3Harris sells hacking and surveillance tools through Trenchant to the U.S. government and its "Five Eyes" allies, with customers limited to intelligence agencies in the United States, the United Kingdom, Canada, Australia and New Zealand. Given this tightly restricted customer base, Coruna was most likely first purchased and used by the intelligence agency of one of those countries, and then leaked in some way into the hands of other actors. It is unclear exactly how much of the code in the exposed Coruna toolset comes directly from L3Harris Trenchant.
Coruna's transnational proliferation trajectory closely resembles the case of former Trenchant general manager Peter Williams, who leaked cyber weapons. According to public records, between 2022 and mid-2025, Williams sold eight Trenchant attack tools to the Russian company Operation Zero, earning approximately $1.3 million. The U.S. government accused him of using his "full access" to the Trenchant intranet to steal tools that could attack "millions of computers and devices around the world," and described his actions as a "betrayal" of the United States and its allies. Williams was sentenced to seven years in prison in February, and Operation Zero was sanctioned by the U.S. Treasury Department.
The U.S. Treasury Department disclosed that Operation Zero claimed to work only with the Russian government and domestic companies, but officials determined that it sold the tools stolen by Williams to at least "one unauthorized user." Google's investigation revealed that the Russian espionage organization UNC6353 obtained Coruna through unknown channels and implanted it into compromised Ukrainian websites to target users in specific geographical locations who visited those websites from iPhones. Some analysts believe that after Operation Zero resold the tools to Russian officials, it may have continued to resell them to other brokers, countries, or even directly to cybercriminal groups. The U.S. indictment also mentioned that members of the ransomware gang Trickbot collaborated with Operation Zero, linking the broker to a network of financially motivated hackers.
According to U.S. prosecutors, Williams recognized code he wrote and sold to Operation Zero, which later turned up in the hands of a South Korean middleman. This also provides a possible path for how Coruna ended up flowing to Chinese hackers: in multiple rounds of resale and code reuse, the tool gradually spread from the government intelligence circle to the broader hacker ecosystem.
Google researchers pointed out that two specific exploit components in Coruna, named "Photon" and "Gallium", were used as zero-day weapons in a sophisticated attack campaign called "Operation Triangulation" ("Triangle Operation"), which is believed to have targeted iPhone users in Russia. Kaspersky Lab first disclosed Operation Triangulation back in 2023. iVerify co-founder Rocky Cole said that based on the currently public information, the "most reasonable explanation" is that Coruna's original developer and customer are Trenchant and the US government respectively, but he emphasized that this judgment is not yet "absolutely conclusive."
Cole's judgment is based on three points: first, the timeline of Coruna's use overlaps heavily with the Williams leak case; second, the structure of the three major modules in Coruna, "Plasma", "Photon" and "Gallium", is very similar to the modules observed in Operation Triangulation; third, Coruna reuses some attack code that was used in that operation. He also revealed that information from "people close to the defense community" claimed the "Plasma" module had also been used in Operation Triangulation, but there is currently no public evidence to support this. Cole himself once worked for the National Security Agency (NSA).
Technical analysis by Google and iVerify shows that Coruna is designed to attack iPhones running iOS 13 to iOS 17.2.1, covering a series of system versions released from September 2019 to December 2023. This time span also coincides with the timeline of Williams' leaked tools and the discovery of Operation Triangulation. A former Trenchant employee recalled that when Kaspersky first disclosed Operation Triangulation in 2023, many people within the company believed that at least one of the captured zero-day exploits "came from us" and may have been "stripped" from the overall project that included Coruna and put into use.
Security researcher Costin Raiu also pointed out on social platforms that many components of the Coruna tool are named after birds, such as Cassowary, Terrorbird, Bluebird, Jacurutu and Sparrow, a naming pattern he tied implicitly to Trenchant's technical heritage. As early as 2021, the Washington Post reported that Azimuth, a security company later acquired by L3Harris and merged into Trenchant, sold an iPhone cracking tool called Condor to the FBI, which was used to unlock the iPhone in the well-known San Bernardino shooting case.
After Operation Triangulation was exposed, Russia's Federal Security Service (FSB) accused the US National Security Agency of using the tool to hack into "thousands of iPhones" in Russia, focusing on targets such as diplomats. Kaspersky said at the time that it was not aware of the details of the FSB accusations, but pointed out that the indicators of compromise disclosed by Russia's National Cyber Incident Coordination Center (NCCCI) were consistent with evidence Kaspersky had previously identified. However, Kaspersky security researcher Boris Larin said that even after extensive research, Operation Triangulation still cannot be attributed to any known advanced persistent threat (APT) group or exploit development company.
Larin explained that Google associated Coruna with Operation Triangulation because both exploited the same vulnerabilities, Photon and Gallium. However, sharing vulnerabilities alone is not enough to complete attribution, because the details of these two vulnerabilities have been public for a long time, and any party could develop its own attack chain based on them. He emphasized that these two shared vulnerabilities are "just the tip of the iceberg." It is worth mentioning that although Kaspersky has never publicly accused the U.S. government of being behind Operation Triangulation, the Apple logo composed of multiple triangles that the company designed for this operation is visually similar to the brand logo of L3Harris. Some people believe this is a "visual hint" technique that Kaspersky commonly uses.
Kaspersky's past practices seem to support this speculation. In 2014, the company disclosed a high-level government hacker group called "Careto" (meaning "Mask"). It only mentioned that the attackers spoke Spanish, but the mask illustration used in the report added the red and yellow colors of the Spanish flag, bull horns, nose rings, castanets and other elements, which was taken to imply that the attackers were linked to the Spanish government. As later reports quoted Kaspersky insiders as saying, the research team privately believed there was "no doubt" that Careto was an operation led by the Spanish government.
The controversy surrounding Coruna has also prompted continued media tracking. Cybersecurity reporter Patrick Gray said on this week's "Risky Business" podcast, based on "fragmentary intelligence" that he had and was confident in, that Williams sold Operation Zero exactly the same attack framework used in Operation Triangulation. So far, Apple, Google, Kaspersky and Operation Zero have not responded publicly to this issue.