Coruna iOS Exploit Kit Likely Traced to L3Harris Trenchant

Executive Summary
Google Threat Intelligence Group says the Coruna iPhone exploit framework was used in 2025 first by a customer of an unnamed surveillance vendor, then by UNC6353, a suspected Russian espionage actor targeting Ukrainians through compromised websites, and later by UNC6691, a China-based financially motivated actor running broader scams. Separately, TechCrunch reported that two former employees said Coruna components were likely developed inside L3Harris Trenchant, while iVerify said the best current explanation points to a company selling to the U.S. government. That alleged origin is not officially confirmed by Google or L3Harris, but the overlap is serious enough that defenders should treat Coruna as a case study in how zero-day capabilities can leak, spread, and be repurposed across very different threat actors.
What happened?
Timeline at a glance
- February 2025: Google says it captured part of an iOS exploit chain used by a customer of a surveillance vendor.
- Summer 2025: the same framework appeared on cdn.uacounter[.]com, delivered via hidden iframes on compromised Ukrainian websites and served selectively to iPhone users in specific geographies.
- Late 2025: Google found the same exploit kit on a large cluster of fake Chinese finance and crypto sites, where it was used much more broadly.
- March 2026: Google published technical details on Coruna, and TechCrunch followed with reporting that former employees linked parts of the toolkit to L3Harris Trenchant.
What Google actually confirmed
Google’s reporting is the strongest public technical source here. According to GTIG, Coruna includes five full iOS exploit chains and 23 exploits targeting iPhones from iOS 13.0 through 17.2.1. The framework fingerprints the device, selects a matching Safari/WebKit remote code execution path, applies mitigation bypasses, then loads follow-on components for privilege escalation and post-exploitation.
Google also said Coruna was used in three distinct settings:
- Highly targeted operations by a customer of a surveillance vendor.
- Watering-hole style operations against Ukrainian users by UNC6353, which Google describes as a suspected Russian espionage group.
- Broad criminal campaigns by UNC6691, a financially motivated actor operating from China.
That progression matters more than any single exploit name. It shows a spyware-grade exploit framework moving from restricted targeting to malware operations with wider victim exposure.
Why the L3Harris / Trenchant angle matters
TechCrunch’s reporting does not prove formal attribution, but it adds important context. Two former employees told TechCrunch that Coruna was, at least in part, developed by Trenchant, L3Harris’s offensive cyber division. One said that “Coruna was definitely an internal name of a component,” while another confirmed that some of the details in Google’s publication matched Trenchant-developed tooling.
That reporting lines up with two other public signals:
- iVerify said its independent analysis points to a company that likely sold the framework to the U.S. government.
- The U.S. Treasury said sanctioned Russian broker Operation Zero acquired at least eight proprietary cyber tools stolen from a U.S. company and sold them to at least one unauthorized user.
Treasury itself did not name Coruna. But the timeline is hard to ignore. TechCrunch previously reported that former Trenchant manager Peter Williams was jailed after admitting he sold stolen hacking tools to Operation Zero. If Coruna or adjacent modules were among the capabilities that escaped controlled handling, the broader lesson is ugly but simple: offensive cyber tools do not stay “exclusive” for long.
What Coruna appears to do technically
Google’s write-up describes Coruna as a modular exploit kit with unusually mature engineering. Notable features include:
- device fingerprinting to choose the right exploit chain
- Safari/WebKit remote code execution followed by PAC bypass and kernel-level steps
- encrypted blobs disguised as .min.js resources
- a binary loader and compressed payload packaging
- post-exploitation components that steal financial and wallet-related data
- fallback command-and-control logic and reusable implant modules
Google also said some Coruna components reused vulnerabilities associated with Operation Triangulation, including the exploit modules called Photon and Gallium. That does not, on its own, prove the same operator built both systems. But it does underline how advanced exploit techniques can be re-used after details become available.
Why defenders should care even if attribution stays disputed
The core story is not just “was this really Trenchant?” The operational lesson is that once a high-end exploit framework escapes its intended boundary, it can move across:
- commercial surveillance customers
- state-linked espionage actors
- criminal operators chasing money or cryptocurrency
That kind of spread compresses the distance between boutique spyware and mainstream crimeware. It also raises the risk that advanced persistent threat tradecraft will increasingly show up in investigations that initially look like fraud, mobile theft, or consumer compromise.
Who is most at risk?
Highest-risk groups
- Ukrainian civil society, government-adjacent, media, and regional targets exposed to compromised local websites
- users lured to fake Chinese finance, exchange, or crypto sites from an iPhone
- executives, diplomats, journalists, and security researchers who remain on older iOS builds
- organizations with bring-your-own-device exposure but limited mobile telemetry
Exposure conditions
According to Google and iVerify, Coruna was effective against devices running iOS 13 through 17.2.1. Google says the kit is not effective against the latest iOS version available at publication time. That means patch lag is the main exposure amplifier.
Detection and response guidance
Immediate actions
- identify iPhones that remained on iOS 17.2.1 or older during the 2025–2026 exposure window
- prioritize users who visited Ukrainian local-service sites, industrial or retail sites later identified as compromised, or suspicious finance/crypto pages
- review mobile network telemetry for unusual requests tied to exploit delivery pages, hidden iframe loads, and odd .min.js resources
- collect forensic artifacts from suspected devices before wiping or replacing them
- enable Lockdown Mode for users at elevated risk where business impact is acceptable
What to hunt for
- evidence of exploit staging through Safari/WebKit immediately followed by abnormal native process behavior
- suspicious network traffic from processes that should not normally talk to remote infrastructure in that pattern
- signs of wallet, notes, QR-code, or financial-data access inconsistent with normal user activity
- repeat visits to lure domains from devices that were not fully updated
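One way to turn the patch-window check and the .min.js telemetry review above into a first triage pass over proxy logs, as an added example that is not from the original report or from Google's or iVerify's tooling. It assumes a hypothetical space-separated log schema (client IP, host, path, referer, user agent) and constructed log lines; only the iOS 13.0 to 17.2.1 window and the cdn.uacounter[.]com delivery host come from the reporting.

```python
import re
from urllib.parse import urlparse
# Exploitable range reported by Google: iOS 13.0 through 17.2.1, inclusive.
VULN_MIN = (13, 0, 0)
VULN_MAX = (17, 2, 1)
# Delivery host named in the reporting (defanged there; re-fanged here for matching).
KNOWN_DELIVERY_HOSTS = {"cdn.uacounter.com"}
# Constructed sample proxy log: "client_ip host path referer user_agent"
# (hypothetical schema; adapt LINE_RE to your proxy's real format).
SAMPLE_LOG = """\
10.0.0.5 cdn.uacounter.com /lib/app.min.js https://ua-site.invalid/ Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15
10.0.0.6 static.example.invalid /js/vendor.min.js https://static.example.invalid/page Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15
10.0.0.7 third-cdn.invalid /a/b.min.js https://finance-lure.invalid/ Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15
10.0.0.8 third-cdn.invalid /a/b.min.js https://finance-lure.invalid/ Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")

def ios_version(user_agent):
    """iOS version tuple parsed from a Safari UA, or None for non-iPhone clients."""
    m = IOS_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def in_vulnerable_range(version):
    """True when the build falls inside the window Coruna's chains cover."""
    return VULN_MIN <= version <= VULN_MAX

def triage(log_text):
    """Return (client_ip, ios_version, reasons) for requests worth analyst review."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, host, path, referer, ua = m.groups()
        ver = ios_version(ua)
        if ver is None or not in_vulnerable_range(ver):
            continue  # up-to-date builds and non-iPhone clients are out of scope
        reasons = []
        if host in KNOWN_DELIVERY_HOSTS:
            reasons.append("known Coruna delivery host")
        if path.endswith(".min.js") and host != (urlparse(referer).hostname or ""):
            reasons.append("third-party .min.js fetched from an unrelated page")
        if reasons:
            hits.append((ip, "%d.%d.%d" % ver, "; ".join(reasons)))
    return hits
```

Hits are a starting point for mobile forensics escalation, not a verdict: a legitimate CDN will also serve third-party .min.js, so the value is in narrowing to exposed builds and known delivery infrastructure.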
Strategic controls
- shorten mobile patch windows for executives and high-risk users
- treat mobile browser exploitation as a mainstream enterprise risk, not just a niche espionage problem
- expand threat intelligence monitoring to include mobile exploit-kit infrastructure, not only desktop malware and phishing
- create a playbook for rapid triage of suspicious iPhone compromise, including backup preservation and mobile forensics escalation
Our assessment
Coruna is one of the clearest recent examples of exploit-capability proliferation. Google established the technical chain of custody for how the framework showed up across targeted, state-linked, and criminal use cases. TechCrunch and iVerify added credible but still incomplete evidence that the toolkit may have originated inside L3Harris Trenchant or a closely related Five Eyes-aligned development context.
That distinction matters legally and politically. But operationally, the message is already clear: if a modern iOS exploit kit can move from a tightly controlled environment into Russian espionage against Ukraine and then into criminal monetization, defenders should stop assuming that “premium” mobile exploitation remains rare, contained, or someone else’s problem.
Did Google say L3Harris built Coruna?
No. Google described how Coruna was used and said it first saw it with a customer of a surveillance vendor. The L3Harris/Trenchant angle comes from TechCrunch reporting and iVerify’s assessment, not from Google directly.
Is the attribution confirmed?
Not fully. The current public picture supports likely or credible linkage, not definitive public attribution.
Who used Coruna?
Google said it saw the framework used by a surveillance-vendor customer, then by suspected Russian espionage actor UNC6353 against Ukrainians, and later by UNC6691 in broader criminal campaigns.
What versions were at risk?
Google said Coruna targeted iPhones running iOS 13.0 through 17.2.1.
What should organizations do first?
Patch iPhones aggressively, identify users who may have visited relevant lure sites, and escalate suspected compromises to mobile incident response rather than treating them as routine fraud cases.
References
- Google Threat Intelligence Group — Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
- TechCrunch — US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine
- iVerify — Coruna: Inside the Nation-State-Grade iOS Exploit Kit We've Been Tracking
- U.S. Treasury — Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools
- TechCrunch — Former L3Harris Trenchant boss jailed for selling hacking tools to Russian broker
Published: 2026-03-11
Author: Invaders Cybersecurity
Classification: Public / TLP:CLEAR
Reading Time: 6 minutes