Last week we reported on a hacking campaign discovered by Google dubbed "Coruna." It was designed to quietly hack into vulnerable iPhone devices (from iOS 13.0 to iOS 17.2.1). Once it is set off, it bypasses built-in security guardrails to gain access to a device and install malicious payloads without the knowledge of the user.
According to a new report released by TechCrunch yesterday, Coruna was likely in part developed by Trenchant, the hacking and surveillance tech division of American defense contractor L3Harris. TechCrunch said in its report that it spoke to two former employees of the company who confirmed that "Coruna was definitely an internal name of a component" at L3Harris. One of them even said that the "technical details" of the L3Harris component resemble some of those in Google's research.
TechCrunch reports that the other employee also confirmed that some details of Coruna released by Google research were part of a broader toolkit used internally by the company.
Google researchers discovered that the company eventually employed the toolkit in multiple campaigns. One operation involved Russian government hackers targeting a small group of Ukrainian victims through compromised websites. Later, Chinese cybercriminals used parts of the same toolkit in broader attacks aimed at stealing money and cryptocurrency, which included phishing schemes and malware distribution to exploit vulnerabilities in financial systems.
The malware scanned images for QR codes, searched text for crypto seed phrases or keywords such as “backup phrase,” and sent that information to remote command-and-control servers. In some cases, it also accessed emails and other sensitive data.
Mobile security firm iVerify estimates that the for-profit campaign alone may have compromised roughly 42,000 devices, based on traffic to the attackers’ servers.
A former Trenchant executive provided one possible explanation for the origin of Coruna. In 2025, Peter Williams, an Australian citizen who managed parts of the hacking division, pleaded guilty to stealing several cyber-exploitation tools and selling them to Operation Zero, a Russian broker that buys and sells so-called zero-day exploits.
U.S. prosecutors said Williams had “full access” to internal networks and ultimately sold eight hacking tools for about $1.3 million. He was sentenced to seven years in prison. Officials warned that the stolen software could potentially allow attackers to access “millions of computers and devices around the world.”
Security researchers now believe that leak may have helped push Coruna into a much wider ecosystem of brokers, governments, and cybercriminal groups, which could facilitate further cyberattacks and exploitation of vulnerable systems globally.
