Kaspersky dismisses claims Coruna iPhone exploit kit is connected to NSA-linked operation

Russian cybersecurity outfit Kaspersky is waving away claims that an iPhone exploit kit recently uncovered by Google was developed by the same people behind a set of zero-days that allegedly compromised the phones of thousands of Russian diplomats in a 2023 campaign.

After Google's Threat Intelligence Group (GTIG) published its findings on the Coruna exploit kit this week, some experts were quick to point fingers at the National Security Agency, suggesting it was behind the attacks seen in Ukraine and China over the past 12 months.

GTIG made no such suggestion itself. But the overlap between some of the vulnerabilities used in 2023's Operation Triangulation, which Moscow alleged was a National Security Agency job, and those that make up Coruna raised questions about how involved the US was in the development and/or use of the exploit kit.

Rocky Cole, cofounder of iVerify, told Wired after reviewing Coruna's code that he believed the US may have been behind Coruna's development. "It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government," he said. "This is the first example we've seen of very likely US government tools – based on what the code is telling us – spinning out of control and being used by both our adversaries and cybercriminal groups."

However, Boris Larin, principal security researcher at Kaspersky GReAT, told The Register on Wednesday: "We see no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors."

What is Coruna?

In a report published on Tuesday, Google said that around a year ago it identified a highly sophisticated and previously unknown iPhone exploit kit, perhaps used by commercial spyware vendors and/or state-sponsored hackers, that could fully compromise a device when its user merely visited a booby-trapped website.
Internally known as Coruna, the kit comprises 23 distinct vulnerabilities targeting iOS versions 13 through 17.2.1 (released in September 2019 and December 2023 respectively), which are assembled into five unique full exploit chains. The company first started tracking Coruna in February 2025, after capturing "parts of an iOS exploit chain used by a customer of a surveillance company."

Through various campaigns since then, GTIG learned more about its makeup, with the most advanced exploits using non-public techniques bundled into novel JavaScript frameworks to pwn iPhones. Across those campaigns, researchers said they had seen Coruna used by unrelated groups for very different ends, which they say points to an active, underexplored market for second-hand zero-days catering to the most well-resourced buyers.

Suggesting some degree of Russian use, in summer 2025 GTIG saw campaigns targeting Ukrainian websites covering matters such as industrial equipment, local services, and ecommerce. The JavaScript framework was hosted on a separate website that was loaded as a hidden iframe on these compromised sites, and the exploits were only delivered to selected iPhone users from a "specific geolocation," GTIG said.

At the end of 2025, the same framework was also being hosted by "a very large set of fake Chinese websites," most of which related to finance and cryptocurrency. The sites were crafted to lure users into visiting them on their iOS devices; once a page loaded, the hidden iframe pulled in the framework and the exploit kit was delivered to the visitor's phone.

English language raises questions

One of the main turning points in Coruna's discovery came when GTIG spotted that one operator of the exploit kit had deployed its debug build, which revealed all the exploits that comprise Coruna. That also showed the researchers that every exploit's codename was written in English.
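The hidden-iframe delivery described above is something a site owner or incident responder can check for in a page's HTML. The following is an added example, not code from GTIG's report or from the article: it collects every iframe on a page, keeps those whose source is a third-party host, and flags the ones styled so the visitor would never see them. The heuristics, the hostnames and the sample page are all constructed for illustration and are not indicators from the Coruna campaigns.

```python
"""Flag hidden iframes that pull in a third-party origin, the delivery pattern
described in the article. Added example; heuristics, hostnames and sample HTML
are constructed here, not taken from GTIG's report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an element effectively invisible.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])"       # opacity:0 but not opacity:0.5
    r"|(?:left|top)\s*:\s*-\d{3,}",    # parked far off-screen
    re.I,
)
_STYLE_DIM = re.compile(r"(?:width|height)\s*:\s*(\d+)(?:px)?", re.I)


def is_hidden(attrs):
    """True if iframe attributes describe an element the user would not see."""
    style = attrs.get("style") or ""
    if "hidden" in attrs or _HIDDEN_STYLE.search(style):
        return True
    # width="0" / height="1" attributes, or the same via inline CSS
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().removesuffix("px")
        if value in ("0", "1"):
            return True
    return any(int(m.group(1)) <= 1 for m in _STYLE_DIM.finditer(style))


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))  # boolean attrs map to None


def find_suspicious_iframes(html, page_host):
    """Return src URLs of hidden iframes whose host is neither page_host nor a subdomain of it."""
    page_host = page_host.lower()
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # relative src: same origin, not the pattern we want
        if host == page_host or host.endswith("." + page_host):
            continue  # first-party widget, e.g. a consent banner
        if is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed page for a fictional industrial-equipment shop; the last iframe
# models an injected loader. None of these hosts are real indicators.
SAMPLE_HTML = """
<html><body>
<h1>Industrial pumps catalogue</h1>
<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>
<iframe src="/account/widget" style="display:none"></iframe>
<iframe src="https://cdn.pumps.example/consent" style="display:none"></iframe>
<iframe src="https://loader.example/fw.html" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in find_suspicious_iframes(SAMPLE_HTML, "pumps.example"):
        print("hidden third-party iframe:", url)
```

Two caveats follow from the article itself. Because the framework only fired for selected visitors from a chosen geolocation, fetching the loader URL from an analyst's machine will usually return nothing; the presence of the hidden iframe on the compromised page, not the payload, is the signal. And an attacker can just as easily insert the iframe from script at runtime, so run the same check over a rendered DOM snapshot (a headless browser dump) as well as the static HTML, and compare any third-party hosts you find against the IOCs GTIG published.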
CVE-2024-23222 (8.8), a WebKit bug, was codenamed "cassowary," for example, and CVE-2020-27932 (7.8), a kernel type confusion flaw, was referred to as "Neutron," to name only two.

The crossover with Operation Triangulation

Of particular interest were CVE-2023-32434 (7.8) and CVE-2023-38606 (5.5), codenamed Photon and Gallium respectively: two of the four zero-days that underpinned Operation Triangulation. Triangulation was itself publicized by Kaspersky in 2023, and the FSB alleged at the time that it was a National Security Agency job.

It remains entirely possible that Photon and Gallium were lifted from the Triangulation exploit package and added to Coruna after Kaspersky exposed the attacks, or that equally talented attackers independently re-implemented the same two bugs.

iVerify's Cole was among those who publicly raised questions about US involvement, although Kaspersky's Larin dismissed this.

"[Photon and Gallium] are not trivial bugs – we know that firsthand," Larin said. "CVE-2023-32434 gives an attacker full control over the deepest layer of iOS – the kernel, which governs everything the phone does. CVE-2023-38606 goes a step further: it exploited a previously undocumented feature of Apple's own chips to bypass security protections that operate at the hardware level.

"But a vulnerability is not a component. Both CVEs now have publicly available implementations – any sufficiently skilled team could write their own exploits without ever seeing the Triangulation code. We see no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors."

The Register has asked the NSA for comment.

GTIG provided full technical details of how the exploit kit executes, along with indicators of compromise (IOCs), via its blog post on Coruna. ®