A new tech report shows advanced hacking tools used against iPhone users in many countries. These tools might have been made by a US military contractor. Later, hackers and intelligence groups got them.
The website "TechCrunch" reported that a hacking package called Coruna may have been partly made at L3Harris Technologies. This is a US company that works in defense and intelligence tech.
Global Hacking Campaign
Google announced last week that they found advanced hacking tools used in 2025. These tools attacked iPhone users in several countries, including Ukraine and China.
The package has 23 different tools. It uses security flaws to get access. It was first used for spying for a secret government. Then, hackers linked to the Russian government used it. Later, Chinese cybercriminals used it for big operations to steal money and crypto.
Possible Link to US Defense Contractor
Sources told TechCrunch that parts of Coruna might have been made inside L3Harris's offensive and monitoring tech division. This part is known as Trenchant.
Two former employees confirmed that Coruna was used inside the company for hacking tools. They asked to not be named.
The company usually sells these technologies only to Western governments. This includes countries in the "Five Eyes" intelligence alliance. The US, Australia, Canada, New Zealand, and the UK are part of this group.
How Tools Reached Russia?
It is not fully clear how the tools moved from a Western government group to Russian hacker groups.
But investigations suggest one event may have been key.
Last year, a former manager at Trenchant, Peter Williams, was found guilty. He admitted to stealing and selling eight company hacking tools. He sold them to a Russian company called Operation Zero for $1.3 million.
This company works with "zero-day" flaws. These are unknown weaknesses in systems. Hackers can use them to break in before they are fixed.
US authorities said Williams used his full access to steal the tools. This could let users hack millions of devices worldwide.
From Russia to Other Hackers
It is thought that Operation Zero then sold the tools or parts of them to others. This includes hacker groups linked to the Russian government.
Google says a Russian spy group called UNC6353 used these tools. They hacked Ukrainian websites. iPhone users in specific areas were infected when they visited the hacked site.
Over time, the tools may have moved to other groups. Chinese hackers used them for money theft campaigns.
Link to Complex Spy Campaign
Researchers also pointed to a possible link between Coruna tools and a known hacking campaign. This campaign is called Operation Triangulation. Kaspersky Lab revealed it in 2023. It targeted iPhone users with advanced spying.
This campaign used security flaws in iOS. Two flaws were known as Photon and Gallium.
Difficulty Identifying Who Is Responsible
Despite these clues, cybersecurity experts say it is hard to know exactly who made or used the tools.
Boris Larin, a researcher at Kaspersky, said using the same flaws is not enough to blame one group. This is especially true after the flaws' details were made public. Anyone can use them.
However, this case shows the growing risk of advanced hacking tools leaking. They move from government groups to the black market. There, they can become digital weapons for spying or cybercrime globally.