The “Coruna” Code Clash: Kaspersky Challenges Google Over the Origins of a Multi-Million Dollar iOS Arsenal
Kaspersky Lab has categorically repudiated the hypothesis that the iPhone exploit framework, recently delineated by Google, was engineered by the same architects responsible for the vulnerability chains weaponized in the “Operation Triangulation” campaign of 2023. The corporation’s paramount argument is that the promulgated materials exhibit absolutely no forensic evidence of actual code reuse; consequently, correlating the Coruna suite with those specific developers is fundamentally erroneous.
Earlier this week, the Google Threat Intelligence Group (GTIG) promulgated a comprehensive dossier detailing Coruna—an exquisitely sophisticated constellation of iOS exploits which, according to their analysts’ calculus, was likely wielded by commercial purveyors of surveillance software and state-aligned syndicates alike. According to Google’s intelligence, infection could be triggered merely by visiting a compromised website. The arsenal encompassed 23 distinct vulnerabilities afflicting iOS versions 13 through 17.2.1, alongside five fully realized exploitation chains. Google initiated its surveillance of Coruna in February 2025, following the interception of fragments from an exploitation chain deployed by a client of a commercial surveillance enterprise.
The GTIG’s publication precipitously ignited fervent discourse surrounding the instrument’s potential provenance. Certain experts hypothesized a nexus with American state apparatuses. Rocky Cole, the co-founder of iVerify, declared to Wired following his dissection of the source code that the framework’s development likely required a multi-million dollar investment and “bears the unmistakable hallmarks” of modules historically and publicly tethered to the United States government. Cole further posited that this might represent the inaugural, prominent instance wherein armaments ostensibly linked to the United States have “slipped the leash” and are now being weaponized by adversaries and cybercriminal syndicates.
Particular scrutiny was aroused due to the overlap of specific vulnerabilities with those weaponized in “Operation Triangulation.” This latter operation was publicly chronicled by Kaspersky Lab in 2023, at which juncture the Russian Federal Security Service (FSB) attributed the assault to the United States National Security Agency. The GTIG dossier specifically references CVE-2023-32434 and CVE-2023-38606—vulnerabilities internally designated as “Photon” and “Gallium”—both of which were integral to the exploit matrix mobilized in “Operation Triangulation.” However, Boris Larin, a prominent researcher at Kaspersky GReAT, emphatically underscored that a mere coincidence of CVEs does not denote a shared authorship. He elucidated that both vulnerabilities had already seen public proof-of-concept realizations; therefore, “any sufficiently formidable team” possesses the capability to architect proprietary exploits without requiring access to the original “Triangulation” source code. He reiterated that there exists absolutely “no evidence of actual code reuse” within the published reports.
Google, for its part, characterizes Coruna as an instrument wielded by disparate operators for vastly differing objectives. This phenomenon potentially points toward a vibrant, yet inadequately mapped, secondary market dedicated to the brokering and resale of zero-day exploits to the most affluent of patrons. The GTIG traces one specific operational trajectory to the summer of 2025, during which the malicious JavaScript framework was embedded within Ukrainian web properties and surreptitiously loaded via a concealed iframe, with payload delivery strictly geofenced to iPhone users within a specified territory. By the twilight of 2025, Google’s telemetry indicated an analogous framework was being hosted across a vast archipelago of fraudulent Chinese websites dedicated to finance and cryptocurrency, where visitors were aggressively coerced into accessing the portals specifically via iOS devices.
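As an added, defender-side example that is not part of this article or of GTIG’s publication: a static heuristic a site owner can run over their own HTML to flag iframes hidden from the visitor and pointing off-site, the injection pattern described above. The HTML, origins and paths below are constructed placeholders.

```javascript
// Constructed sample page: one legitimate embed and three hidden iframes.
const SAMPLE_HTML = `
<html><body>
<h1>News</h1>
<iframe src="https://video.example-cdn.net/embed/1" width="640" height="360"></iframe>
<iframe src="https://placeholder-loader.invalid/a.js" style="display:none"></iframe>
<iframe src="/local/widget" width="0" height="0"></iframe>
<iframe src="https://placeholder-loader.invalid/b" style="position:absolute;left:-9999px"></iframe>
</body></html>`;

// Pull name="value" / name='value' / name=value pairs out of one tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Heuristics for "present in the DOM but invisible to the user".
function isHidden(attrs) {
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  if (/display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)) return true;
  if (/(left|top):-\d{3,}px/.test(style)) return true;        // pushed off-screen
  const w = parseInt(attrs.width, 10), h = parseInt(attrs.height, 10);
  if ((Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1)) return true;
  return /(width|height):0(px)?(;|$)/.test(style);
}

// Returns every hidden iframe with a src, noting whether it is cross-origin
// relative to pageOrigin (a hidden cross-origin frame is the highest-priority hit).
function findSuspiciousIframes(html, pageOrigin) {
  const hits = [];
  const base = new URL(pageOrigin).origin;
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src) continue;
    let origin;
    try { origin = new URL(attrs.src, pageOrigin).origin; } catch { continue; }
    if (isHidden(attrs)) hits.push({ src: attrs.src, crossOrigin: origin !== base });
  }
  return hits;
}
```

The check is a triage aid for crawled or archived copies of a site, not proof of compromise: hidden frames have legitimate uses, so each hit still needs a look at what the frame loads.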
An ancillary detail lending credence to the theory of foreign provenance is the presence of Anglophone codenames affixed to the exploits—a revelation GTIG secured following an operational blunder by one of the assailants, wherein a debugging iteration of the software was inadvertently deployed, laying bare its internal nomenclature. Among the examples cited by Google are the WebKit vulnerability CVE-2024-23222, internally christened “cassowary,” and the kernel flaw CVE-2020-27932, designated “Neutron.” In the concluding remarks of its coverage, The Register disclosed that its editorial board had formally petitioned the NSA for comment, whilst Google has published the granular technical mechanics of Coruna alongside a comprehensive registry of indicators of compromise upon its official blog.