Coruna, DarkSword & Democratizing Nation-State Exploit Kits

ENDPOINT SECURITY MOBILE SECURITY VULNERABILITIES & THREATS THREAT INTELLIGENCE NEWS Coruna, DarkSword & Democratizing Nation-State Exploit Kits Nation-state malware is being sold on the Dark Web and leaked to GitHub; and ordinary organizations might not stand much of a chance of defending themselves. Nate Nelson,Contributing Writer March 26, 2026 6 Min Read SOURCE: NEDIM BAJRAMOVIC VIA ALAMY STOCK PHOTO Coruna, a high-grade mobile exploit kit armed with zero-day vulnerabilities for high-level espionage efforts, turns out to have links to 2023's Operation Triangulation spyware campaign, researchers say. And it has now, along with a similar toolkit, DarkSword, fallen into the hands of cybercriminals and a mysterious Russian state actor called UNC6353. To make matters worse, DarkSword has also been leaked to GitHub this week, which puts it within reach of even the most under-resourced, financially motivated cybercriminals out there — and organizations need to be on alert. Rocky Cole — co-founder of iVerify, which has examined both kits — tells Dark Reading that the malware that developed into Coruna was likely created by the hacking and surveillance division of a US military contractor, L3Harris (L3Harris did not immediately return a request for comment from Dark Reading). Meanwhile, DarkSword, a separate spyware tool with a remarkably similar story, was likely developed in the Gulf region, Cole says — possibly by the DarkMatter Group, or individuals who once worked there before it went belly up.  Related:Is the FCC's Router Ban the Wrong Fix? "In the case of Coruna, it was very likely a government contractor who sold it to zero-day brokers," Cole suggests. "In the case of DarkSword, I think it's possible the firm [that developed it] went defunct and offloaded it to try to salvage some investment. And so either way, it made its way onto the secondary market for resale, and then from there fell into the hands of Russian state operators." UNC6353 has been deploying both tools in watering hole attacks in Ukraine against commercial targets — like industrial and retail vendors — and targets more specifically relevant to its ongoing war, like local services, and a news agency in the contested Donbas region. DarkSword, researchers say, has been deployed by multiple surveillance companies and suspected state-sponsored threat actors, against targets in places like Saudi Arabia, Turkey, Malaysia, and Ukraine. And ever since it leaked, random Internet users are experimenting with it too. Coruna Linked to Operation Triangulation Early in 2023, Kaspersky was carrying out its daily cybersecurity business when it noticed anomalous behavior. The behavior wasn't affecting a customer, but rather its own employees' devices. The monster was inside of the house. That turned out to be the first evidence of "Operation Triangulation," a four-year spying operation that affected thousands of individuals in Russia. Targets included dozens of senior Kaspersky employees, plus diplomatic missions and embassies in the country. Russia's Federal Security Service (FSB) attributed the attack to the United States' National Security Agency (NSA) and even accused Apple of colluding on the effort.   Related:Ransomware's New Era: Moving at AI Speed Fast forward half a decade, and iVerify researchers said they found evidence that the malware used in Operation Triangulation had clear and unmistakable overlaps with the newly discovered Coruna iOS exploit kit. And after brushing off the overlaps in an interview earlier in this month, Kaspersky now reports that upon further analysis, it also believes Coruna is very much an outgrowth of Operation Triangulation. The malware has since incorporated four new iOS kernel exploits, Kaspersky researchers noted, making for a total of five exploit chains that span 23 CVEs. Different threat actors have also been customizing that chassis with different delivery mechanisms and final payloads that suit their particular goals.  "The big difference between kits like Coruna and DarkSword and other top-tier iOS spyware is that both of the former tools had additional code added to them by an unknown party to introduce financial theft and cryptocurrency capabilities," Justin Albrecht, principal researcher at Lookout, explains.  Related:Cylake Offers AI-Native Security Without Relying on Cloud Services For instance, Coruna was once used only against specific individuals, but UNC6353 planted it in invisible iframes on compromised Ukrainian websites, and Chinese threat actors — tracked as UNC6691 — stripped the geo restrictions and just spread it broadly across cryptocurrency scam sites, according to Google Threat Intelligence.  UNC6691's version also sported a final payload customized for crypto theft, far flung from the original Coruna's purpose, according to Google: "It’s not known whether the additional code was accomplished by the second-hand broker, or by the threat actors themselves, but we consider it highly likely that both Coruna and DarkSword were acquired and then modified to conduct financial theft as well as espionage." So, altogether: the malware that birthed Operation Triangulation and Coruna seems to have been developed for the US government, according to Cole and Kaspersky (Google has avoided attribution), and it was first spotted in an espionage campaign against Russia; but now it has been shared more widely. Beyond UNC6353, Coruna and DarkSword have also been deployed by multiple commercial spyware operations, other suspected state-sponsored groups, and notably, even lowly Chinese cryptocurrency stealer rings. And things are about to get messier. High-End iOS Exploit Kits Reach Cybercriminals Coruna isn't the first government cyberattack tool that ended up in Russian hands, and DarkSword is only the latest in a long line of commercial surveillance-ware deployed by non-nation-state bad actors. What's different this time is that these tools are leaking even one level further, to lower-level financially-motivated groups. Google tracked a Coruna campaign tied to scammers based in China and, more to the point, DarkSword was leaked to GitHub just a few days ago, allowing anyone off the street to compromise Apple devices just like the NSA and FSB do. Albrecht argues that it's not so surprising that malware used by the Russian government would end up in criminal possession.  "We should consider Russia’s well documented use of criminal proxy groups to target Ukraine and to conduct financial theft," he says in an interview. "The relationship between Russian Intelligence organizations and various Russian cybercriminal groups, such as a partnership between RomCom and Trickbot, essentially functions as a modern-day privateer model," so there's a lot of exchange between the two sides. The effect in the end is almost comical: middling cybercriminals with the power of government spy agencies. As Cole points out, "Coruna has 23 vulnerabilities across five [exploit] chains. It probably costs $30 million to $40 million to develop something like that," a far cry from any malware ever developed outside of government circles. Which Organizations Are at Risk From Government Spyware? If premium spyware continues to leak to financially motivated threat actors, organizations which might otherwise consider themselves outside of the purview of nation-state advanced persistent threats (APTs) might need to start preparing for a level of threat they've never faced before. Albrecht advises that executives start shopping now for more advanced mobile protections and visibility tools. "Consider that malware like this pulls entire keychains and credentials off of the device in minutes," he says. "At this point the risk isn’t only to the mobile device itself, because the attacker now has credentials and can merely log in [to the corporate network]. They have all Wi-Fi credentials, so their level of access and potential for lateral movement is elevated. Without visibility and protection on the iOS devices there’s no protection beyond what the OS provides to stop these attacks, and there’s certainly no visibility to know how and where the attack started." Cole puts the threat in even starker terms. He notes that while Apple has patched the vulnerabilities exploited by these spyware tools in its latest versions of iOS, anyone who hasn't updated is still vulnerable. "DarkSword still works in iOS 18. And 25% of iOS users still run 18, and this tool is on GitHub for anyone to access," he warns. So companies can buy all the cybersecurity programs they'd like, but if an employee walks into work with an old iPhone, it won't matter much. "DarkSword, in particular, accesses the keychain on an iPhone and steals passwords. And we have seen it being used to log into corporate systems." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like ENDPOINT SECURITY eSIM Bug in Millions of Phones Enables Spying, Takeover by Nate Nelson, Contributing Writer JUL 10, 2025 ENDPOINT SECURITY We've All Been Wrong: Phishing Training Doesn't Work by Nate Nelson, Contributing Writer JUL 01, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 ENDPOINT SECURITY Qakbot Resurfaces in Fresh Wave of ClickFix Attacks by Elizabeth Montalbano, Contributing Writer MAR 31, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE