From State Secrets to Street Scams: How Top-Tier Spyware Escaped Into the Wild
Elite government-grade iOS hacking tools Coruna and DarkSword are now fueling global cybercrime after catastrophic leaks.
In a twist stranger than fiction, the same cyberweapons once wielded by intelligence agencies are now freely circulating on the internet - empowering everyone from nation-state hackers to petty cyberthieves. The recent leaks of Coruna and DarkSword, two sophisticated iOS exploit kits, have collapsed the boundaries between espionage, organized crime, and opportunistic hackers, raising the stakes for organizations worldwide.
The saga starts with Coruna, a high-grade mobile exploit kit bristling with zero-day vulnerabilities. Originally crafted, according to researchers, by the hacking arm of a US military contractor, Coruna first surfaced in the infamous Operation Triangulation campaign - an audacious espionage effort that compromised thousands of targets in Russia, including Kaspersky Lab staff and diplomatic missions. Russia’s FSB pointed fingers at the NSA, even hinting at Apple’s complicity, but attribution remains murky.
In parallel, DarkSword emerged from the Gulf region, likely the handiwork of now-defunct surveillance firm DarkMatter Group. Both tools were intended for elite intelligence operations, but things quickly spun out of control. Coruna and DarkSword made their way onto the secondary market - sold, resold, and ultimately acquired by the enigmatic Russian state actor UNC6353. The group unleashed these kits in watering hole attacks across Ukraine, targeting everything from industrial vendors to news agencies in war-torn Donbas.
The real disaster struck when DarkSword was leaked to GitHub, putting the power of nation-state hackers into the hands of anyone with an internet connection. Google’s threat analysts and researchers at iVerify tracked Coruna and DarkSword as they morphed in the wild. Chinese crime rings stripped out geo-restrictions and repurposed the exploits for broad cryptocurrency theft campaigns, while both kits were customized by various threat actors for everything from espionage to financial fraud.
The technical sophistication is staggering: Coruna alone leverages 23 vulnerabilities across five exploit chains, a toolkit that would cost tens of millions to develop from scratch. Yet now, even “lowly” cybercriminals have access to these weapons. The consequences are immediate - compromised iPhones, stolen credentials, and potential corporate breaches on a scale never seen before. Security experts warn that unless organizations update devices and adopt advanced mobile defense tools, they remain sitting ducks, regardless of how much they spend on traditional cybersecurity.
The line between government secrets and criminal tools has never been thinner. As these elite exploits spill into the public domain, every organization - no matter how small - must reckon with threats once reserved for spies and soldiers. In the new cyber arms race, complacency is not an option.
WIKICROOK
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it both highly valuable to attackers and dangerous.
- Exploit kit: An exploit kit is software that scans devices for vulnerabilities and automatically delivers malware if a weakness is found, enabling efficient cyberattacks.
- Watering hole attack: A watering hole attack is when hackers infect trusted websites to target specific users, spreading malware to visitors without their knowledge.
- Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
- Credential theft: Credential theft occurs when hackers steal usernames and passwords, often via phishing or data breaches, to illegally access online accounts.