Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

A mass hacking campaign targeting iPhone users in Ukraine and China used tools likely designed by US military contractor L3Harris, TechCrunch has learned. The tools, which were intended for Western spies, ended up in the hands of various hacking groups, including Russian government spies and Chinese cybercriminals.
Google revealed last week that over the course of 2025 it discovered a sophisticated iPhone hacking toolkit that had been used in a series of attacks around the world. The toolkit, dubbed "Coruna" by its original developer, consists of 23 distinct components that were first used "in highly targeted operations" by an unnamed government customer of an unspecified "surveillance vendor." It was then used by Russian government spies against a small number of Ukrainians, and finally by Chinese cybercriminals "in large-scale campaigns" aimed at stealing money and cryptocurrency.
Researchers at mobile security company iVerify, which analyzed Coruna independently, said they believe it may originally have been built by a company that sold it to the US government.
Two former employees of government contractor L3Harris told TechCrunch that Coruna was developed, at least in part, by the company's hacking and surveillance technology division, Trenchant. The former employees had knowledge of the company's iPhone hacking tools. Both spoke on condition of anonymity because they are not allowed to discuss their work at the company.
"Coruna was definitely an internal name for a component," said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.
“Given the technical details, a lot of it is familiar,” this person said, referring to some evidence published by Google.
The former employee said Trenchant's overall toolkit included several distinct components, among them Coruna and related malware. The second former employee confirmed that some of the details in the published hacking kit came from Trenchant.
L3Harris sells Trenchant's hacking and surveillance tools exclusively to the US government and its allies in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand and the UK. Given Trenchant's limited pool of customers, it is likely that Coruna was originally acquired and used by one of those governments' intelligence agencies before it fell into unintended hands, although it is unclear how much of the published Coruna toolkit was developed by L3Harris Trenchant.
An L3Harris spokesperson did not respond to a request for comment.
It is unclear how Coruna moved from the hands of a Five Eyes government contractor to a Russian government hacking group and then to a Chinese cybercrime gang.
But some of the circumstances resemble the case of Peter Williams, a former general manager at Trenchant. From 2022 until his resignation in mid-2025, Williams sold eight of the company's hacking tools to Operation Zero, a Russian company that offers millions of dollars for zero-day vulnerabilities, i.e. vulnerabilities unknown to the affected vendor.
Williams, a 39-year-old Australian citizen, was sentenced to seven years in prison last month after admitting that he stole eight hacking tools from Trenchant and sold them to Operation Zero for $1.3 million.
The US government said Williams, who took advantage of having "full access" to Trenchant's networks, "betrayed" the United States and its allies. Prosecutors accused him of leaking tools that would have allowed those who used them to "potentially access millions of computers and devices around the world," suggesting that the tools relied on vulnerabilities affecting widely used software such as iOS.
Operation Zero, which was sanctioned by the US government last month, claims to work exclusively with the Russian government and local companies. The US Treasury Department said the Russian broker sold the "stolen Williams tools to at least one unauthorized user."
This would explain how the Russian spy group, which Google identifies only as UNC6353, acquired Coruna and planted it on hacked Ukrainian websites so that it could compromise the iPhones of some users in a specific geographic area who unwittingly visited the malicious sites.
It is possible that once Operation Zero acquired Coruna and, potentially, sold it to the Russian government, the broker then resold the toolkit to someone else, perhaps another broker, another country, or even cybercriminals directly. The Treasury Department alleged that a member of the Trickbot ransomware gang worked with Operation Zero, linking the broker to financially motivated hackers.
At that point, Coruna may have passed through other hands until it reached Chinese hackers. According to US prosecutors, Williams identified code he wrote and sold to Operation Zero that was later used by a South Korean broker.

Two specific Coruna kernel exploits, called Photon and Gallium by the original developers, were used as zero-days in Operation Triangulation, a sophisticated hacking campaign that allegedly targeted Russian iPhone users, Google researchers wrote on Tuesday. Operation Triangulation was first revealed by Kaspersky in 2023.
Rocky Cole, co-founder of iVerify, told TechCrunch that "the best explanation based on what is known now" is that Trenchant and the US government were the original developer and customer of Coruna, though Cole added that he is not claiming this "definitively."
He said this assessment rests on three factors: the timeline of Coruna's use lines up with Williams' leaks; the structure of three of the modules found in Coruna (Plasma, Photon and Gallium) bears strong similarities to Triangulation; and Coruna reused some of the same vulnerabilities exploited in that operation.
According to Cole, "people close to the defense community" claim that Plasma was used in Operation Triangulation, "although there is no public evidence of this." (Cole previously worked for the US National Security Agency.)
According to Google and iVerify, Coruna was designed to compromise iPhones running iOS 13 through iOS 17.2.1, versions released between September 2019 and December 2023. Those dates line up with the timeline of some of Williams' leaks and with the discovery of Operation Triangulation.
One former Trenchant employee told TechCrunch that when Triangulation was first revealed in 2023, other employees at the company believed that at least one of the zero-days captured by Kaspersky "was from us, and was likely cut out" from the broader project that included Coruna.
Another breadcrumb pointing to Trenchant, as security researcher Costin Raiu noted, is the use of bird names for some of the 23 components, such as Cassowary, Terrorbird, Bluebird, Jacurutu and Sparrow. In 2021, The Washington Post revealed that Azimuth, one of the two startups later acquired by L3Harris and merged into Trenchant, sold a hacking tool called Condor to the FBI in the infamous San Bernardino iPhone-cracking case.
After Kaspersky published its research on Triangulation, Russia's Federal Security Service (FSB) accused the NSA of hacking "thousands" of iPhones in Russia, targeting diplomats in particular. A Kaspersky spokesperson said at the time that the company had no information about the FSB's allegations, but noted that the "indicators of compromise" (that is, the evidence of a hack) identified by Russia's National Coordination Center for Computer Incidents (NCCCI) were the same indicators Kaspersky had identified.
Boris Larin, a security researcher at Kaspersky, told TechCrunch in an email that "despite our extensive research, we are unable to attribute Triangulation to any known APT (advanced persistent threat) group or exploit development company."
Larin explained that Google linked Coruna to Triangulation because both exploit the same two vulnerabilities, Photon and Gallium.
"Attribution cannot be based solely on the fact that these vulnerabilities were exploited. All the details of these two vulnerabilities have been publicly available for a long time," he added, meaning anyone could have made use of them. He also said that the two shared vulnerabilities are "just the tip of the iceberg."
Kaspersky has never publicly accused the US government of being behind Triangulation. Curiously, the logo the company created for the campaign, an Apple logo made up of several triangles, is reminiscent of the L3Harris logo and of Trenchant's own logo, which consists of two triangles. That may not be a coincidence: Kaspersky has previously declined to publicly attribute a hacking campaign while quietly signaling that it knew who was behind it, or who had provided the tools for it.
In 2014, Kaspersky announced that it had caught a sophisticated and elusive government hacking group known as "Careto" (Spanish for "mask"). The company said only that the hackers spoke Spanish. But the mask illustration it used in its report included the red and yellow of the Spanish flag, bull horns and a nose ring, and castanets.
As TechCrunch revealed last year, Kaspersky researchers privately concluded that "there is no doubt," as one of them put it, that Careto was run by the Spanish government.
On Wednesday, cybersecurity journalist Patrick Gray said in an episode of his podcast "Risky Business" that, based on the "bits and pieces" he was confident of, he believed that what Williams leaked to Operation Zero was the hacking kit used in the Triangulation campaign.
Apple, Google and Operation Zero did not respond to requests for comment.
This post was originally published on March 9 at 6:56pm PT