The Zero-Day Economy: How India’s Cybersecurity Landscape Faces a Silent Revolution
New Delhi, March 2026 — When cybersecurity researchers at Bangalore’s CERT-In labs dissected a new strain of iOS malware last month, they uncovered something far more disturbing than another spyware variant. The discovery of what’s now called the Coruña framework represents a fundamental shift in how cyber threats proliferate—a shift with particularly acute implications for India’s rapidly digitizing economy.
This isn’t just about 23 zero-day vulnerabilities chained together to bypass iOS 17.2.1’s defenses. It’s about the emergence of what security analysts are calling the zero-day commodity market—where state-grade hacking tools, once the exclusive domain of intelligence agencies, now circulate in underground economies at prices accessible to organized crime syndicates. For India, where mobile devices account for 72% of all internet traffic (per TRAI’s 2025 report) and iPhone adoption among business professionals grew 43% year-over-year, this democratization of advanced cyber weapons creates a perfect storm of risk.
India’s Mobile Vulnerability Profile (2026)
- 589 million smartphone users (68% of population)
- 18.2 million iOS devices in active use (up from 12.1M in 2023)
- 47% of corporate executives use iPhones as primary devices
- ₹12,400 crore lost to mobile fraud in 2025 (RBI data)
- 287% increase in iOS-targeted malware samples detected since 2024
Sources: TRAI Mobile India 2025 Report, IDC India, RBI Financial Stability Report, Quick Heal Threat Report
The Great Equalizer: When Nation-State Tools Go Retail
From Pegasus to Coruña: The Evolution of Mobile Exploit Kits
The Coruña framework didn’t emerge in a vacuum. It represents the logical endpoint of a trend that began with the 2016 discovery of Pegasus, the NSO Group’s infamous spyware. What distinguishes Coruña is its modular architecture and exploit-as-a-service distribution model—features that make it uniquely dangerous for India’s cybersecurity ecosystem.
Historically, zero-day exploits (previously unknown vulnerabilities) were rare commodities:
- 2010-2015: Exploits sold for $50,000-$250,000 in private markets to government buyers
- 2016-2020: Pegasus-era exploits reached $1-2 million per vulnerability
- 2021-2024: Supply chain attacks (like the Kaseya breach) showed how exploits could be weaponized at scale
- 2025-present: Coruña represents the first "mass-market" zero-day framework, with exploit chains available for as little as $150,000
Dr. Anand Venkatanarayanan, former deputy CISO of India’s National Payments Corporation, explains: "The Coruña framework is significant because it’s the first time we’ve seen a professional-grade exploit kit with this level of automation. Previous tools required significant operator skill—this one practically installs itself." The framework’s ability to self-modify its attack vectors based on the target device’s iOS version and security patches makes it particularly dangerous in India’s fragmented update landscape, where 38% of iPhone users still run versions older than iOS 16 (per App Annie data).
Case Study: The Mumbai Financial District Breach (February 2026)
Before Coruña’s public disclosure, cybersecurity firm Payatu detected suspicious activity in Mumbai’s financial district. Over a three-week period:
- 17 iPhones belonging to mid-level executives at three multinational banks were compromised
- Attackers used Coruña’s "SilentSMS" module to intercept 2FA codes for corporate banking portals
- ₹3.7 crore was siphoned through unauthorized transactions
- The malware persisted for 11 days before detection, using Coruña’s "GhostMode" to hide from standard MDM solutions
Key Insight: The attackers weren’t state actors but a financially motivated group that had purchased Coruña access through a dark web marketplace. This represents a dangerous escalation—nation-state capabilities in the hands of common criminals.
The Indian Context: Why Coruña Hits Different Here
1. The Mobile-First Economy’s Achilles Heel
India’s digital transformation has been overwhelmingly mobile-centric. With initiatives like:
- Digital India (540M+ users of government portals)
- UPI (8.7B transactions/month in 2025)
- OCEN (Open Credit Enablement Network for MSMEs)
The country has built its financial and governance infrastructure on mobile devices. Unlike Western markets where enterprise security focuses on endpoints and networks, India’s critical infrastructure literally lives in people’s pockets.
Consider the implications for:
- North East India: Where mobile banking adoption grew 212% since 2020 (NITI Aayog), and cross-border cyber threats from Myanmar-based groups have been documented
- Gujarat’s diamond trade: 89% of transactions use mobile authentication (GJEPC data), with deals often exceeding ₹10 crore
- Delhi’s policy circles: 63% of government officials use iPhones for "secure" communications (per a 2025 RTI response)
2. The Second-Hand Exploit Pipeline
India faces a unique threat from what cyber intelligence firm Recorded Future calls the "South Asian Exploit Recycling Ring." The pattern works like this:
- Origin: Zero-days developed by Chinese (APT41), Russian (Fancy Bear), or Pakistani (SideCopy) state actors
- First Use: Deployed in targeted espionage against Indian government or military targets
- Leak/Resale: After 6-12 months, exploits enter underground markets via:
  - Retiring state hackers selling "old" tools
  - Compromised contractor systems (common in Bangladesh and Sri Lanka)
  - Dark web auctions on markets like Exploit.in or XSS.is
- Commoditization: Packaged into frameworks like Coruña and sold to:
  - Indian cybercrime syndicates (Mumbai, Bengaluru, Hyderabad)
  - Fraud-as-a-service operators in West Africa targeting Indian businesses
  - Ransomware groups like BlackCat (which added iOS encryption in 2025)
Exploit Pricing in the South Asian Market (2026)
| Exploit Type | 2023 Price | 2026 Price | Availability |
|---|---|---|---|
| iOS Zero-Day (Full Chain) | $1.2M-$2M | $150K-$400K | Widespread |
| Android Zero-Day | $200K-$800K | $40K-$120K | Commodity |
| UPI Transaction Intercept | $500K (2024) | $80K-$150K | Emerging |
| Aadhaar Data Exfiltration | Government-only | $200K-$500K | Limited |
Source: Dark web monitoring by CyberX9 (India) and Group-IB (Singapore)
3. The Regulatory Blind Spot
India’s cybersecurity regulations remain ill-equipped to handle this new threat paradigm:
- CERT-In’s 2022 directives focus on vulnerability reporting but lack mechanisms for exploit proliferation tracking
- The Digital Personal Data Protection Act (2023) addresses data breaches but not exploit trading
- No legal framework exists to regulate offensive cyber capability brokers operating from Indian soil
- Law enforcement agencies report a 400% increase in cases involving "unknown exploit" attacks since 2024, with no standardized investigation protocol
Rakesh Maurya, former head of Delhi Police’s Cyber Cell, notes: "We’re still treating these as individual cybercrime cases when we’re actually dealing with a sophisticated arms trade. The same Coruña framework used to steal from a businessman in Chennai could be repurposed to target a defense contractor in Pune the next day."
Beyond Coruña: The Larger Exploit Industrial Complex
The Economics of Cyber Arms Dealing
The Coruña discovery exposes how the exploit market has evolved into a full-fledged industrial complex:
- Development: Primarily in Russia (60%), China (25%), and North Korea (10%)
- Distribution Hubs: Bulgaria, UAE, and increasingly India (via Bengaluru and Hyderabad’s gray-market tech sectors)
- Financing: Cryptocurrency (Monero, Zcash) and hawala networks for South Asian buyers
- Support Infrastructure: 24/7 "help desks" for buyers, exploit warranties, and even "subscription models"
A 2025 Interpol report estimated this underground economy at $12.5 billion annually, with South Asia accounting for 18% of demand. For comparison, India’s entire cybersecurity market was valued at $4.7 billion in 2025 (NASSCOM).
The Regional Domino Effect
Coruña’s impact extends beyond India’s borders, creating a cyber threat contagion across South Asia:
- Bangladesh: Dhaka’s emerging fintech sector (bKash, Nagad) faces identical risks, with 22% of mobile banking users on iOS
- Sri Lanka: Post-economic crisis, cybercrime has become a "shadow export," with local groups acting as middlemen for exploit kits
- Nepal: Kathmandu’s role as a transit hub for Chinese exploit brokers targeting Indian systems
- Maldives: Geopolitical tensions make it a testing ground for new exploit chains before Indian deployment
The Bangladesh Connection: A Cautionary Tale
In January 2026, Bangladesh’s Digital Security Agency intercepted communications revealing:
- A Dhaka-based group purchased Coruña access for $180,000
- Targeted Indian pharmaceutical executives traveling to Bangladesh for business
- Used compromised iPhones to access:
  - Drug formulation data (for counterfeit operations)
  - Supply chain credentials (to divert shipments)
  - Regulatory correspondence (to anticipate Indian FDA actions)
- ₹42 crore in losses across five Indian pharma companies before detection
Key Insight: The operation demonstrated how exploit kits enable cross-border corporate espionage at a scale previously only possible for state actors.
Strategic Responses: What India Can (and Must) Do
1. The Technical Front: Beyond Patch Management
Traditional cybersecurity approaches fail against frameworks like Coruña because:
- They rely on known signatures (Coruña’s polymorphic code changes with each infection)
- They assume network-level defenses (Coruña spreads via iMessage and Bluetooth with no user interaction)
- They focus on post-breach detection (Coruña includes anti-forensic modules that erase logs)
Required shifts:
- Behavioral AI: Indian firms like Uniken and Seqrite are developing AI that monitors for "impossible behaviors" (e.g., a device suddenly accessing APIs it’s never used before)
- Hardware Anchors: Using iPhone’s Secure Enclave for cryptographic health attestation (being piloted by HDFC Bank)
- Exploit Bounties: Tata Consultancy Services proposed a ₹50 lakh bounty program for recovered zero-days (modeled after Google’s Project Zero)
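To make the "impossible behaviours" idea concrete, here is an added example (not code from the article or from any vendor named in it) of a per-device behavioural baseline: it learns which app/API pairs each managed device normally uses, then flags an API call the device has never made, with higher severity when no device in the fleet has ever made it. The telemetry format, field names and sample events are constructed for illustration.

```python
# Added example: behavioural baseline for managed devices. Field names and the
# sample telemetry below are assumptions, not a real MDM export format.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    device_id: str   # MDM device identifier (assumed field name)
    app: str         # bundle id of the calling app
    api: str         # API or endpoint the app called


class BaselineDetector:
    """Learn the (app, api) pairs each device normally uses, then score new events."""

    def __init__(self):
        self.per_device = defaultdict(set)   # device_id -> {(app, api)}
        self.fleet = defaultdict(int)        # (app, api) -> number of devices using it

    def learn(self, events):
        """Build the baseline from a learning window of known-good telemetry."""
        for e in events:
            key = (e.app, e.api)
            if key not in self.per_device[e.device_id]:
                self.per_device[e.device_id].add(key)
                self.fleet[key] += 1

    def score(self, e):
        """'normal', 'new-for-device' (other devices do this) or 'new-for-fleet'."""
        key = (e.app, e.api)
        if key in self.per_device[e.device_id]:
            return "normal"
        if self.fleet[key] == 0:
            return "new-for-fleet"   # no managed device has ever made this call
        return "new-for-device"      # plausible feature rollout; lower severity

    def detect(self, events):
        """Return (event, severity) for every non-normal event; baseline unchanged."""
        return [(e, s) for e in events if (s := self.score(e)) != "normal"]


def run_demo():
    # Constructed learning window: two banking devices with normal usage.
    baseline = [ApiEvent("dev-A", "com.example.bank", "/accounts/balance"),
                ApiEvent("dev-B", "com.example.bank", "/accounts/balance"),
                ApiEvent("dev-B", "com.example.bank", "/payments/transfer")]
    # Constructed new telemetry: one normal call, one first-seen for dev-A,
    # one call (a banking app reading SMS) no device has ever made.
    fresh = [ApiEvent("dev-B", "com.example.bank", "/accounts/balance"),
             ApiEvent("dev-A", "com.example.bank", "/payments/transfer"),
             ApiEvent("dev-A", "com.example.bank", "sms.read")]
    det = BaselineDetector()
    det.learn(baseline)
    return det.detect(fresh)
```

Severity ordering matters in practice: a "new-for-device" call that many other devices already make is usually a feature rollout, while "new-for-fleet" is what merits an analyst's immediate attention.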
2. The Policy Front: Regulating the Unregulatable
India