LmCast :: Stay tuned in

Coruna iOS exploit framework linked to Triangulation attacks

Recorded: March 26, 2026, 3:26 p.m.

By Bill Toulas

March 26, 2026, 09:10 AM

The Coruna exploit kit is an evolution of the framework used in the Operation Triangulation espionage campaign, which in 2023 targeted iPhones via zero-click iMessage exploits.
The software has been expanded to target modern hardware, specifically including Apple's A17 and M3 chips, as well as operating systems up to iOS 17.2.
Coruna contains five full iOS exploit chains leveraging 23 vulnerabilities, among them CVE-2023-32434 and CVE-2023-38606, which were also used in Operation Triangulation.
After analyzing the exploit code for the two security issues, Kaspersky researchers determined that Coruna ran an updated version of the exploit used in Operation Triangulation, a campaign that had been running since 2019.
Additional code similarities led to the conclusion that the kit is the successor to the malicious framework leveraged in the Triangulation campaign that also targeted iPhones on Kaspersky's network.
“During our analysis we’ve discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna, in fact, is an updated version of the same exploit that was used in Operation Triangulation,” the researchers say in a report today.

Kaspersky's analysis shows that the attack begins in Safari with a stager that fingerprints the device, selects suitable RCE and PAC exploits, and then retrieves encrypted metadata for subsequent stages.
The payload downloads additional encrypted components, decrypts them using ChaCha20, decompresses them with LZMA, and parses custom container formats to obtain package information.
Based on the device’s architecture and iOS version, it selects and executes the appropriate kernel exploit, Mach-O loader, and launcher to deploy the spyware implant.
Kaspersky’s findings indicate that the payloads support targeting ARM64 and ARM64E architectures, with explicit checks for A17, M3, M3 Pro, and M3 Max chips.
Also, the package IDs and system checks indicate that the exploits can target:
iOS < 14.0 beta 7
iOS < 14.7
iOS < 16.5 beta 4
iOS < 16.6 beta 5
iOS < 17.2
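
For fleet triage, the check below maps a reported iOS version to the ranges listed above. It is an added example, not code from Kaspersky or from the article; the inventory names and the version-string format are constructed assumptions. A match only means the version falls inside a range the article lists, not that the device is unpatched, since the article notes that Apple also shipped fixes for earlier iOS versions.

```python
import re

# Exclusive upper bounds exactly as listed in the article.
# Encoding: (major, minor, patch, is_release, beta_number), so that every
# beta of X.Y sorts before the X.Y release.
TARGETED_BELOW = {
    "iOS < 14.0 beta 7": (14, 0, 0, 0, 7),
    "iOS < 14.7": (14, 7, 0, 1, 0),
    "iOS < 16.5 beta 4": (16, 5, 0, 0, 4),
    "iOS < 16.6 beta 5": (16, 6, 0, 0, 5),
    "iOS < 17.2": (17, 2, 0, 1, 0),
}

# Assumed input format: "16.4.1", "17.2" or "16.5 beta 3".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s+beta\s+(\d+))?$", re.I)


def parse_ios_version(text):
    """Turn a version string into a tuple that orders betas before releases."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    major, minor, patch, beta = m.groups()
    is_release = 0 if beta else 1
    return (int(major), int(minor), int(patch or 0), is_release, int(beta or 0))


def targeted_ranges(version_text):
    """Return the article's ranges that this version falls inside."""
    version = parse_ios_version(version_text)
    return [label for label, bound in TARGETED_BELOW.items() if version < bound]


def triage(inventory):
    """Map device name -> matched ranges; None marks an unparseable version."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = targeted_ranges(version)
        except ValueError:
            report[device] = None  # needs manual review, do not treat as clear
    return report


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = {
    "exec-phone-01": "16.4.1",
    "lab-ipad-07": "16.5 beta 3",
    "kiosk-12": "17.2",
    "legacy-03": "13.7",
    "unknown-09": "n/a",
}

if __name__ == "__main__":
    for device, hits in triage(SAMPLE_INVENTORY).items():
        print(device, "->", "REVIEW" if hits is None else hits or "no listed range")
```
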
Boris Larin, principal security researcher at Kaspersky Global Research and Analysis Team (GReAT), says the connection with Triangulation became evident after analyzing Coruna's binaries.
"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework."
Additionally, the developers continued to update the framework by including checks for newer processors (e.g., M3) and iOS builds.
Since Coruna has also been used in financially-motivated campaigns aiming to steal cryptocurrency via fake exchange websites, Larin notes that "what began as a precision espionage tool is now deployed indiscriminately."
Operation Triangulation was a highly sophisticated iOS espionage campaign that used multiple zero-day exploits to silently infect iPhones and deploy spyware implants.
It was discovered by Kaspersky during internal WiFi network monitoring in June 2023, though the campaign had started four years earlier.
In late 2023, the same researchers found that these attacks leveraged undocumented features in Apple chips to bypass hardware-based security protections.
Another exploit kit, dubbed DarkSword, was disclosed earlier this month by researchers at mobile security companies Lookout and iVerify, and Google.
Like Coruna, DarkSword is being used by multiple threat actors, but all appear to be leveraging it for espionage operations. It should be noted that DarkSword is now publicly available, which increases the risk of cybercriminals starting to leverage it against unpatched iPhones.
Apple has published a bulletin to address all these recently uncovered exploit kits, noting that fixes for all flaws have been made available via security updates for the latest, as well as earlier, iOS versions.


Summarized

The Coruna exploit framework represents a significant evolution of the framework behind the Operation Triangulation espionage campaign, initially discovered by Kaspersky in 2023. Coruna is a sophisticated tool designed to silently infiltrate iPhones, leveraging over 23 zero-day vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, to deploy spyware implants. Initial analysis by Kaspersky researchers revealed that the core kernel exploit within Coruna was a considerably updated version of the exploit initially used in Triangulation, dating back to 2019. This indicates a sustained, ongoing effort by the attackers to refine their techniques.

The framework’s architecture is highly targeted and adaptable. It begins with a stager in Safari that performs device fingerprinting, then selects appropriate exploits, including Remote Code Execution (RCE) and Pointer Authentication Code (PAC) exploits, to achieve its objectives. Following this, Coruna retrieves encrypted metadata and proceeds with further component downloads, decrypting them using ChaCha20 and decompressing them with LZMA before parsing custom container formats to acquire package information. Critically, the system dynamically adjusts its operations based on the device’s architecture and iOS version, supporting ARM64 and ARM64E architectures and explicitly checking for newer hardware such as the A17, M3, M3 Pro, and M3 Max chips.

Boris Larin, principal security researcher at Kaspersky, highlighted the meticulous nature of Coruna’s development, stating that it is “not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework.” This sustained development is evidenced by the framework’s continued updates, incorporating checks for newer processor generations and iOS build versions. The attackers have expanded Coruna's functionality beyond simple espionage, as evidenced by its utilization in financially motivated campaigns focused on cryptocurrency theft through the deployment of fake exchange websites.

Operation Triangulation itself was revealed to utilize undocumented features within Apple’s chips, a method that bypasses hardware-based security protections, and was initially discovered through internal WiFi network monitoring. The emergence of Coruna mirrors the techniques employed by other exploit kits, such as DarkSword, which has been leveraged by multiple threat actors, primarily for espionage activities. DarkSword's public availability, however, presents a heightened risk, as cybercriminals may now employ it against unpatched iPhones.

Apple has acknowledged these threats and issued security updates to remediate the vulnerabilities exploited by Coruna and other similar exploit kits. These updates address the core flaws, representing a crucial step in safeguarding iOS devices. The evolution of Coruna and its deployment in various malicious activities underscore the importance of proactive security measures and vigilant monitoring in the face of increasingly sophisticated cyber threats.