Tags: vulnerability, critical, Exploit Kit, Spyware, Zero-Day Exploitation, Coruna, CVE-2023-32434, CVE-2023-38606

Mar 26, 2026 • Boris Larin

Coruna: the framework used in Operation Triangulation

Source: Kaspersky Securelist
Category: vulnerability
Severity: critical

Executive Summary

Kaspersky GReAT researchers identified Coruna, a sophisticated exploit kit framework linked to Operation Triangulation, targeting Apple iOS devices. This toolkit leverages kernel exploits for CVE-2023-32434 and CVE-2023-38606, previously utilized as zero-days in the Triangulation campaign. Coruna facilitates remote code execution via Safari vulnerabilities and deploys spyware implants through encrypted payloads. The framework has been observed in watering-hole attacks across Ukraine and financially motivated incidents in China, indicating broad deployment by surveillance vendor customers. The exploit kit utilizes advanced obfuscation, including ChaCha20 encryption and custom container formats. Due to the reliance on patched vulnerabilities and sophisticated kernel exploitation, the threat severity is critical for iOS users. Mitigation requires immediate device patching to address known CVEs and vigilant monitoring for suspicious network traffic associated with exploit delivery mechanisms. Organizations should enforce strict mobile device management policies to reduce exposure to such targeted APT activities.

Summary

Kaspersky GReAT experts look into the Coruna exploit kit targeting iPhones. We discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the Operation Triangulation exploit.

Published Analysis

Introduction

On March 4, 2026, Google and iVerify published reports about a highly sophisticated exploit kit targeting Apple iPhone devices. According to Google, the exploit kit was first discovered in targeted attacks conducted by a customer of an unnamed surveillance vendor. It was later used by other attackers in watering-hole attacks in Ukraine and in financially motivated attacks in China. Additionally, researchers discovered an instance with the debug version of the exploit kit, which revealed the internal names of the exploits and the framework name used by its developers — Coruna.

Analysis of the kit showed that it relies on the exploitation of many previously patched vulnerabilities and also includes exploits for CVE-2023-32434 and CVE-2023-38606. These two vulnerabilities particularly caught our attention because they had first been discovered as zero-days used in Operation Triangulation.

Operation Triangulation is a complex mobile APT campaign targeting iOS devices. We discovered it while monitoring the network traffic of our own corporate Wi-Fi network. We noticed suspicious activity that originated from several iOS-based phones. Following the investigation, we learned that this campaign employed a sophisticated spyware implant and multiple zero-day exploits. The investigation lasted for over six months, during which we disclosed our findings in connection to the attack. Kaspersky GReAT experts also presented these findings at the 37th Chaos Communication Congress (37C3).

Although all the details of both CVE-2023-32434 and CVE-2023-38606 have long been publicly available, and other researchers have developed their own exploits without ever seeing the Triangulation code, we decided to closely investigate the exploits used in Coruna. Some of the exploit kit distribution links provided by Google remained active at the time the report was published, which allowed us to collect, decrypt, and analyze all components of Coruna. During our analysis, we discovered that the kernel exploit for the CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna is, in fact, an updated version of the same exploit that had been used in Operation Triangulation. The images below illustrate a high-level overview of the two attack chains. The exploit in question is highlighted with a red rectangle.

Figure: Attack chain of Operation Triangulation (simplified)

Figure: Attack chain of Coruna (simplified)

Moreover, we discovered that Coruna includes four additional kernel exploits that we had not seen used in Operation Triangulation, two of which were developed after the discovery of Operation Triangulation. All of these exploits are built on the same kernel exploitation framework and share common code. Code similarities from the kernel exploits can also be found in other components of Coruna. These findings led us to conclude that this exploit kit was not patchworked but rather designed with a unified approach. We assume that it's an updated version of the same exploitation framework that was used — at least to some extent — in Operation Triangulation.

Technical details

While we continue to investigate all exploits and vulnerabilities used by Coruna, this post provides a high-level overview of the exploit kit and attack chain.

Safari

Exploitation begins with a stager that fingerprints the browser and selects and executes the appropriate remote code execution (RCE) and pointer authentication code (PAC) exploits depending on the browser version. It also contains a URL to an encrypted file with information about all available packages containing exploits and other components. The stager also includes a 256-bit key used to...

Linked Entities

  • Coruna
  • CVE-2023-32434
  • CVE-2023-38606