Coruna iOS Exploit Kit Traced Back to Operation Triangulation Authors as Attacks Shift From Espionage to Mass Exploitation

Kaspersky's GReAT team has established a direct code-level link between the Coruna iOS exploit kit and Operation Triangulation, the sophisticated espionage campaign that targeted iOS devices in 2023. The connection goes beyond shared vulnerabilities — the kernel exploits in both toolchains were created by the same author using a common exploitation framework.

Coruna, first documented by Google and iVerify earlier this month, targets iPhones running iOS versions 13.0 through 17.2.1 and contains five full iOS exploit chains comprising 23 individual exploits. Among them are CVE-2023-32434 and CVE-2023-38606, both originally deployed as zero-days in Operation Triangulation. Kaspersky found that Coruna also incorporates four additional kernel exploits built on the same underlying framework, with shared code structures confirming common authorship rather than coincidental vulnerability reuse.

The codebase has been actively maintained and expanded. It now includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS 16.5 beta 4 — the latter being the version that patched the original Triangulation vulnerabilities. This indicates the developers have continuously adapted the framework to target newer hardware and work around Apple's patches.

What makes this particularly concerning is the shift in how the kit is being deployed. While it was initially used by a customer of an unnamed surveillance vendor, it has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a separate mass exploitation campaign using fake Chinese gambling and cryptocurrency websites to deliver PlasmaLoader (also tracked as PLASMAGRID), a data-stealing malware.

The attack chain begins when a victim visits a compromised site in Safari. A stager fingerprints the browser and OS version, serves the appropriate exploit, and triggers the kernel exploit to gain deep device access. A launcher component then orchestrates post-exploitation activity, selects the correct Mach-O loader based on firmware version and CPU, drops the final implant, and cleans up forensic artifacts to avoid detection.

Compounding the threat landscape, a new version of the DarkSword iPhone exploit kit has been leaked on GitHub, further lowering the barrier for threat actors seeking advanced iOS exploitation capabilities.

What Defenders Should Do:

Ensure all iOS devices are updated to the latest available version — the exploit chains in Coruna target versions up to iOS 17.2.1, meaning devices running iOS 17.3 and later are outside the current attack surface. Organizations managing mobile fleets should audit for devices running outdated iOS versions and enforce update compliance. Monitor network traffic for connections to suspicious gambling and cryptocurrency domains. Safari-based watering hole delivery means web filtering and DNS-level controls can provide an additional layer of defense. Given the modular and reusable nature of this framework, expect additional threat actors to adopt it.
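As an added example, not code from Kaspersky's report or this article, the following Python script performs the fleet audit described above: it parses iOS version strings from an MDM-style inventory and flags every device whose version falls inside Coruna's documented 13.0 through 17.2.1 range. The inventory format, field names and device identifiers are assumptions constructed for the demonstration.

```python
import re

# Coruna's five exploit chains cover iOS 13.0 through 17.2.1 (inclusive),
# per the article; iOS 17.3 and later sit outside the kit's current range.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_ios_version(text):
    """Turn '17.2.1', '16.5' or '16.5 beta 4' into a comparable 3-tuple.
    Numeric comparison avoids the string-ordering bug where '17.10' sorts
    before '17.2'; beta/RC suffixes are ignored for the range test.
    Returns None when the string is not a dotted version at all."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def in_coruna_range(version):
    parsed = parse_ios_version(version)
    return parsed is not None and CORUNA_MIN <= parsed <= CORUNA_MAX


def audit_inventory(devices):
    """Return devices whose reported iOS version Coruna can exploit.
    Unparseable versions are reported too: an unknown version is a gap in
    fleet visibility, not evidence that the device is patched."""
    findings = []
    for d in devices:
        version = d["ios_version"]
        if parse_ios_version(version) is None:
            findings.append({**d, "reason": "unparseable version"})
        elif in_coruna_range(version):
            findings.append({**d, "reason": "within Coruna range 13.0-17.2.1"})
    return findings


# Constructed sample MDM export (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"device": "iphone-001", "ios_version": "17.2.1"},
    {"device": "iphone-002", "ios_version": "17.3"},
    {"device": "iphone-003", "ios_version": "16.5 beta 4"},
    {"device": "iphone-004", "ios_version": "12.5.7"},
    {"device": "iphone-005", "ios_version": "unknown"},
    {"device": "iphone-006", "ios_version": "17.10"},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['device']}: iOS {f['ios_version']} -> {f['reason']}")
```

Feeding a real MDM export through `audit_inventory` gives the list of devices to prioritize for update enforcement, with unparseable entries surfaced for manual follow-up rather than silently skipped.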