

Ethical Hacking News

Coruna iOS Exploit Kit: A Sophisticated Espionage Tool Evolved


Coruna, an iOS exploit kit linked to the Operation Triangulation espionage campaign, has been expanded to target modern hardware and operating systems. Kaspersky researchers have found that the attack begins in Safari and uses multiple zero-day exploits to silently infect iPhones and deploy spyware implants.

  • Coruna is a sophisticated iOS exploit kit linked to the Operation Triangulation espionage campaign, targeting modern hardware and operating systems.
  • The attack uses multiple zero-day exploits to silently infect iPhones and deploy spyware implants, beginning in Safari.
  • Coruna has been expanded to target A17, M3, M3 Pro, and M3 Max chips, as well as iOS versions up to 17.2.
  • The exploit kit leverages 23 vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, and supports targeting ARM64 and ARM64E architectures.
  • Coruna has been used in financially-motivated campaigns to steal cryptocurrency via fake exchange websites.
  • Apple has published a bulletin to address the recently uncovered exploit kits, with fixes available via security updates for iOS versions.



    The world of cyber security is constantly evolving, with new threats and exploits emerging every day. In recent months, a new player has entered the scene, one that is making headlines for its sophistication and malicious intent. Coruna, an iOS exploit kit, has been linked to Triangulation attacks, a campaign that targeted iPhones via zero-click iMessage exploits in 2023.

    The Coruna exploit kit is an evolution of the framework used in Operation Triangulation, which was first discovered by Kaspersky researchers in June 2023. The original campaign used multiple zero-day exploits to silently infect iPhones and deploy spyware implants. However, since then, the exploit kit has been expanded to target modern hardware, specifically including Apple's A17 and M3 chips, as well as operating systems up to iOS 17.2.

    According to Kaspersky researchers, Coruna contains five full iOS exploit chains leveraging 23 vulnerabilities, among them CVE-2023-32434 and CVE-2023-38606. These exploits are not simply carried over from the original Operation Triangulation framework; they have been updated to include checks for newer processors and iOS builds.

    The attack begins in Safari with a stager that fingerprints the device, selects suitable RCE and PAC exploits, and then retrieves encrypted metadata for subsequent stages. The payload downloads additional encrypted components, decrypts them using ChaCha20, decompresses them with LZMA, and parses custom container formats to obtain package information. Based on the device's architecture and iOS version, it selects and executes the appropriate kernel exploit, Mach-O loader, and launcher to deploy the spyware implant.

    Kaspersky's analysis shows that the payloads support targeting ARM64 and ARM64E architectures, with explicit checks for A17, M3, M3 Pro, and M3 Max chips. The package IDs and system checks indicate that the exploits can target iOS < 14.0 beta 7, iOS < 14.7, iOS < 16.5 beta 4, iOS < 16.6 beta 5, and iOS < 17.2.
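For defenders, the version ceilings above translate directly into a fleet triage check. The following is an added example, not code from Kaspersky or from the kit: it reads a constructed inventory export and reports which of the listed ceilings each device falls under. It assumes the inventory reports release builds in `major.minor.patch` form; the CSV columns and device names are hypothetical, and a match means "verify patch level", since Apple's fixes also ship for earlier iOS versions.

```python
import csv
import io

# Ceilings as listed in the article. A release build of X.Y ships after every
# X.Y beta, so for release builds "< X.Y beta N" reduces to "< X.Y".
CEILINGS = [
    ("iOS < 14.0 beta 7", (14, 0, 0)),
    ("iOS < 14.7", (14, 7, 0)),
    ("iOS < 16.5 beta 4", (16, 5, 0)),
    ("iOS < 16.6 beta 5", (16, 6, 0)),
    ("iOS < 17.2", (17, 2, 0)),
]

# Constructed sample inventory export (hypothetical devices and columns).
SAMPLE_INVENTORY = """device,os_version
phone-01,13.7
phone-02,16.5.1
phone-03,17.1.2
phone-04,17.2
phone-05,unknown
"""

def parse_version(text):
    """Turn '16.5.1' into (16, 5, 1), padding '17.2' to (17, 2, 0)."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def matching_ceilings(version_text):
    """Labels of every listed ceiling that this release version is below."""
    v = parse_version(version_text)
    return [label for label, ceiling in CEILINGS if v < ceiling]

def triage(csv_text):
    """Return ({device: [ceiling labels]}, [devices needing manual review])."""
    in_range, needs_review = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            hits = matching_ceilings(row["os_version"])
        except ValueError:
            needs_review.append(row["device"])  # never treat unknown as safe
            continue
        if hits:
            in_range[row["device"]] = hits
    return in_range, needs_review
```
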

    The connection between Coruna and Operation Triangulation became evident after analyzing Coruna's binaries. Boris Larin, principal security researcher at Kaspersky Global Research and Analysis Team (GReAT), notes that "Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework."

    Since its emergence, Coruna has been used in financially-motivated campaigns aiming to steal cryptocurrency via fake exchange websites. Larin notes that "what began as a precision espionage tool is now deployed indiscriminately."

    Operation Triangulation was a highly sophisticated iOS espionage campaign that used multiple zero-day exploits to silently infect iPhones and deploy spyware implants. It was discovered by Kaspersky researchers during internal WiFi network monitoring in June 2023, though the campaign had started four years earlier.

    In late 2023, the same researchers found that these attacks leveraged undocumented features in Apple chips to bypass hardware-based security protections. Another exploit kit, dubbed DarkSword, was disclosed earlier this month by researchers at mobile security companies Lookout and iVerify, and Google. Like Coruna, DarkSword is being used by multiple threat actors, but all appear to be leveraging it for espionage operations.

    Apple has published a bulletin to address all these recently uncovered exploit kits, noting that fixes for all flaws have been made available via security updates for the latest, as well as earlier, iOS versions.

    In conclusion, Coruna is a sophisticated iOS exploit kit that has evolved from the original Operation Triangulation framework. Its ability to target modern hardware and operating systems makes it a significant threat to mobile device security. As new threats emerge, it is essential to stay vigilant and keep our devices up-to-date with the latest security patches.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Coruna-iOS-Exploit-Kit-A-Sophisticated-Espionage-Tool-Evolved-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/coruna-ios-exploit-framework-linked-to-triangulation-attacks/

  • https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html

  • https://en.cryptonomist.ch/2026/03/26/coruna-exploit-kit-analysis/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-32434

  • https://www.cvedetails.com/cve/CVE-2023-32434/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-38606

  • https://www.cvedetails.com/cve/CVE-2023-38606/


  • Published: Thu Mar 26 10:03:37 2026 by llama3.2 3B Q4_K_M












