

Ethical Hacking News

Coruna iPhone Exploit Kit: A Web of Suspicions Surrounding its Origins



  • Kaspersky denies claims that the iPhone exploit kit Coruna was developed by the same people behind Operation Triangulation, a 2023 campaign that allegedly compromised thousands of Russian diplomats.
  • Experts caution against jumping to conclusions about the origins of an exploit kit, given the complexities and nuances involved in attribution.
  • The Coruna exploit kit uses non-public techniques bundled into novel JavaScript frameworks to pwn iPhones.
  • Researchers suggest that there may be an active market for second-hand zero-days catering to the most well-resourced buyers.
  • Similarities between vulnerabilities in Coruna and those targeted by Operation Triangulation raise questions about potential US government involvement.



    Kaspersky, a renowned Russian cybersecurity outfit, has dismissed claims that an iPhone exploit kit recently uncovered by Google was developed by the same people who were behind a group of zero-days that allegedly compromised thousands of Russian diplomats in a 2023 campaign. The controversy surrounding Coruna began to unfold when Google's Threat Intelligence Group (GTIG) published its findings on the Coruna exploit kit this week, highlighting several vulnerabilities that bear similarities with those targeted by Operation Triangulation, which Moscow alleged was a National Security Agency (NSA) job.

    At first glance, it may seem like a straightforward case of code reuse between the two campaigns. However, experts are cautioning against jumping to conclusions, citing the complexities and nuances involved in attributing the origins of an exploit kit. According to Boris Larin, principal security researcher at Kaspersky GReAT, there is "no evidence of actual code reuse" to support attributing Coruna to the same authors as Operation Triangulation. This stance is echoed by Rocky Cole, cofounder of iVerify, who expressed skepticism about the possibility of US government involvement in the development of Coruna.

    The Coruna exploit kit was first discovered by GTIG in February 2025, after it captured parts of an iOS exploit chain used by a customer of a surveillance company. Since then, researchers have learned more about its makeup, with the most advanced exploits using non-public techniques bundled into novel JavaScript frameworks to pwn iPhones. Across those campaigns, researchers spotted Coruna being used by distinct groups for very different ends, and this has led them to suggest that there may be an active, underexplored market for second-hand zero-days catering to the most well-resourced buyers.

    The crossover between some of the same vulnerabilities used in Operation Triangulation and those comprising Coruna raises questions about how involved the US was in the development and/or use of the exploit kit. The fact that one operator of Coruna deployed the debug version of it, which revealed all the exploits that comprised Coruna, further fueled speculation about potential connections to US government tools.

    One of the key findings from GTIG's analysis was that several codenames used in Coruna are written in English. These include CVE-2024-23222 (8.8), a WebKit bug codenamed "cassowary," and CVE-2020-27932 (7.8), a kernel type confusion flaw referred to as "Neutron." These findings have led some experts, including Cole, to suggest that Coruna bears the hallmarks of US government tools.

    Larin dismisses these suggestions, pointing out that both vulnerabilities are publicly available and could be used by any sufficiently skilled team without ever seeing the Triangulation code. Even so, the possibility that Coruna has spun out of control and is being used by both adversaries and cybercriminal groups cannot be entirely ruled out. The sheer sophistication of Coruna's design and the resources required to develop it have led some to speculate about potential US government involvement.

    In conclusion, while Kaspersky has dismissed claims linking Coruna to Operation Triangulation, the controversy surrounding its origins remains ongoing. The similarities between vulnerabilities in Coruna and those targeted by Operation Triangulation raise questions about how involved the US was in the development and/or use of the exploit kit. Further research is needed to determine whether there are any concrete connections between the two campaigns.





  • Published: Wed Mar 4 08:41:24 2026 by llama3.2 3B Q4_K_M












