

Ethical Hacking News

The Coruna iOS Kit: A Nation-State Exploit Kit with a Triangulation Twist



A new exploit kit has emerged, leveraging vulnerabilities from the infamous Operation Triangulation campaign of 2023. Kaspersky has revealed that the Coruna iOS Kit is an evolved version of those same exploits, with significant implications for the broader cybersecurity community.

  • The Coruna iOS Kit is an exploit kit that has taken a fascinating turn, linking back to the infamous Operation Triangulation campaign of 2023.
  • The Coruna iOS Kit is an evolved version of the original Operation Triangulation framework, with new features and capabilities added by its creators.
  • The kit targets Apple iPhone models running iOS versions between 13.0 and 17.2.1, as well as newer versions with specific checks for M3 and newer processors.
  • The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including zero-day vulnerabilities.
  • The Coruna iOS Kit is being used by a suspected Russia-aligned nation-state actor in watering hole attacks and mass exploitation campaigns.
  • The kit's modular design makes it easy to reuse and incorporate into other attacks, posing significant risks to millions of users with unpatched devices.



    In the ever-evolving landscape of cybersecurity threats, it's not uncommon to come across an exploit kit that seems like a rehashing of past exploits. However, in the case of the Coruna iOS Kit, the latest findings from Kaspersky reveal that this particular kit has taken a fascinating turn, one that links it back to the infamous Operation Triangulation campaign of 2023.

    For those unfamiliar with Operation Triangulation, it was a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple's mobile operating system. This campaign was notable for its precision and stealth, making it particularly difficult to track down. However, as Kaspersky has now revealed, the Coruna iOS Kit is not only a rehashing of past exploits but also an evolved version of those same exploits.

    According to Boris Larin, principal security researcher at Kaspersky GReAT, "Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase." This indicates that the creators of Coruna have taken the original Triangulation campaign and expanded upon it, adding new features and capabilities to create a more formidable tool.

    The Coruna iOS Kit was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. However, it has since been used by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a mass exploitation campaign that employed a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).
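
For defenders, the version range reported above can be turned into a fleet inventory triage. The following is an added example, not code from Kaspersky, Google, iVerify or the original article; the CSV column names and the sample devices are constructed, and a result outside the range says nothing about whether a device is patched.

```python
import csv
import io
import re

# Range the article reports Coruna as targeting (iOS 13.0 through 17.2.1).
RANGE_LOW = (13, 0, 0)
RANGE_HIGH = (17, 2, 1)

# Constructed sample inventory (not real devices), shaped like an MDM CSV export.
# "17.10" is a made-up version that shows why numeric comparison is needed:
# compared as a string it would sort below "17.2.1".
SAMPLE_INVENTORY = """device_id,model,os_version
D-001,iPhone 11,15.8.2
D-002,iPhone 15 Pro,17.2.1
D-003,iPhone 14,17.10
D-004,iPhone 8,12.5.7
D-005,iPhone 13,16.5 beta 4
D-006,iPhone 12,unknown
"""

def parse_ios_version(text):
    """Return (major, minor, patch) as ints, or None if no version is present."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    """Place one OS version string relative to the reported target range."""
    v = parse_ios_version(version_text)
    if v is None:
        return "unparseable"  # needs manual review, never assume safe
    if v < RANGE_LOW:
        return "below_range"
    if v > RANGE_HIGH:
        return "above_range"
    return "in_range"

def triage(csv_text):
    """Map each device_id in the inventory to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(device, status)
```

Devices reported as `in_range` are the ones to prioritize for updating; `unparseable` entries should be checked by hand rather than skipped.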

    The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation. This means that the Coruna iOS Kit is using some of the same vulnerabilities that were exploited in the original campaign, albeit with some modifications to accommodate newer versions of iOS.

    The latest findings from Kaspersky have shed light on the kernel exploits in both Triangulation and Coruna, revealing that they were created by the same author. The code includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4.

    The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the execution of a payload that triggers the kernel exploit.

    "After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher," Kaspersky said. "The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission."

    This indicates that once a device is compromised by the Coruna iOS Kit, exploitation proceeds as a chain, with each stage building upon the previous one to deliver the final implant. The launcher is the primary orchestrator responsible for initiating this post-exploitation activity.

    The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. This has significant implications for the broader cybersecurity community, as it means that threat actors will now be able to exploit a wider range of devices using this kit.

    "Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk. Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks," Larin said.

    The development comes as a new version of the iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework. The release of the new version was first reported by TechCrunch.

    As we move forward in the fight against cyber threats, it's essential to stay vigilant and keep track of the latest developments in the world of exploit kits. With Coruna iOS Kit serving as a prime example, it's clear that nation-state actors are becoming increasingly sophisticated in their tactics, making it crucial for cybersecurity professionals to be aware of these evolving threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Coruna-iOS-Kit-A-Nation-State-Exploit-Kit-with-a-Triangulation-Twist-ehn.shtml

  • https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html

  • https://nvd.nist.gov/vuln/detail/CVE-2023-32434

  • https://www.cvedetails.com/cve/CVE-2023-32434/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-38606

  • https://www.cvedetails.com/cve/CVE-2023-38606/

  • https://en.wikipedia.org/wiki/Operation_Triangulation

  • https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/

  • https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html

  • https://www.pcmag.com/news/iphone-hack-darksword-leaks-online-github-target-millions-of-older-models


  • Published: Thu Mar 26 14:27:25 2026 by llama3.2 3B Q4_K_M












