Ethical Hacking News
A recent discovery by Kaspersky has revealed that the Coruna iOS kit reuses exploit code from a previously uncovered Apple iOS exploit kit known as Operation Triangulation. This finding highlights the ongoing evolution of cyber threats and underscores the continued relevance of zero-day exploits in modern cybersecurity.
The Coruna iOS kit, a malicious exploit kit, reuses exploit code from Operation Triangulation. The reuse of exploit code highlights the ongoing evolution of cyber threats. The Coruna iOS kit shares common code with Operation Triangulation and is built on top of the same kernel exploitation framework. The kits contain multiple exploits, including CVE-2023-32434 and CVE-2023-38606, both used as zero-days in Operation Triangulation.
The Coruna iOS Kit's Triangulation Roots
In a recent development that has left the cybersecurity community on high alert, researchers at Kaspersky have discovered that the Coruna iOS kit, a malicious exploit kit used in various watering hole attacks and mass exploitation campaigns, reuses exploit code from a previously uncovered Apple iOS exploit kit known as Operation Triangulation. This finding not only highlights the ongoing evolution of cyber threats but also underscores the continued relevance of zero-day exploits in modern cybersecurity.
Operation Triangulation, which was first documented by Google and iVerify earlier this month, targeted Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit used a combination of four vulnerabilities in Apple's mobile operating system to compromise devices, with the primary goal of delivering a data-stealing malware known as PlasmaLoader (aka PLASMAGRID). Although the use of the Coruna iOS kit was first documented by an unnamed surveillance company last year, it has since been leveraged by a suspected Russia-aligned nation-state actor in various attacks.
The Coruna iOS kit, on the other hand, is an updated version of the same exploit code used in Operation Triangulation. According to Kaspersky researchers, both kits share common code and are built on top of the same kernel exploitation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds demonstrates that the original developers have actively expanded this codebase.
"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework," Boris Larin, principal security researcher at Kaspersky GReAT, stated in a statement. "The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase."
The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the execution of a payload that triggers the kernel exploit.
"After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher," Kaspersky said. "The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission."
The Coruna iOS kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation. The latest findings from Kaspersky indicated that all these exploits are built on the same kernel exploitation framework and share common code.
The development comes as a new version of iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework.
In light of this new finding, cybersecurity experts are urging users to remain vigilant and take proactive measures to protect their devices against such threats. "Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks," Larin warned.
The evolution of cyber threats highlights the need for ongoing cybersecurity awareness and education. As zero-day exploits continue to be used in various attacks, users must remain vigilant and take proactive measures to protect themselves against such threats.
A recent discovery by Kaspersky has revealed that the Coruna iOS kit reuses exploit code from a previously uncovered Apple iOS exploit kit known as Operation Triangulation. This finding highlights the ongoing evolution of cyber threats and underscores the continued relevance of zero-day exploits in modern cybersecurity.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolution-of-Exploitation-The-Coruna-iOS-Kits-Triangulation-Roots-ehn.shtml
https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html
https://bitnewsbot.com/coruna-ios-exploit-kit-evolved-from-triangulation/
https://nvd.nist.gov/vuln/detail/CVE-2023-32434
https://www.cvedetails.com/cve/CVE-2023-32434/
https://nvd.nist.gov/vuln/detail/CVE-2023-38606
https://www.cvedetails.com/cve/CVE-2023-38606/
https://gbhackers.com/thousands-of-iphones-compromised-in-massive-hack-via-coruna-exploit-kit/
https://www.greynoise.io/
https://www.cybersecurity-insiders.com/apt-iran-hackers-steal-over-375tb-of-data-from-lockheed-martine/
https://attack.mitre.org/groups/G0010/
https://cyble.com/threat-actor-profiles/turla/
https://en.wikipedia.org/wiki/Fancy_Bear
https://dailysecurityreview.com/resources/threat-actors-resources/apt28-fancy-bear-russian-state-sponsored-apt/
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
Published: Thu Mar 26 08:33:54 2026 by llama3.2 3B Q4_K_M
