Coruna iOS Exploit Kit Likely an Update to Operation Triangulation

Summary

Kaspersky discovered that the Coruna iOS exploit kit, used by Russian state-sponsored group UNC6353, contains an updated version of a kernel exploit originally deployed in Operation Triangulation three years ago. The kit targets 23 iOS vulnerabilities including CVE-2023-32434 and CVE-2023-38606, featuring improved version checking and support for newer iOS versions and Apple processors. The unified exploitation framework design suggests the same threat actor behind Operation Triangulation has evolved their capabilities and now poses risks to millions of unpatched device users.

Full text

One of the kernel exploits in the recently discovered iOS exploit kit Coruna is an updated version of an exploit used in Operation Triangulation over three years ago, Kaspersky reports. In mid-2023, Kaspersky revealed that the iOS devices of dozens of its senior employees had been compromised via zero-click iMessage attacks involving commercial spyware. Coruna, the nation-state-grade exploit kit detailed earlier this month, targets 23 vulnerabilities in iOS, including CVE-2023-32434 and CVE-2023-38606, two kernel bugs exploited in Operation Triangulation as zero-days. According to a fresh Kaspersky report, Coruna uses an updated version of the previously identified kernel exploit targeting these security defects. Additionally, the cybersecurity firm discovered that all the kernel exploits in Coruna were built using the same exploitation framework and that they also share code similarities with other components of the kit. “These findings led us to conclude that this exploit kit was not patchworked but rather designed with a unified approach. We assume that it’s an updated version of the same exploitation framework that was used — at least to some extent — in Operation Triangulation,” Kaspersky notes.Advertisement. Scroll to continue reading. The updated exploit, it says, performs more accurate version checking and contains checks for newer iOS iterations and for newer Apple processors. These checks also demonstrate that the same source code was used across multiple exploits targeting newer vulnerabilities, the security firm says. “Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk. Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks,” Kaspersky notes. Coruna was used by a Russian state-sponsored espionage group tracked as UNC6353 in attacks against Ukraine alongside DarkSword, an exploit kit targeting newer iOS versions. A recent iteration of DarkSword was leaked on GitHub last week, allowing low-tier cybercriminals to use it in attacks. Millions of devices are likely at risk, as they run iOS versions containing vulnerabilities targeted by the exploit kit. Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites Related: M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds Related: From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Onit Security Raises $11 Million for Exposure Management PlatformiOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security RisksFrom Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPIExtortion Group Claims It Hacked AstraZenecaChrome 146 Update Patches High-Severity Vulnerabilities3.1 Million Impacted by QualDerm Data BreachCritical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn Latest News RSAC 2026 Conference Announcements Summary (Days 3-4)CISA Flags Critical PTC Vulnerability That Had German Police MobilizedHightower Holding Data Breach Impacts 130,000BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareAlleged RedLine Malware Administrator Extradited to USDell and HP Roll Out Quantum-Resistant Device Security Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveBrian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.Hemant Baidwan has joined Knox Systems as Chief Information Security Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2023-32434
• cve — CVE-2023-38606
• malware — Coruna
• malware — DarkSword