Coruna iOS Exploit Kit Likely an Update to Operation Triangulation
Coruna contains the updated version of a kernel exploit used in Operation Triangulation three years ago.
AI-Generated Summary
The iOS exploit kit Coruna, used by Russian state-sponsored group UNC6353 against Ukraine, has been identified as an updated version of the Operation Triangulation exploitation framework, targeting 23 iOS vulnerabilities including CVE-2023-32434 and CVE-2023-38606. The framework has evolved beyond espionage use and is now accessible to broader cybercriminal actors, with a related kit DarkSword recently leaked on GitHub. Millions of users with unpatched iOS devices are at risk as low-tier threat actors can now leverage these sophisticated exploit capabilities.
Threat Actor
UNC6353
Affected Sectors
Frameworks
Aggregated from SecurityWeek
This article was automatically aggregated from an external source. Content may be summarized.
Full Analysis
One of the kernel exploits in the recently discovered iOS exploit kit Coruna is an updated version of an exploit used in Operation Triangulation over three years ago, Kaspersky reports.
In mid-2023, Kaspersky revealed that the iOS devices of dozens of its senior employees had been compromised via zero-click iMessage attacks involving commercial spyware.
Coruna, the nation-state-grade exploit kit detailed earlier this month, targets 23 vulnerabilities in iOS, including CVE-2023-32434 and CVE-2023-38606, two kernel bugs exploited in Operation Triangulation as zero-days.
According to a fresh Kaspersky report, Coruna uses an updated version of the previously identified kernel exploit targeting these security defects.
Additionally, the cybersecurity firm discovered that all the kernel exploits in Coruna were built using the same exploitation framework and that they also share code similarities with other components of the kit.
“These findings led us to conclude that this exploit kit was not patchworked but rather designed with a unified approach. We assume that it’s an updated version of the same exploitation framework that was used — at least to some extent — in Operation Triangulation,” Kaspersky notes.
Advertisement. Scroll to continue reading.
The updated exploit, it says, performs more accurate version checking and contains checks for newer iOS iterations and for newer Apple processors. These checks also demonstrate that the same source code was used across multiple exploits targeting newer vulnerabilities, the security firm says.
“Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk. Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks,” Kaspersky notes.
Coruna was used by a Russian state-sponsored espionage group tracked as UNC6353 in attacks against Ukraine alongside DarkSword, an exploit kit targeting newer iOS versions.
A recent iteration of DarkSword was leaked on GitHub last week, allowing low-tier cybercriminals to use it in attacks. Millions of devices are likely at risk, as they run iOS versions containing vulnerabilities targeted by the exploit kit.
Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure
Related: US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites
Related: M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds
Related: From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI
Originally published by SecurityWeek
Original Source
SecurityWeek