Kaspersky Links Coruna Exploit Kit to Updated Operation Triangulation Framework
Kaspersky has revealed that the recently identified Coruna exploit kit is a direct and updated iteration of the framework used in the highly sophisticated Operation Triangulation cyber-espionage campaign, according to new findings from its Global Research and Analysis Team (GReAT).
Following an in-depth code-level analysis, Kaspersky researchers confirmed that the kernel exploits used in both Coruna and Operation Triangulation were developed by the same author. The study highlights that Coruna is not a collection of unrelated tools, but rather a continuously evolving framework derived from the original Triangulation codebase.
The analysis identified five kernel exploits within Coruna, one of which is an updated version of an exploit first discovered during Operation Triangulation in 2023. The remaining four exploits—including two developed after the public disclosure of the original campaign—are built on the same underlying framework. Researchers also found extensive code similarities across other components of the kit, reinforcing the conclusion of a shared origin and ongoing development.
Further evidence of active maintenance includes support for Apple’s latest hardware, such as the A17, M3, M3 Pro, and M3 Max processors, along with references to iOS versions up to 17.2. The code also contains a specific check for iOS 16.5 beta 4, a version released by Apple to address vulnerabilities previously reported by Kaspersky.
Boris Larin, Principal Security Researcher at Kaspersky GReAT, stated:
“Coruna is not a patchwork of public exploits; it represents the continued evolution of the original Operation Triangulation framework. The inclusion of checks for newer processors and operating system versions demonstrates that the developers are actively maintaining and expanding the platform. What began as a precision espionage tool is now being deployed more broadly.”
Kaspersky is urging all iPhone users to install the latest iOS updates immediately, noting that although Apple has already patched the exploited vulnerabilities, devices that have not been updated remain exposed to attack.
Operation Triangulation, first disclosed in June 2023, is classified as an advanced persistent threat (APT) campaign targeting iOS devices. The campaign was initially uncovered by Kaspersky while monitoring traffic on its own corporate Wi-Fi network, where attackers were found targeting the iPhones of multiple employees. Researchers identified four zero-day vulnerabilities leveraged in the attacks, impacting a wide range of Apple devices.
To mitigate the risk of similar targeted attacks, Kaspersky recommends that organizations adopt a proactive cybersecurity posture. Key measures include regularly updating operating systems and applications, centralizing event monitoring through SIEM platforms, leveraging threat intelligence for enhanced visibility, investing in cybersecurity training, and deploying advanced endpoint detection and response (EDR) solutions.
The full technical breakdown of the Coruna exploit kit is available on Kaspersky’s Securelist platform.
