INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Triangulation Exploit Framework Linked to Triangulation Attacks
2026-03-26 19:12 | CRITICAL HIGH
Executive Summary AI-generated
The Coruna iOS exploit kit is a highly capable and advanced framework that has been used to steal sensitive data from Apple devices. Developed by cybercriminals of a broader kind, this toolkit enables full-chain attacks to target iPhones running iOS 18.4–18.7 and has been observed in campaigns targeting countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine. The Coruna exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign, suggesting a possible link between the two. This suggests that Coruna is not a mix of reused parts but a more advanced evolution of the same exploitation framework behind Operation Triangulation.
Technical Mitigations AI-generated
* Update devices to an iOS version that includes the fixes for the vulnerabilities the exploit targets (CVE-2023-32434 and CVE-2023-38606) to prevent exploitation.
* Regularly update software components, including Safari and other browsers, on devices that Coruna exploits could target, to ensure they are patched against known vulnerabilities.
* Use a secure coding practice that includes checking for compatibility with newer iOS versions (up to 17.2), CPU architectures, and firmware versions to improve the exploit's effectiveness and reduce the risk of detection.
* Implement a dynamic analysis mechanism to detect and adapt to changes in the target environment, such as device type, CPU, and iOS version, to maximize the payload's effectiveness.
* Consider implementing a sandboxing or isolation approach for devices running Coruna exploits to prevent lateral movement and minimize the attack's impact.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation Triangulation
CVE-2023-32434
CVE-2023-38606
Target & Sectors
NORTH_AMERICA
Incident Timeline
fall 2023
Threat actors used a newly discovered exploit in iOS 16.5 beta 4 to target devices running Triangulation iOS exploitation framework, which evolved from earlier versions including A17 and M3 processors.
infrastructure
Ios
Added checks for newer Apple processors: A17, M3, M3 Pro, M3 Max (released in fall 2023).
Added a check for iOS version 16.5 beta 4.
late 2023
Threat actors used undocumented features in Apple chips to bypass hardware-based security protections.
June 2023
Threat actors used a previously unknown exploit in the Triangulation iOS exploitation framework to target devices.
December 2023
Threat actors used a previously unknown exploit in the Triangulation iOS exploitation framework to target devices running December 2023 versions of iOS.
infrastructure
Ios
We assume that this was the latest version of iOS at the time of development (released in December 2023).
February 2025
The exploit kit used in the Coruna incident targets iPhones running iOS 17.2 or newer, and its loader is updated to support recent Apple chips like A17 and M3.
infrastructure
Ios
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
Analysis shows the Coruna exploit kit uses several patched vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, two flaws first seen as zero-days in the Operation Triangulation iOS campaign.
Why does the exploit need to check for iOS 17.2 and newer CPUs if the targeted vulnerabilities were fixed in iOS 16.5 beta 4?
DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets.
These define which exploits, loaders, and malware components to fetch, depending on device type, CPU, and iOS version.
The newer code improves compatibility by checking more XNU version details, supporting newer iOS versions (up to 17.2), and recognizing recent Apple chips like A17 and M3.
tactic
T1059.007 - JavaScript
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, Coruna)
2025-03-26
Threat actors used a previously unknown exploit in the Triangulation iOS framework to target devices.
target_region
China
source_region
Russian Federation
source_region
Ukraine
organisation
PlasmaLoader
Although the use of the kit was first used by a customer of an unnamed surveillance company early last year, it has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a mass exploitation campaign that employed a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).
late 2025
Threat actors used a new iOS exploit kit called DarkSword to target devices in late 2025.
infrastructure
Ios
In mid-March, Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors.
March 4, 2026
Threat actors used a previously unknown exploit in the Triangulation iOS exploitation framework to target devices.
organisation
iVerify
Introduction
On March 4, 2026, Google and iVerify published reports about a highly sophisticated exploit kit targeting Apple iPhone devices.
Mar 26, 2026
Threat actors used a previously unknown exploit in the Triangulation iOS exploitation framework to target devices.
2026-03-26
The Coruna exploit reveals evolution of Triangulation iOS exploitation framework.
campaign
Operation Triangulation
“During our analysis we’ve discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna, in fact, is an updated version of the same exploit that was used in Operation Triangulation,” the researchers say in a report today.
Coruna: the framework used in Operation Triangulation.
Coruna contains five full iOS exploit chains leveraging 23 vulnerabilities, among them CVE-2023-32434 and CVE-2023-38606 also used in Operation Triangulation.
Ravie Lakshmanan
Mar 26, 2026
Malware / Mobile Security
The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
vulnerability
CVE-2023-32434
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple's mobile operating system.
Analysis of the kit showed that it relies on the exploitation of many previously patched vulnerabilities and also includes exploits for CVE-2023-32434 and CVE-2023-38606.
organisation
UNC6353
GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits.
organisation
iPhones
The Coruna exploit kit is an evolution of the framework used in the Operation Triangulation espionage campaign, which in 2023 targeted iPhones via zero-click iMessage exploits.
While highly capable against iPhones running iOS 13.0 through 17.2.1 versions, Coruna is ineffective against the latest iOS release, according to Google.
infrastructure
Ios
Operation Triangulation was a highly sophisticated iOS espionage campaign that used multiple zero-day exploits to silently infect iPhones and deploy spyware implants.
Operation Triangulation is a complex mobile APT campaign targeting iOS devices.
"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework."
Additionally, the developers continued to update the framework by including checks for newer processors (e.g., M3) and iOS builds.
Specifically, the code includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities exploited as part of Operation Triangulation.
Coruna exploit reveals evolution of Triangulation iOS exploitation framework
Kaspersky found Coruna iOS exploits reuse updated code from the 2023 Operation Triangulation attacks, suggesting a possible link.
Kaspersky researchers discovered that the Coruna iOS exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign.
We noticed suspicious activity that originated from several iOS-based phones.
Some of the observed Package IDs (those with unique content)
Package ID | Description
0xF3300000 | Kernel exploit (iOS < 14.0 beta 7) and other components
0xF3400000 | Kernel exploit (iOS < 14.7) and other components
0xF3700000 | Kernel exploit (iOS < 16.5 beta 4) and other components
0xF3800000 | Kernel exploit (iOS < 16.6 beta 5) and other components
0xF3900000 | Kernel exploit (iOS < 17.2) and other components
0xA3030000 | Mach-O loader (iOS 16.X) (A13 – A16)
0xA3050000 | Mach-O loader (iOS 16.0 – 16.4)
Added a check for iOS 17.2.
Coruna iOS exploit framework linked to Triangulation attacks.
The software has been expanded to target modern hardware, specifically including Apple's A17 and M3 chips, as well as operating systems up to iOS 17.2.
Based on the device’s architecture and iOS version, it selects and executes the appropriate kernel exploit, Mach-O loader, and launcher to deploy the spyware implant.
Also, the package IDs and system checks indicate that the exploits can target:
iOS < 14.0 beta 7
iOS < 14.7
iOS < 16.5 beta 4
iOS < 16.6 beta 5
iOS < 17.2
Boris Larin, principal security researcher at Kaspersky Global Research and Analysis Team (GReAT), says the connection with Triangulation became evident after analyzing Coruna's binaries.
Apple has published a bulletin to address all these recently uncovered exploit kits, noting that fixes for all flaws have been made available via security updates for the latest, as well as earlier, iOS versions.
Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks.
The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase.
Coruna was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The check for iOS 17.2, on the other hand, is meant to take into account the newer exploits, Kaspersky said.
Coruna exploit reveals evolution of Triangulation iOS exploitation framework.
In early March, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1.
organisation
DarkSword
Like Coruna, DarkSword is being used by multiple threat actors, but all appear to be leveraging it for espionage operations.
organisation
Kaspersky
After analyzing the exploit code for the two security issues, Kaspersky researchers determined that Coruna ran an updated version of the exploit used in Operation Triangulation that had started since 2019.
organisation
Triangulation
"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship," Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement.
Another exploit kit, dubbed DarkSword, was disclosed earlier this month by researchers at mobile security companies Lookout and iVerify, and Google.
According to Google, the exploit kit was first discovered in targeted attacks conducted by a customer of an unnamed surveillance vendor.
organisation
PAC
Safari
Exploitation begins with a stager that fingerprints the browser and selects and executes appropriate remote code execution (RCE) and pointer authentication code (PAC) exploits depending on the browser version.
Source: Kaspersky
Kaspersky's analysis shows that the attack begins in Safari with a stager that fingerprints the device, selects suitable RCE and PAC exploits, and then retrieves encrypted metadata for subsequent stages.
organisation
Magic
The file format used by the exploit kit to store compressed data
Offset | Field
0x00 | Magic number (0xBEDF00D)
0x04 | Decompressed data size
0x08 | LZMA-compressed data
The decompressed data presents another container with the magic number 0xF00DBEEF.
organisation
Entry[0].Status
The file format used by the exploit kit to store files
Offset | Field
0x00 | Magic number (0xF00DBEEF)
0x04 | Number of entries
0x08 | Entry[0].File ID
0x0C | Entry[0].Status
0x10 | Entry[0].File offset
0x14 | Entry[0].File size
We provide a description of all possible File ID values below.
organisation
File ID
At this stage, when the payload gathers information about all available file packages, this container holds only one file, and its File ID is 0x70000.
organisation
CPU
Other bytes of the Package ID define the supported firmware version and CPU generation.
"The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission.
organisation
Observed File
Observed File IDs
File ID | Description
0x10000 | Implant
0x50000 | Mach-O loader (default)
0x70000 | List of additional components
0x70005 | Launcher config
0x80000 | Launcher in 0xF2/0xF3 packages, or Mach-O loader in 0xA2/0xA3
0x90000 | Kernel exploit
0x90001 | Kernel exploit (for Mach-O loader)
0xA0000 | Logs cleaner
0xA0001 | Mach-O loader component
0xA0002 | Mach-O loader component
0xF0000 | RPC stager
After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher.
organisation
Triangulation and Coruna
The latest findings from Kaspersky indicated the kernel exploits in both Triangulation and Coruna were created by the same author, with Coruna also using four additional kernel exploits.
organisation
GitHub
The development comes as a new version of iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework.
organisation
TechCrunch
The release of the new version was first reported by TechCrunch.
Tactical Metrics
Metrics
infrastructure
Ios
Affected Product
Click for context!
Operation Triangulation is a complex mobile APT campaign targeting iOS devices.
We noticed suspicious activity that originated from several iOS-based phones.
Some of the observed Package IDs (those with unique content)
Package ID
Description
0xF3300000
Kernel exploit (iOS < 14.0 beta 7) and other components
0xF3400000
Kernel exploit (iOS < 14.7) and other components
0xF3700000
Kernel exploit (iOS < 16.5 beta 4) and other components
0xF3800000
Kernel exploit (iOS < 16.6 beta 5) and other components
0xF3900000
Kernel exploit (iOS < 17.2) and other components
0xA3030000
Mach-O loader (iOS 16.X) (A13 – A16)
0xA3050000
Mach-O loader (iOS 16.0 – 16.4)
Added a check for iOS 17.2.
We assume that this was the latest version of iOS at the time of development (released in December 2023).
Added checks for newer Apple processors: A17, M3, M3 Pro, M3 Max (released in fall 2023).
Added a check for iOS version 16.5 beta 4.
Why does the exploit need to check for iOS 17.2 and newer CPUs if the targeted vulnerabilities were fixed in iOS 16.5 beta 4?
"
Operation Triangulation was a highly sophisticated iOS espionage campaign that used multiple zero-day exploits to silently infect iPhones and deploy spyware implants.
Coruna iOS exploit framework linked to Triangulation attacks.
The software has been expanded to target modern hardware, specifically including Apple's A17 and M3 chips, as well as operating systems up to iOS 17.2.
Coruna contains five full iOS exploit chains leveraging 23 vulnerabilities, among them CVE-2023-32434 and CVE-2023-38606 also used in Operation Triangulation.
Based on the device’s architecture and iOS version, it selects and executes the appropriate kernel exploit, Mach-O loader, and launcher to deploy the spyware implant.
Also, the package IDs and system checks indicate that the exploits can target:
* iOS < 14.0 beta 7
* iOS < 14.7
* iOS < 16.5 beta 4
* iOS < 16.6 beta 5
* iOS < 17.2
Boris Larin, principal security researcher at Kaspersky Global Research and Analysis Team (GReAT), says the connection with Triangulation became evident after analyzing Coruna's binaries.
"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework."
Additionally, the developers continued to update the framework by including checks for newer processors (e.g., M3) and iOS builds.
Apple has published a bulletin to address all these recently uncovered exploit kits, noting that fixes for all flaws have been made available via security updates for the latest, as well as earlier, iOS versions.
Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks.
Ravie Lakshmanan
Mar 26, 2026
Malware / Mobile Security
The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase.
Coruna was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple's mobile operating system.
Specifically, the code includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities exploited as part of Operation Triangulation.
The check for iOS 17.2, on the other hand, is meant to take into account the newer exploits, Kaspersky said.
DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets.
Coruna exploit reveals evolution of Triangulation iOS exploitation framework.
Kaspersky found Coruna iOS exploits reuse updated code from the 2023 Operation Triangulation attacks, suggesting a possible link.
Kaspersky researchers discovered that the Coruna iOS exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign.
In early March, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1.
While highly capable against iPhones running iOS 13.0 through 17.2.1 versions, Coruna is ineffective against the latest iOS release, according to Google.
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
Analysis shows the Coruna exploit kit uses several patched vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, two flaws first seen as zero-days in the Operation Triangulation iOS campaign.
These define which exploits, loaders, and malware components to fetch, depending on device type, CPU, and iOS version.
The newer code improves compatibility by checking more XNU version details, supporting newer iOS versions (up to 17.2), and recognizing recent Apple chips like A17 and M3.
“Why does the exploit need to check for iOS 17.2 and newer CPUs if the targeted vulnerabilities were fixed in iOS 16.5 beta 4?
In mid-March, Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors.
Intelligence Sources
* Kaspersky, 2026-03-26
* BleepingComputer, 2026-03-26: Coruna iOS exploit framework linked to Triangulation attacks
* The Hacker News, 2026-03-26
* Security Affairs, 2026-03-26
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:41