The Coruna iOS exploit kit has been identified by researchers as an evolved version of the sophisticated Operation Triangulation framework used in 2023. While originally designed for precision espionage, the toolkit has been updated to support modern M3 chips and is now being deployed in broader, more indiscriminate attacks.
New analysis from Kaspersky confirms that the kernel exploits within the Coruna kit share a common codebase and authorship with the original Operation Triangulation campaign. Although initial reports could not definitively link the two based on shared vulnerabilities alone, the latest findings show a continuous evolution of the framework rather than a simple collection of public exploits. The developers have actively maintained the code to include checks for the latest Apple processors, such as the A17 and M3 series, and newer versions of iOS up to 17.2.
The toolkit was first documented earlier this month as targeting iPhone models running versions between iOS 13.0 and 17.2.1. While it was initially used by a surveillance company client, it has recently been adopted by suspected nation-state actors for watering hole attacks in Ukraine and mass exploitation campaigns using fake gambling sites. These attacks deliver data-stealing malware by drawing on a massive library of twenty-three exploits in total, including several zero-days that were central to the original Triangulation campaign.
The infection process begins when a user visits a compromised website using the Safari browser. A stager fingerprints the device to determine the specific operating system and hardware version before serving a customized exploit. Once the browser is compromised, a payload is executed to trigger the kernel exploit, which then downloads a Mach-O loader and a malware launcher. This launcher orchestrates the final stages of the attack, dropping the primary implant while simultaneously wiping forensic artifacts to hide the breach.
Security experts warn that this shift represents a dangerous trend in which elite hacking tools are becoming accessible to a wider range of cybercriminals. The modular design of the Coruna framework makes it easy for various threat actors to reuse, putting millions of users with unpatched devices at risk. This concern is further amplified by the recent leak of other advanced exploit kits like DarkSword on public platforms, effectively lowering the barrier to entry for high-level mobile device compromise.
Source: https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/



