Kaspersky’s Global Research and Analysis Team (GReAT) has conducted a code-level analysis of Coruna’s exploits and determined that the kit is a direct, updated iteration of the framework that was at least partially used in the Operation Triangulation cyberespionage campaign.

Kaspersky says it is confident that the kernel exploits in both Triangulation and Coruna were created by the same author.

The analysis revealed that one of the kit’s five kernel exploits is an updated version of the same exploit Kaspersky discovered in Operation Triangulation back in 2023. The remaining four – including two developed after Operation Triangulation was publicly disclosed – are built on the same exploitation framework.

Code similarities extend beyond kernel exploits into other Coruna components – leading Kaspersky to conclude that the kit is not assembled from disparate parts, but is a continuously maintained evolution of the original framework.

The code includes support for Apple’s A17, M3, M3 Pro and M3 Max processors, as well as references to iOS versions through 17.2 – all released in 2023. It also includes a specific check for iOS 16.5 beta 4, the version Apple released to patch the vulnerabilities Kaspersky had reported.

“When Coruna was first reported, the public evidence wasn’t sufficient to link its code to Triangulation – shared vulnerabilities alone don’t prove shared authorship,” says Boris Larin, principal security researcher at Kaspersky GReAT. “Now that we’ve analysed the actual binaries, the picture is different. Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase.

“What began as a precision espionage tool is now deployed indiscriminately,” Larin adds.

Kaspersky urges all iPhone users to install the latest iOS updates immediately. The vulnerabilities exploited by Coruna have been patched by Apple, but unpatched devices remain at risk.

Operation Triangulation is an advanced persistent threat (APT) campaign targeting iOS devices, first disclosed in June 2023.

Kaspersky discovered the campaign while monitoring the network traffic of its own corporate Wi-Fi network – the threat actor had been targeting the iOS devices of dozens of Kaspersky employees. Kaspersky researchers identified four zero-day vulnerabilities, affecting a broad spectrum of Apple products, that were exploited in the campaign.