Coruna Exploit Kit Evolved: Targets Latest iOS with Zero-Click iMessage Attacks
The **Coruna** exploit kit, a successor to the framework used in Operation Triangulation, now targets modern Apple hardware, including A17 and M3 chips. This updated framework leverages 23 vulnerabilities to compromise devices running up to iOS 17.2, demonstrating a continuous evolution of sophisticated iOS espionage tools.

The **Coruna** exploit kit represents a significant evolution of the framework previously employed in the Operation Triangulation espionage campaign. This campaign, active since 2019, famously targeted iPhones through zero-click iMessage exploits.
### Expanded Target Scope
The updated software now casts a wider net, specifically targeting Apple's cutting-edge **A17** and **M3** chips, as well as operating systems up to **iOS 17.2**. This expansion indicates a sustained effort to maintain relevance against the latest hardware and software defenses.
### Exploit Chains and Vulnerabilities
**Coruna** incorporates five full iOS exploit chains, exploiting a total of 23 vulnerabilities. Notably, it reuses **CVE-2023-32434** and **CVE-2023-38606**, two vulnerabilities previously exploited in Operation Triangulation. Researchers at **Kaspersky** discovered that the **Coruna** kit uses an updated version of the exploit used in Operation Triangulation.
> “During our analysis we’ve discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna, in fact, is an updated version of the same exploit that was used in Operation Triangulation,” the researchers say in a [report](https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/) today.
### Attack Flow
According to **Kaspersky's** analysis, the attack sequence begins in Safari with a stager. This initial stage fingerprints the target device, selects appropriate Remote Code Execution (RCE) and Pointer Authentication Code (PAC) exploits, and retrieves encrypted metadata necessary for subsequent stages. The payload then downloads additional encrypted components, decrypts them using ChaCha20, decompresses them with LZMA, and parses custom container formats to extract package information. Finally, based on the device’s architecture and iOS version, it selects and executes the kernel exploit, Mach-O loader, and launcher to deploy the spyware implant.

**Kaspersky’s** findings also reveal that the payloads support both ARM64 and ARM64E architectures, including explicit checks for **A17**, **M3**, **M3 Pro**, and **M3 Max** chips. The package IDs and system checks further indicate that the exploits can target:
* iOS < 14.0 beta 7
* iOS < 14.7
* iOS < 16.5 beta 4
* iOS < 16.6 beta 5
* iOS < 17.2
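
For fleet triage against the version list above, the following is an added example, not code from Kaspersky's report: it flags inventory entries that fall under each listed bound and treats a beta bound as excluding the matching release (14.0 itself is not below 14.0 beta 7). The inventory format, device names, and function names are assumptions; a match means the reported build is inside a listed range, not that the device lacks Apple's fixes.

```python
import re

# Upper bounds listed above, as (major, minor, beta); beta None means a release build.
BOUNDS = [
    ("iOS < 14.0 beta 7", (14, 0, 7)),
    ("iOS < 14.7", (14, 7, None)),
    ("iOS < 16.5 beta 4", (16, 5, 4)),
    ("iOS < 16.6 beta 5", (16, 6, 5)),
    ("iOS < 17.2", (17, 2, None)),
]

# Assumed inventory format: "16.5", "17.1.2" or "16.5 beta 3".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s+beta\s+(\d+))?$", re.I)


def sort_key(major, minor, patch=0, beta=None):
    """Ordering key in which every beta of X.Y sorts before the X.Y release."""
    stage = (0, beta) if beta is not None else (1, 0)
    return (major, minor, patch, stage)


def parse(version):
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version: {version!r}")
    major, minor, patch, beta = m.groups()
    return sort_key(int(major), int(minor), int(patch or 0),
                    int(beta) if beta else None)


def bounds_covering(version):
    """Labels of the listed bounds that a reported version falls under."""
    key = parse(version)
    return [label for label, (major, minor, beta) in BOUNDS
            if key < sort_key(major, minor, 0, beta)]


def triage(inventory):
    """Map each device under at least one bound to the bounds covering it."""
    hits = {name: bounds_covering(ver) for name, ver in inventory.items()}
    return {name: labels for name, labels in hits.items() if labels}


# Constructed sample inventory (hypothetical device names), not data from the report.
SAMPLE_INVENTORY = {
    "iphone-a": "14.0", "iphone-b": "16.5 beta 3", "iphone-c": "16.6",
    "iphone-d": "17.1.2", "iphone-e": "17.2", "iphone-f": "17.4.1",
}

if __name__ == "__main__":
    for device, labels in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {SAMPLE_INVENTORY[device]} -> {', '.join(labels)}")
```
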
### Triangulation Connection
**Boris Larin**, principal security researcher at **Kaspersky** Global Research and Analysis Team (GReAT), emphasized the connection to Triangulation: "Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework." The developers are actively updating the framework to include checks for newer processors (e.g., M3) and iOS builds.
### From Espionage to Cryptocurrency Theft
**Coruna** has also been observed in financially-motivated campaigns targeting cryptocurrency theft through fake exchange websites. As **Larin** notes, "what began as a precision espionage tool is now deployed indiscriminately."
### Other iOS Exploit Kits
This disclosure follows the recent discovery of another exploit kit, **DarkSword**, by researchers at **Google** and the mobile security companies **Lookout** and **iVerify**. **DarkSword** is also being used by multiple threat actors, primarily for espionage. The public availability of **DarkSword** increases the risk of cybercriminals leveraging it against unpatched iPhones.
### Apple's Response
**Apple** has released a [security bulletin](https://support.apple.com/en-us/126776) addressing these recently uncovered exploit kits, stating that fixes for all identified flaws have been included in security updates for the latest and earlier iOS versions.