The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship," Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement.
"Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately."
Coruna was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
Although the use of the kit was first used by a customer of an unnamed surveillance company early last year, it has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a mass exploitation campaign that employed a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple's mobile operating system.
The latest findings from Kaspersky indicated the kernel exploits in both Triangulation and Coruna were created by the same author, with Coruna also using four additional kernel exploits. The Russian security vendor said all these exploits are built on the same kernel exploitation framework and share common code.
Specifically, the code includes support for Apple's A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities exploited as part of Operation Triangulation. The check for iOS 17.2, on the other hand, is meant to take into account the newer exploits, Kaspersky said.
Larin told The Hacker News that Kaspersky has detected Coruna-related artifacts in its telemetry and that analysis is ongoing to determine if threat actors beyond those documented by Google and iVerify have leveraged the hacking tool.
The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the execution of a payload that triggers the kernel exploit.
"After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher," Kaspersky said. "The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission."
The launcher is the primary orchestrator responsible for initiating the post-exploitation activities, leveraging the kernel exploit to drop and execute the final implant. It also cleans up exploitation artifacts to cover up the forensic trail.
"Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk," Larin said. "Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks."
The development comes as a new version of iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework. The release of the new version was first reported by TechCrunch.
"This is a dangerous democratization of advanced exploitation tools. Historically, the massive R&D costs required to build complex iOS exploit chains restricted their use to state-sponsored, highly targeted operations," Larin said. "That economic barrier is now collapsing. While updating these frameworks with new vulnerabilities likely remains within the capability of the original authors only, the frameworks themselves are in the wild – acting as ready-made delivery mechanisms."
"Less sophisticated, financially motivated actors can leverage this top-tier exploitation capability to deploy their own payloads, transforming what was a multi-million-dollar espionage tool into an accessible instrument for mass targeting."
Larin said the shift "fundamentally" changes the threat model, as users are no longer at risk solely from highly-targeted attacks. They are exposed to indiscriminate watering-hole campaigns and employee personal devices can become potential silent backdoors into enterprise networks.
"It also highlights a structural tension in mobile security: iOS's closed ecosystem is highly effective at baseline defense, but it prevents the broader security industry from providing an independent layer of protection when Apple's own defenses are bypassed," Larin added. "Third-party security tools are locked out of these deep-level intrusions, making timely iOS updates the only reliable mitigation. We strongly recommend updating to the latest iOS immediately and enabling Lockdown Mode."
(The story was updated after publication to include additional insights from Kaspersky.)
