The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky.
“When Coruna was first reported, the public evidence wasn’t sufficient to link its code to Triangulation — shared vulnerabilities alone don’t prove shared authorship,” Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement.
“Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately.”
Coruna was first documented by Google and iVerify earlier this month as targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.
Although the use of the kit was first used by a customer of an unnamed surveillance company early last year, it has since been leveraged by a suspected Russia-aligned nation-state actor in watering hole attacks in Ukraine and in a mass exploitation campaign that employed a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).
The exploit kit contains five full iOS exploit chains and a total of 23 exploits, including CVE-2023-32434 and CVE-2023-38606, both of which were first used as zero-days in Operation Triangulation, a sophisticated campaign targeting iOS devices that involved the exploitation of four vulnerabilities in Apple’s mobile operating system.
The latest findings from Kaspersky indicated the kernel exploits in both Triangulation and Coruna were created by the same author, with Coruna also using four additional kernel exploits. The Russian security vendor said all these exploits are built on the same kernel exploitation framework and share common code.
Specifically, the code includes support for Apple’s A17, M3, M3 Pro, and M3 Max processors, along with checks for iOS 17.2 and iOS version 16.5 beta 4, the latter of which patched all four vulnerabilities exploited as part of Operation Triangulation. The check for iOS 17.2, on the other hand, is meant to take into account the newer exploits, Kaspersky said.
The starting point of the attack is when a user visits a compromised website on Safari, causing a stager to fingerprint the browser and serve the appropriate exploit based on the browser and operating system version. This, in turn, paves the way for the execution of a payload that triggers the kernel exploit.
“After downloading the necessary components, the payload begins executing kernel exploits, Mach-O loaders, and the malware launcher,” Kaspersky said. “The payload selects an appropriate Mach-O loader based on the firmware version, CPU, and presence of the iokit-open-service permission.”
The launcher is the primary orchestrator responsible for initiating the post-exploitation activities, leveraging the kernel exploit to drop and execute the final implant. It also cleans up exploitation artifacts to cover up the forensic trail.
“Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk,” Larin said. “Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks.”
The development comes as a new version of iPhone exploit kit DarkSword has been leaked on GitHub, raising concerns that it could equip more threat actors with advanced capabilities to compromise devices, effectively turning what was once an elite hacking tool into a mass exploitation framework. The release of the new version was first reported by TechCrunch.
