Kaspersky's Global Research and Analysis Team (GReAT) conducted a code-level analysis of Coruna's exploits and determined that the kit is a direct, updated iteration of the framework that was at least partially used in the Operation Triangulation cyber-espionage campaign. Kaspersky is confident that the kernel exploits in both Triangulation and Coruna were created by the same author.
The analysis revealed that one of the kit's five kernel exploits is an updated version of the same exploit Kaspersky discovered in Operation Triangulation back in 2023. The remaining four — including two developed after Operation Triangulation was publicly disclosed — are built on the same exploitation framework. Code similarities extend beyond kernel exploits into other Coruna components, leading Kaspersky to conclude that the kit is not assembled from disparate parts but is a continuously maintained evolution of the original framework.
The code includes support for Apple's A17, M3, M3 Pro and M3 Max processors, as well as references to iOS versions through 17.2 — all released in 2023. It also includes a specific check for iOS 16.5 beta 4, the version Apple released to patch the vulnerabilities Kaspersky had reported.
"When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship. Now that we've analysed the actual binaries, the picture is different. Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately," said Boris Larin, principal security researcher at Kaspersky GReAT.
Kaspersky urges all iPhone users to install the latest iOS updates immediately. The vulnerabilities exploited by Coruna have been patched by Apple, but unpatched devices remain at risk.
Operation Triangulation is an advanced persistent threat (APT) campaign targeting iOS devices, first disclosed in June 2023. Kaspersky discovered the campaign while monitoring the network traffic of its own corporate Wi-Fi network — the threat actor had been targeting iOS devices of dozens of Kaspersky employees. Kaspersky researchers identified four zero-day vulnerabilities exploited in the campaign affecting a broad spectrum of Apple products.
To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Update your operating system, applications, and security software regularly to patch any known vulnerabilities.
- Centralise event monitoring across your entire infrastructure using solutions such as Kaspersky SIEM, which provides comprehensive visibility into security events and enhances the performance of your security operations.
- Provide your cybersecurity team with in-depth visibility into cyber threats targeting your organisation. The latest Kaspersky Threat Intelligence offers rich, meaningful context throughout the entire incident management cycle, helping them identify cyber risks promptly.
- Upskill your cybersecurity team to address the latest targeted threats, for example with practically-oriented Kaspersky Cybersecurity Training.
- To establish strong endpoint protection and build incident response capabilities, use solutions from Kaspersky Next product line. With their essential EDR functionality, advanced controls, patch management, and cloud security, these solutions offer threat visibility, guided investigation, and response to help businesses quickly deflect evasive attacks with minimal resources.
The full technical analysis is available on Securelist.com.
