Triangulation Operation: the framework known as Coruna
- Mar 26
Key Findings
- The Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign
- The exploit kit includes five full exploit chains and 23 exploits in total, targeting iOS 13.0 through 17.2.1
- Coruna contains four additional kernel exploits not seen in Triangulation, two of them developed after the original campaign's discovery
- Code analysis reveals Coruna was designed with a unified architecture rather than patchworked components, suggesting evolution of the same exploitation framework
- The kit has been used by multiple threat actors, including surveillance vendors, Ukrainian-based attackers, and Chinese financially motivated groups
- Kaspersky obtained and analyzed active Coruna distribution links, enabling detailed technical reverse engineering
Background
Google and iVerify first disclosed Coruna in early March 2026 after discovering it in targeted attacks by a surveillance vendor's customer. The exploit kit subsequently appeared in watering-hole attacks in Ukraine and financially motivated campaigns in China. While analyzing the kit, researchers uncovered debug versions that revealed internal exploit names and the framework identifier "Coruna." The presence of CVE-2023-32434 and CVE-2023-38606 in the kit was significant because these vulnerabilities had previously been discovered as zero-days in Operation Triangulation, a complex mobile APT campaign that Kaspersky researchers had been monitoring since discovering suspicious activity on their corporate Wi-Fi network in 2023.
Code Connection Between Triangulation and Coruna
Initial public evidence appeared insufficient to definitively link Coruna to Operation Triangulation, as shared vulnerabilities alone don't prove shared authorship. However, Kaspersky's detailed analysis changed this assessment. Researchers discovered that the kernel exploits for CVE-2023-32434 and CVE-2023-38606 in Coruna are demonstrably updated versions of the same exploits used in Triangulation. The newer versions include improved compatibility checks for XNU versions, support for iOS versions up to 17.2, and recognition of recent Apple chips like A17 and M3.
The presence of these version checks in older exploit code that targets vulnerabilities patched in iOS 16.5 beta 4 proved particularly revealing. Why would developers add checks for iOS 17.2 and newer processors if the targeted vulnerabilities were already fixed? The answer emerged upon examining Coruna's other kernel exploits—all four additional exploits are built on the same source code framework, with differences only in which vulnerabilities they exploit. This meant the version checks were added when older exploits were recompiled to support the newer exploits sharing the same underlying framework.
Unified Framework Architecture
Rather than assembling patchworked components from various sources, Coruna demonstrates a cohesive design philosophy. All kernel exploits within the kit share common code and are built on the same exploitation framework. This architectural consistency extends beyond kernel exploits to other components throughout the kit, indicating careful engineering rather than opportunistic code reuse.
Two of Coruna's four additional kernel exploits were developed after Operation Triangulation's discovery, yet they maintain the same structural approach. This suggests developers actively maintained and evolved the framework rather than abandoning it after initial exposure. The modular design allows for targeted customization—different exploits can be selected and deployed based on device characteristics, iOS version, and architecture without requiring fundamental rewrites.
Attack Chain and Technical Implementation
Coruna's attack begins with a Safari-based stager that fingerprints the target browser and selects the appropriate remote code execution and pointer authentication code (PAC) exploits for that browser version. The stager carries encrypted information about the available packages together with a 256-bit decryption key.
Once the payload initializes kernel exploitation, it downloads component information and processes multiple nested file formats. Data is first decrypted with the ChaCha20 stream cipher, yielding a container marked with the magic number 0xBEDF00D that holds LZMA-compressed data. Decompression reveals another container, marked with the magic number 0xF00DBEEF, that stores indexed files accessible by ID. This multi-layered approach allows operators to deliver different exploit combinations and malware packages depending on target device type, CPU architecture, and iOS version.
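The layered packaging described above can be exercised end to end with a small unpacker of the kind an analyst writes when triaging a captured blob. The block below is an added example, not code from the page or from Kaspersky: it keeps the two magic numbers the page reports but assumes everything else about the layout (little-endian u32 fields, a length field after the outer magic, and id/length/bytes entries after the inner magic), and the key, nonce and file contents are constructed for the demo. A pure-Python ChaCha20 (RFC 7539 block layout) is included so it runs offline with only the standard library.

```python
import lzma
import struct

# Magic numbers reported for the kit; the field layout around them is assumed.
OUTER_MAGIC = 0x0BEDF00D   # marks the container holding LZMA-compressed data
INNER_MAGIC = 0xF00DBEEF   # marks the container of files indexed by ID

_M = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (32-byte key, 32-bit counter, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds: alternating column and diagonal rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & _M for i in range(16)])

def chacha20_xor(key, nonce, data, counter=0):
    """Stream-cipher XOR; the same call both encrypts and decrypts."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def pack_bundle(files, key, nonce):
    """Build a sample blob: inner index -> LZMA -> outer container -> ChaCha20 (assumed layout)."""
    inner = struct.pack("<II", INNER_MAGIC, len(files))
    for file_id, payload in sorted(files.items()):
        inner += struct.pack("<II", file_id, len(payload)) + payload
    compressed = lzma.compress(inner)
    outer = struct.pack("<II", OUTER_MAGIC, len(compressed)) + compressed
    return chacha20_xor(key, nonce, outer)

def unpack_bundle(blob, key, nonce):
    """Peel the three layers, failing closed on any magic or length mismatch."""
    outer = chacha20_xor(key, nonce, blob)
    if len(outer) < 8:
        raise ValueError("outer container truncated")
    magic, length = struct.unpack_from("<II", outer, 0)
    if magic != OUTER_MAGIC:
        raise ValueError(f"bad outer magic {magic:#x}: wrong key or not this format")
    if 8 + length > len(outer):
        raise ValueError("outer length field exceeds blob size")
    try:
        inner = lzma.decompress(outer[8:8 + length])
    except lzma.LZMAError as exc:
        raise ValueError(f"LZMA layer corrupt: {exc}") from exc
    if len(inner) < 8:
        raise ValueError("inner container truncated")
    magic, count = struct.unpack_from("<II", inner, 0)
    if magic != INNER_MAGIC:
        raise ValueError(f"bad inner magic {magic:#x}")
    files, pos = {}, 8
    for _ in range(count):
        if pos + 8 > len(inner):
            raise ValueError("inner index truncated")
        file_id, length = struct.unpack_from("<II", inner, pos)
        pos += 8
        if pos + length > len(inner):
            raise ValueError(f"file {file_id} runs past end of container")
        files[file_id] = inner[pos:pos + length]
        pos += length
    return files

# Constructed sample: key, nonce and file contents are invented for this demo.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(12)
DEMO_FILES = {1: b"stager placeholder", 7: b"kernel-exploit placeholder", 300: b"launcher placeholder"}

def demo():
    blob = pack_bundle(DEMO_FILES, DEMO_KEY, DEMO_NONCE)
    return unpack_bundle(blob, DEMO_KEY, DEMO_NONCE)

if __name__ == "__main__":
    for file_id, data in demo().items():
        print(f"file id {file_id}: {len(data)} bytes")
```

Every length and magic check raises rather than trusting the data, which matters when the input is a hostile blob rather than one you built yourself; a wrong key is detected at the outer magic before anything is handed to the LZMA decoder. For a real capture, the key would come from the stager, which the page notes carries a 256-bit decryption key, and the field widths would have to be confirmed against the sample rather than assumed as here.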
The launcher handles post-exploitation activities by reusing kernel access established during initial exploitation rather than re-running exploits. It removes attack traces, selects target processes, injects stagers, and deploys final malware payloads in a streamlined and stealthy manner.
Threat Actor Distribution and Evolution
Coruna has proliferated across multiple threat actor groups with varying motivations. A surveillance vendor initially deployed the kit in targeted operations. Ukrainian-based group UNC6353 subsequently employed it in watering-hole attacks. Chinese financially motivated actors in group UNC6691 later adopted it for broader-scale attacks, demonstrating an active market for second-hand zero-day exploits.
This distribution pattern reflects a concerning trend where advanced exploitation frameworks originally developed for cyber-espionage gradually spread to wider criminal ecosystems. While details of CVE-2023-32434 and CVE-2023-38606 are now public and other researchers have independently developed exploits without accessing Triangulation code, the Coruna kit's adoption by multiple unconnected actors suggests the framework's sophistication makes it attractive despite public vulnerability disclosures.
The kit remains ineffective against the latest iOS release, though it poses active risk to millions of users running unpatched devices on iOS 13.0 through 17.2.1. Given Coruna's modular design and apparent ease of reuse, security researchers expect continued evolution and adaptation as the framework persists within threat actor communities.
Sources
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
https://securityaffairs.com/190010/security/coruna-exploit-reveals-evolution-of-triangulation-ios-exploitation-framework.html
https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html