Kaspersky has uncovered critical new findings about the Coruna exploit kit, revealing that it is not a separate threat but rather an evolved version of the previously identified Operation Triangulation framework. This discovery highlights how advanced cyber threats continue to develop and adapt even after public disclosure.

To begin with, Kaspersky’s in-depth analysis shows that one of Coruna’s five kernel exploits directly stems from the same exploit used in Operation Triangulation back in 2023. Furthermore, the remaining four exploits—including two created after the original campaign became public—are built on the same underlying framework. As a result, researchers concluded that Coruna is not a collection of unrelated tools but a continuously maintained and upgraded cyber-espionage platform.

In addition, the investigation revealed that the codebase includes support for newer Apple hardware such as A17, M3, M3 Pro, and M3 Max processors. It also references iOS versions up to 17.2, demonstrating that attackers have actively updated the framework to target the latest devices and software releases. Notably, the code even checks for iOS 16.5 beta 4—the version Apple released to fix previously reported vulnerabilities—indicating a high level of sophistication and awareness.

Explaining the significance of these findings, Boris Larin, principal security researcher at Kaspersky GReAT, stated:

“When Coruna was first reported, the public evidence wasn’t sufficient to link its code to Triangulation — shared vulnerabilities alone don’t prove shared authorship. Now that we’ve analyzed the actual binaries, the picture is different. Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately.”

Moreover, Kaspersky emphasized that while Apple has already patched the exploited vulnerabilities, devices that remain unpatched are still at significant risk. Therefore, the company strongly advises all iPhone users to install the latest iOS updates immediately to safeguard their devices.

For context, Operation Triangulation is a sophisticated advanced persistent threat (APT) campaign that initially targeted iOS devices and was disclosed in June 2023. Kaspersky first detected the campaign while monitoring its own corporate Wi-Fi network, where attackers targeted the iPhones of multiple employees. During the investigation, researchers identified four zero-day vulnerabilities affecting a wide range of Apple devices.

To further mitigate risks, Kaspersky recommends several proactive security measures. For instance, organizations should centralize event monitoring using advanced SIEM solutions to gain full visibility into security events. Additionally, keeping operating systems and applications up to date is crucial for patching vulnerabilities. Companies should also invest in threat intelligence tools and cybersecurity training to enhance their defense capabilities.

Ultimately, this discovery underscores the evolving nature of cyber threats. As attackers continue to refine their tools, organizations and individuals must adopt a proactive and layered security approach to stay protected.
