March 29, 2026 · 1754 words

Threat Intelligence

Coruna Framework:
From Espionage Tool to Mass Exploit Kit

March 29, 2026  ·  5 min read  ·  Joshua Nichols

A sophisticated iOS exploit kit named Coruna has been publicly linked to the same developers behind Operation Triangulation — the zero-click espionage campaign that silently compromised iPhones starting as far back as 2019. What was once a precision intelligence tool is now showing up in financially motivated attacks and watering-hole campaigns around the world.

> Background: Operation Triangulation

Operation Triangulation was a highly sophisticated mobile APT campaign discovered by Kaspersky in June 2023 during internal WiFi network monitoring. The campaign had actually been running since 2019, using zero-click iMessage exploits to silently infect iPhones with spyware implants. It chained together four zero-day vulnerabilities — including undocumented features in Apple silicon — to bypass hardware-based security protections.

Among the key vulnerabilities exploited were CVE-2023-32434 and CVE-2023-38606, both kernel-level bugs. Apple patched them in iOS 16.5 beta 4 following Kaspersky's disclosure. The technical details have since been made public, and independent researchers have built their own proof-of-concept exploits. But the story didn't end there.

⚠ KEY CVEs
CVE-2023-32434 — Integer overflow in the kernel, allowing arbitrary code execution with kernel privileges
CVE-2023-38606 — Kernel vulnerability exploiting undocumented MMIO registers in Apple chips

> Enter Coruna

On March 4, 2026, Google's Threat Intelligence Group and mobile security firm iVerify independently published reports detailing a new, highly capable iOS exploit kit. A debug build of the kit leaked its internal project name: Coruna.

Google's analysis showed the kit was first observed in targeted attacks by a customer of an unnamed surveillance vendor. It later surfaced in watering-hole attacks targeting Ukrainian users (attributed to a Russia-aligned group tracked as UNC6353) and in financially motivated campaigns in China involving fake cryptocurrency exchange and gambling sites that distributed data-stealing malware called PlasmaLoader.

The kit is comprehensive: it contains five full iOS exploit chains and a total of 23 individual exploits, targeting iPhone models running iOS versions 13.0 through 17.2.1. It is ineffective against the latest iOS release.

> Proving the Triangulation Connection

Initially, the connection between Coruna and Operation Triangulation was circumstantial — shared vulnerabilities alone don't prove shared authorship. But Kaspersky's Global Research and Analysis Team (GReAT) took it further. Some of the original distribution URLs reported by Google were still live, which allowed Kaspersky to collect, decrypt, and perform a full code-level analysis of Coruna's components.

The results were definitive. The kernel exploit for CVE-2023-32434 and CVE-2023-38606 inside Coruna turned out to be an updated build of the exact same exploit used in Operation Triangulation. Key changes in the updated version include:

01   Improved XNU version string parsing for more precise device fingerprinting
02   Added support for iOS 17.2, suggesting active development as late as December 2023
03   Checks for Apple's A17, M3, M3 Pro, and M3 Max processors
04   A specific check for iOS 16.5 beta 4 — the exact build that patched the original vulnerabilities

Beyond that one updated exploit, four additional kernel exploits were found in Coruna that had never appeared in Operation Triangulation — two of which were developed after the Triangulation campaign was publicly exposed. All five kernel exploits share a common code base and exploitation framework. Code similarities also extend into other components like the loaders and launchers, reinforcing that this is a unified, continuously maintained toolkit — not a patchwork of borrowed code.

"What began as a precision espionage tool is now deployed indiscriminately."
— Boris Larin, Principal Security Researcher, Kaspersky GReAT

> Attack Chain Overview

Coruna's attack chain begins when a victim visits a compromised or malicious website in Safari. A stager component fingerprints the browser and device, then selects and delivers the appropriate remote code execution (RCE) and pointer authentication code (PAC) bypass exploits based on the exact browser and OS version detected.

The stager also contains a URL pointing to an encrypted configuration file that catalogs all available exploit packages and post-exploitation components. Once initial code execution is achieved, the payload downloads additional encrypted components, decrypts them using ChaCha20, decompresses them with LZMA, and parses custom container formats. Based on the device's architecture (ARM64 vs ARM64E), iOS version, and CPU, it selects and executes the appropriate kernel exploit, Mach-O loader, and launcher.

The launcher serves as the primary post-exploitation orchestrator: it leverages the kernel exploit to drop and execute the final spyware implant, then cleans up exploitation artifacts to cover the forensic trail.

┌─────────────┐    ┌──────────────┐    ┌──────────────┐
│   Safari    │───▶│    Stager    │───▶│  RCE + PAC   │
│  (victim)   │    │ fingerprint  │    │   exploits   │
└─────────────┘    └──────────────┘    └──────┬───────┘
                                              │
                   ┌──────────────┐           │
                   │  Encrypted   │◀──────────┘
                   │   packages   │
                   │  (ChaCha20)  │
                   └──────┬───────┘
                          │
                   ┌──────▼───────┐    ┌──────────────┐
                   │    Kernel    │───▶│   Launcher   │
                   │   exploit    │    │  (implant +  │
                   │  selection   │    │   cleanup)   │
                   └──────────────┘    └──────────────┘

> Why This Matters

The evolution of this toolkit illustrates a pattern that should concern anyone in security: nation-state-grade exploit frameworks don't disappear after exposure. They get updated, expanded, and eventually redistributed to a wider set of threat actors. Coruna has already been observed in at least three distinct contexts — targeted surveillance, state-backed watering-hole campaigns, and financially motivated cybercrime — a spread that underscores the framework's modular, plug-and-play architecture.

Adding to the concern, a separate iOS exploit kit called DarkSword was also recently leaked on GitHub. DarkSword targets newer iOS versions than Coruna and had previously been limited to espionage operations. Its public availability now means lower-tier attackers can access what were once elite offensive capabilities.

Millions of devices running older iOS versions remain vulnerable. All of the vulnerabilities Coruna exploits have been patched by Apple, but patching lags are real — particularly in regions with older device populations or slower update adoption.

RECOMMENDATIONS
  Update to the latest iOS version immediately. Coruna is ineffective against current builds.
  Enable Lockdown Mode if you're in a higher-risk category (journalists, activists, executives, government staff).
  Avoid browsing untrusted websites on devices running iOS versions older than 17.3.
  Monitor Kaspersky's Securelist and Google TAG for continued analysis as the investigation is ongoing.
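
The stager in the attack chain picks its exploits from the browser and OS version it fingerprints, and the recommendations above hinge on that same version number. Defenders can read the same signal. The Python script below is an added example, not code from the Kaspersky, Google or iVerify reports: it pulls the iOS version out of Safari user-agent strings found in web-proxy logs and out of an MDM-style inventory export, and flags devices inside the range Coruna is reported to target, iOS 13.0 through 17.2.1. The proxy log layout, client IP addresses, serial numbers and version strings are constructed for this example. The comparison deliberately works on numeric tuples rather than strings, so 17.10 is treated as newer than 17.2.1, and inventory entries whose version cannot be parsed are reported separately instead of being silently counted as safe.

```python
import re

# Range reported for the Coruna kit: iOS 13.0 through 17.2.1
# (17.3 and later fall outside the kit's targeting).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# iOS version as Safari advertises it in its user-agent string,
# e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
_UA_VERSION = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")

# Constructed proxy log layout used by this example: timestamp, client IP,
# method, URL, quoted user-agent. Not a format from the original report.
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_version(text):
    """Turn '17.2.1' or '17.2' into a comparable (major, minor, patch) tuple.

    Returns None for anything that is not a dotted numeric version. Tuples
    compare numerically, so 17.10 sorts above 17.2.1, which a plain string
    comparison would get wrong.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when an iOS version tuple falls inside the Coruna-targeted range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def version_from_user_agent(ua):
    """Extract the iOS version a Safari user-agent advertises, or None."""
    m = _UA_VERSION.search(ua)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage_proxy_log(lines):
    """Return sorted (client_ip, 'major.minor.patch') pairs for clients whose
    Safari user-agent places them inside the affected range."""
    flagged = set()
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client_ip, _method, _url, ua = m.groups()
        version = version_from_user_agent(ua)
        if version and is_affected(version):
            flagged.add((client_ip, "%d.%d.%d" % version))
    return sorted(flagged)


def triage_inventory(devices):
    """Return (affected_serials, unparsed_serials) for an MDM-style inventory.

    Devices whose os_version cannot be parsed are listed separately so they
    get a manual look instead of being treated as safe by omission."""
    affected, unparsed = [], []
    for dev in devices:
        version = parse_version(dev.get("os_version", ""))
        if version is None:
            unparsed.append(dev["serial"])
        elif is_affected(version):
            affected.append(dev["serial"])
    return sorted(affected), sorted(unparsed)


# Constructed sample data (not taken from the original report).
SAMPLE_PROXY_LOG = [
    '2026-03-10T09:14:02Z 10.1.4.22 GET https://news.example/ "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1"',
    '2026-03-10T09:14:05Z 10.1.4.23 GET https://news.example/ "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1"',
    '2026-03-10T09:14:09Z 10.1.4.24 GET https://news.example/ "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1"',
    '2026-03-10T09:14:11Z 10.1.4.25 GET https://news.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"',
    'this line is malformed and should be skipped',
]

SAMPLE_INVENTORY = [
    {"serial": "C0NSTRUCTED01", "os_version": "17.2.1"},
    {"serial": "C0NSTRUCTED02", "os_version": "17.10"},
    {"serial": "C0NSTRUCTED03", "os_version": "12.5.7"},
    {"serial": "C0NSTRUCTED04", "os_version": "unknown"},
]

if __name__ == "__main__":
    print(triage_proxy_log(SAMPLE_PROXY_LOG))
    print(triage_inventory(SAMPLE_INVENTORY))
```

Run against a real proxy export, the first function gives a list of client addresses to chase down; the inventory function is the one to feed from your MDM, since a user-agent only shows devices that happened to browse through the proxy. Both treat "unknown" as a finding rather than a pass.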
SOURCES
Kaspersky Securelist — "Coruna framework: an exploit kit and ties to Operation Triangulation" (March 2026)
Google Threat Intelligence Group — Initial Coruna disclosure (March 4, 2026)
iVerify — Coruna technical analysis (March 2026)
SecurityWeek, BleepingComputer, The Hacker News — supplementary reporting