Coruna Exploit Kit Reuses Operation Triangulation iOS Attacks

Security researchers discovered the Coruna exploit kit leveraging zero-click iMessage exploits from 2023's Operation Triangulation campaign targeting iPhones.

26 March 2026, 14:10

Last updated 26 March 2026, 18:00

SEVERITY: High
EXPLOIT: Active Exploit
PATCH STATUS: Available
VENDOR: Apple
AFFECTED: iOS devices, iPhone, iMessage
CATEGORY: Malware

Coruna Kit Emerges from Operation Triangulation Framework

Security researchers identified a new iOS exploit kit called Coruna that directly builds upon the sophisticated framework used in Operation Triangulation, the high-profile espionage campaign that targeted iPhones throughout 2023. The discovery, reported on March 26, 2026, reveals how threat actors continue to weaponize previously disclosed zero-click iMessage exploits for ongoing attacks against iOS devices.

Operation Triangulation originally came to light when Kaspersky researchers discovered their own corporate iPhones had been compromised through an intricate chain of zero-day exploits delivered via iMessage. The campaign exploited multiple iOS vulnerabilities, including CVE-2023-32434 in the kernel and CVE-2023-32435 in Safari's WebKit engine, to achieve full device compromise without any user interaction required.

The Coruna exploit kit represents a concerning evolution of these techniques, suggesting that the underlying exploitation framework has been adapted and potentially distributed to additional threat actors. Security analysts report that the kit maintains the same sophisticated multi-stage exploitation chain that made Operation Triangulation so effective, including the ability to bypass iOS security mechanisms and establish persistent access to compromised devices.

What makes Coruna particularly dangerous is its retention of the zero-click delivery mechanism that characterized the original campaign. Targets receive specially crafted iMessage attachments that automatically trigger the exploitation chain upon receipt, requiring no user interaction whatsoever. This approach bypasses traditional security awareness training and makes detection significantly more challenging for both individual users and enterprise security teams.

The timing of Coruna's emergence is significant, as it comes more than two years after Apple released patches for the vulnerabilities exploited in Operation Triangulation. However, the kit's effectiveness suggests that many iOS devices remain unpatched or that the framework has been adapted to exploit additional vulnerabilities that have since been discovered.

iOS Device Users Face Renewed Triangulation Threats

The Coruna exploit kit primarily targets iOS devices, with particular focus on iPhones running older versions of the operating system that lack patches for the Operation Triangulation vulnerabilities. Devices running iOS versions prior to 16.6 remain especially vulnerable, as these versions contain the unpatched kernel and WebKit flaws that form the foundation of the exploitation chain.

Enterprise environments face elevated risk due to the prevalence of managed iOS devices that may not receive timely security updates. Organizations using Mobile Device Management (MDM) solutions should prioritize immediate inventory checks to identify devices running vulnerable iOS versions. The zero-click nature of the attacks means that even security-conscious users who avoid suspicious links or attachments remain at risk.

High-value targets including government officials, journalists, activists, and business executives represent the most likely victims, mirroring the targeting patterns observed during the original Operation Triangulation campaign. The sophisticated nature of the exploit kit suggests it's likely being used for targeted espionage rather than mass exploitation, though the potential for broader distribution remains a concern.

Geographic targeting appears to focus on regions where the original Operation Triangulation campaign was most active, including parts of Europe, Asia, and the Middle East. However, the modular nature of the Coruna framework means it could be rapidly deployed against targets in any geographic region where threat actors have operational interest.

Immediate iOS Security Measures and Detection Guidance

Organizations and individual users must immediately verify that all iOS devices are updated to the latest available versions. Devices should be running iOS 16.6 or later to ensure protection against the core vulnerabilities exploited by both Operation Triangulation and the Coruna kit. Users can check their iOS version by navigating to Settings > General > About and reviewing the software version number.

For enterprise environments, administrators should use their MDM platforms to push immediate iOS updates to all managed devices. Organizations using Microsoft Intune can deploy configuration profiles that enforce minimum iOS versions, while those using VMware Workspace ONE can leverage compliance policies to identify and remediate vulnerable devices. Jamf Pro users should implement smart groups to automatically identify devices requiring security updates.
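
The inventory check described above can be scripted against an MDM export. The following is an added example, not code from the article or from any MDM vendor; the CSV column names and the sample rows are constructed assumptions. It compares versions as numeric tuples, because a plain string comparison would wrongly rank 16.10 below 16.6, and it reports devices with no version data separately instead of treating them as patched.

```python
import csv
import io

MIN_PATCHED = (16, 6)  # minimum iOS version the article names as protected

# Constructed sample of an MDM inventory export; column names are assumptions.
SAMPLE_EXPORT = """serial,user,platform,os_version
C39X0001,alice,iOS,16.5.1
C39X0002,bob,iOS,16.6
C39X0003,carol,iOS,16.10
C39X0004,dave,iOS,15.7.8
C39X0005,erin,iOS,17.4.1
C39X0006,frank,iOS,
C39X0007,grace,macOS,13.2
C39X0008,heidi,iOS,16.6 (BUILD)
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    token = text.strip().split(" ")[0]  # drop a trailing build string, if present
    if not token:
        return None
    try:
        return tuple(int(part) for part in token.split("."))
    except ValueError:
        return None

def triage(export_text, minimum=MIN_PATCHED):
    """Sort iOS rows into vulnerable / unknown / ok by comparing numeric tuples."""
    result = {"vulnerable": [], "unknown": [], "ok": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["platform"].strip().lower() != "ios":
            continue  # other platforms are out of scope for this check
        version = parse_version(row["os_version"] or "")
        if version is None:
            result["unknown"].append(row["serial"])  # no data: needs follow-up
        elif version < minimum:
            result["vulnerable"].append(row["serial"])
        else:
            result["ok"].append(row["serial"])
    return result

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```
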

Network-level detection focuses on identifying the command and control communications that follow successful exploitation. Security teams should monitor for unusual outbound connections from iOS devices, particularly encrypted traffic to previously unknown domains or IP addresses. The original Operation Triangulation campaign used sophisticated C2 infrastructure that frequently rotated domains and employed legitimate cloud services for command delivery.

Apple's Lockdown Mode provides additional protection for high-risk users who may be specifically targeted by advanced persistent threat groups. This feature, available in iOS 16 and later, significantly reduces the attack surface by disabling various iOS features commonly exploited in sophisticated attacks. Users can enable Lockdown Mode through Settings > Privacy & Security > Lockdown Mode, though this will impact device functionality and should be reserved for users facing genuine advanced threats.

Incident response teams should prepare for potential Coruna infections by establishing procedures for iOS device forensics and containment. Security experts recommend implementing mobile threat defense solutions that can detect anomalous iOS behavior patterns indicative of advanced exploitation. Organizations should also consider implementing zero-trust network architectures that limit the potential impact of compromised mobile devices on critical infrastructure.

Frequently Asked Questions

How does the Coruna exploit kit attack iOS devices?
Coruna uses zero-click iMessage exploits that automatically trigger when victims receive specially crafted attachments. The kit exploits iOS kernel and WebKit vulnerabilities without requiring any user interaction, making it extremely dangerous for targeted individuals.

Which iOS versions are vulnerable to Coruna attacks?
iOS devices running versions prior to 16.6 remain vulnerable to Coruna exploits. The kit reuses vulnerabilities from Operation Triangulation that were patched in iOS 16.6, so users must update to this version or later for protection.

Can Lockdown Mode protect against Coruna exploits?
Yes, Apple's Lockdown Mode provides significant protection against Coruna and similar advanced exploits by reducing the iOS attack surface. This feature disables various iOS functions commonly targeted by sophisticated threat actors, though it impacts device usability.
