Coruna’s old wine in new bottles.
We’ve seen this movie before—sophisticated iPhone hacks dressed up as the latest threat. Back in 2023, Operation Triangulation hit our radars at Kaspersky, a nasty APT campaign zeroing in on iOS with spyware and a chain of zero-days. Fast-forward to 2026, Google and iVerify drop reports on this Coruna framework, an exploit kit popping up in surveillance gigs, watering holes in Ukraine, and cash-grab attacks in China. And guess what? Its kernel exploits for CVE-2023-32434 and CVE-2023-38606? Straight-up updates of Triangulation’s code.
Operation Triangulation Déjà Vu
Look, Triangulation wasn’t your garden-variety smash-and-grab. We caught it sniffing our corporate Wi-Fi—iOS phones phoning home to shady servers. Six months of digging revealed a spyware beast riding multiple zero-days, straight to root on iPhones. We spilled the beans at 37C3, and Apple patched those holes. But here’s the kicker: Coruna’s devs named their framework after some Spanish city (Coruña, get it?), and left debug strings screaming the connection.
Those distribution links Google flagged? Still live when Kaspersky grabbed ‘em. Decrypted the lot. Boom—same kernel exploit family, now with four extras, two cooked up post-Triangulation. Shared code everywhere. This ain’t a Frankenstein hack job; it’s a proper framework, unified like IKEA furniture from hell.
“The kernel exploit for CVE-2023-32434 and CVE-2023-38606 vulnerabilities used in Coruna, in fact, is an updated version of the same exploit that had been used in Operation Triangulation.”
That’s Kaspersky’s own words—pulled straight from their analysis. Chills, right?
What Makes Coruna Tick?
Starts in Safari. A stager sniffs your browser version, picks the right RCE and PAC bypass—version-specific nastiness. Grabs a URL for an encrypted manifest of exploits, plus a 256-bit key. Hands it off to the PAC payload.
The payload then kicks off the kernel stage. It downloads the package list, ChaCha20-decrypts it into a container tagged with the 0xBEDF00D magic, and finds LZMA-compressed data inside. That unpacks into a 0xF00DBEEF file store whose components are addressed by ID (0x70000 for the initial manifest, for instance). The container header even has a neat layout:
| Offset | Field |
|---|---|
| 0x00 | Magic number (0xBEDF00D) |
| 0x04 | Decompressed data size |
| 0x08 | LZMA-compressed data |
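To make the table concrete for anyone triaging a captured sample, here is an added parser for that 0xBEDF00D container. It is example code written for this post, not Kaspersky's or Google's tooling, and it makes assumptions the page does not state: the magic and size fields are 4-byte little-endian integers, the body is in the legacy .lzma ("LZMA alone") format that Python's `lzma` module calls `FORMAT_ALONE`, the outer ChaCha20 layer has already been stripped, and a 64 MiB ceiling on declared size is a made-up sanity limit. The `build_container` helper only exists to fabricate sample blobs for the demonstration.

```python
"""Parser for the 0xBEDF00D container layout (added example, not project code)."""
import lzma
import struct
from typing import Optional

MAGIC = 0xBEDF00D                 # magic number from the offset table above
HEADER = struct.Struct("<II")     # assumed: magic at 0x00, decompressed size at 0x04, little-endian
MAX_PAYLOAD = 64 * 1024 * 1024    # assumed absolute cap; the page gives no size limit


class ContainerError(ValueError):
    """Raised when a blob does not fit the expected container layout."""


def parse_container(blob: bytes) -> bytes:
    """Validate the header and return the decompressed payload.

    The declared size doubles as a hard cap on the decompressor, so a
    truncated, corrupted or deliberately oversized sample is rejected
    instead of being expanded without bound.
    """
    if len(blob) < HEADER.size:
        raise ContainerError("blob shorter than the 8-byte header")
    magic, size = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ContainerError(f"bad magic 0x{magic:X}, expected 0x{MAGIC:X}")
    if size > MAX_PAYLOAD:
        raise ContainerError(f"declared size {size} exceeds sanity cap")
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        # one byte more than declared: lets us detect a stream that lies low
        out = dec.decompress(blob[HEADER.size:], max_length=size + 1)
    except lzma.LZMAError as exc:
        raise ContainerError(f"LZMA body is corrupt: {exc}") from exc
    if len(out) != size or not dec.eof:
        raise ContainerError(f"header declares {size} bytes, stream yielded {len(out)}")
    return out


def build_container(payload: bytes, declared_size: Optional[int] = None) -> bytes:
    """Assemble a container around *payload* (constructed sample data only).

    *declared_size* lets a test deliberately put a wrong size in the header.
    """
    size = len(payload) if declared_size is None else declared_size
    body = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    return HEADER.pack(MAGIC, size) + body


if __name__ == "__main__":
    # constructed stand-in for a manifest; the real one is not on the page
    sample = b'{"id": "0x70000", "note": "constructed manifest stand-in"}'
    assert parse_container(build_container(sample)) == sample
    print("container round-trips; magic, size and LZMA body all check out")
```

The size check is the part worth copying into any real carving script: a container whose header and stream disagree is either damaged or hostile, and `max_length` keeps a bogus header from turning the parser into a decompression bomb.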
Cynical me wonders—who builds something this modular? Not script kiddies. Surveillance vendors peddling to governments, that’s who. Remember FinSpy or Pegasus? Same playbook: kit-ify exploits, sell subscriptions.
And four more kernel pops? All post-Triangulation, meaning someone’s been busy bulking up their portfolio. All on the same framework. Code reuse screams efficiency—state actors pinching pennies, or black-market flippers maximizing ROI.
Why Reuse Triangulation Code?
Here’s my take, which the Kaspersky report doesn’t go into: this reeks of post-Stuxnet proliferation. Remember how US/Israeli worm code leaked and spawned Duqu, Flame? Triangulation—widely pegged at Russia or China—gets ripped, repackaged as Coruna for plausible deniability. Vendors tweak it, flog to mid-tier clients. Bold prediction: by 2027, we’ll see Coruna forks in Latin America elections or Middle East espionage. Who’s making bank? Not Apple. Not Google. Shady brokers in Cyprus or UAE, laundering spy-tech bucks.
Patched vulns everywhere else in the chain, sure. But chaining CVE-2023-32434 (font parsing gone wild) with CVE-2023-38606 (kernel memory corruption)? That’s Triangulation DNA. Devs didn’t rewrite; they evolved it. Smart, if you’re evil.
But. iPhone users—update religiously. Vendors? Your kits leak like sieves.
Who’s Actually Cashing In Here?
Follow the money, always. Google says a surveillance vendor’s customer kicked this off. Then it spreads—Ukraine watering holes (Russian ops?), China fraud. Debug version outs Coruna, so devs got sloppy. Or cocky.
Unified framework means scalability. Add vulns like LEGO. Sell to APT groups too lazy to code from scratch. PR spin from Google? Noble threat intel. Reality: they’re late to our party; we broke Triangulation first.
Deep dive on the formats shows pro work—custom magics, LZMA to keep payloads small. But why ChaCha20 over AES? Speed on constrained iOS, maybe. Or signaling to buyers: we’re boutique.
Real Risks for iPhone Owners
Not theoretical. Active links mean live ops. If you’re high-value—activists, journos, execs—assume targeted. Triangulation hit us corporates; Coruna democratizes it.
Apple’s patched, yeah. But chains evolve. Next zero-day? Inevitable.
Frequently Asked Questions
What is the Coruna framework? Coruna’s an iPhone exploit kit reusing Operation Triangulation’s kernel code, sold for surveillance and attacks.
Is Coruna related to Operation Triangulation? Yes—direct code lineage, updated exploits sharing the same framework.
How does Coruna attack iPhones? Safari stager to kernel via RCE/PAC chains, modular payloads from encrypted manifests.