Researchers warn the Coruna iOS exploit kit is reusing Operation Triangulation exploits to target iPhones and launch large-scale attacks.
Security researchers have discovered that a powerful iOS exploit kit known as “Coruna” is reusing code originally developed for the Operation Triangulation cyber-espionage campaign, expanding its use in broader cyberattack operations.
The findings suggest that tools once used in highly targeted surveillance campaigns are now being adapted for large-scale exploitation against iPhone users.
The Coruna exploit kit contains five complete iOS exploit chains and 23 individual exploits, targeting devices running iOS 13 through iOS 17.2.1.
According to researchers, several of the exploits included in the kit were originally used as zero-day vulnerabilities in Operation Triangulation, a sophisticated attack campaign that previously targeted Apple devices.
The exploit framework also includes support for newer Apple hardware such as A17 processors and M3-series chips, indicating ongoing development and adaptation.
The attack chain typically begins when a victim visits a compromised or malicious website using Safari.
Once the page loads, a staging script fingerprints the device to determine the iPhone model, iOS version, and hardware configuration. The exploit kit then selects the most suitable exploit chain to compromise the device.
After exploitation, the framework downloads additional components and executes a payload capable of launching malware, escalating privileges, and hiding traces of the intrusion.
Researchers believe Coruna may have originally been designed for targeted surveillance operations, but it has since spread across different threat groups.
Investigations indicate the exploit kit has been used by:
- A commercial surveillance vendor’s customer
- A Russia-linked espionage group conducting attacks in Ukraine
- A financially motivated cybercrime group operating from China
In some cases, attackers deployed the exploits through fake cryptocurrency and gambling websites designed to lure victims into visiting malicious pages.
Security analysts say the Coruna case highlights a growing underground market for reused or resold zero-day exploits. Tools once reserved for government-level surveillance campaigns are increasingly being repurposed by other threat actors.
Experts warn that millions of users running outdated or unpatched iOS versions could remain vulnerable if they do not update their devices.
Apple has since released security updates addressing several of the vulnerabilities used by the exploit kit, urging users to install the latest iOS versions to remain protected.
Reports are sourced from official documents, law-enforcement updates, and credible investigations.
Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.
