From Targeted Espionage to Mass Exploitation. Coruna iOS Kit Reuses Triangulation Codebase

A recently identified iOS exploit kit, known as Coruna, is reusing and evolving code originally developed for the Operation Triangulation campaign, according to new research.

The findings indicate that what was once a highly targeted espionage framework is now being adapted for broader, large-scale attacks.

What Is Coruna

Coruna is an advanced iOS exploit kit targeting iPhones running versions from iOS 13 up to iOS 17.2.1.

The framework includes:

  • multiple full exploit chains
  • kernel-level exploitation capabilities
  • device and OS-aware payload delivery
  • post-exploitation tooling for persistence and cleanup

Initial reporting linked Coruna to targeted campaigns.
Recent activity shows a shift toward wider deployment.

Link to Operation Triangulation

Analysis shows that Coruna builds upon the same kernel exploitation framework used in Operation Triangulation (2023).

Key indicators:

  • reuse of exploits tied to previously identified vulnerabilities
  • shared architectural patterns in kernel exploitation
  • consistent codebase evolution rather than isolated reuse

The framework has been actively maintained and expanded.

Support for newer Apple hardware (A17, M3 series) and recent iOS versions indicates ongoing development.

How the Attack Works

The attack typically begins when a user visits a compromised website via Safari.

The process:

  1. The site fingerprints the device and OS version
  2. A tailored exploit chain is delivered
  3. A payload triggers kernel-level exploitation
  4. A loader executes the final malware implant
  5. Artifacts are removed to reduce forensic visibility

This enables deep system-level control of the device.

From Precision Targeting to Scale

Coruna has been observed in multiple contexts:

  • targeted activity linked to nation-state operations
  • watering hole attacks in geopolitical environments
  • large-scale campaigns using fake websites (e.g. gambling and crypto platforms)
  • delivery of data-stealing malware such as PlasmaLoader

This reflects a shift.

Capabilities initially built for controlled intelligence operations are now being reused in broader campaigns.

Why This Matters

This development signals a change in how advanced mobile exploits are used.

Three key implications:

1. High-end exploit frameworks are no longer limited to espionage
Tools developed for targeted use are becoming reusable assets.

2. Mobile attack surface continues to expand
Web-based entry points remain a viable path to full device compromise.

3. Exploit reuse accelerates threat scaling
Maintained frameworks reduce the cost of launching new campaigns.

DIAMATIX Perspective

This case illustrates a familiar transition: from specialized capability to operational reuse.

The risk is not only the exploit itself.
It is the lifecycle of the framework behind it.

Once developed, these capabilities evolve and spread.

From a defensive standpoint, this creates challenges:

  • exploitation occurs before traditional detection layers activate
  • mobile environments offer limited visibility compared to endpoints
  • forensic traces are actively removed post-compromise

Organizations often underestimate mobile risk, especially in corporate identity contexts.

Effective protection requires:

  • visibility across mobile access to corporate services
  • monitoring of abnormal web and identity interactions
  • alignment between mobile, identity, and network signals
  • rapid response to suspected compromise, even without clear indicators

Mobile devices are no longer peripheral.
They are part of the primary attack surface.
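
As an added illustration (not code from the cited research or from DIAMATIX tooling), one way to start on visibility across mobile access to corporate services is to flag sign-ins from iPhones whose reported iOS version falls in the range the article gives for Coruna, iOS 13 up to 17.2.1. The event field names and sample events are constructed assumptions, and the User-Agent is client-reported, so a hit is a patching and triage priority, not evidence of compromise.

```python
import re
from collections import defaultdict

# Range the article gives for Coruna targeting: iOS 13 up to iOS 17.2.1.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

# Safari-style token, e.g. "CPU iPhone OS 17_2_1 like Mac OS X".
# The patch component is optional ("iPhone OS 16_6").
IOS_TOKEN = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def ios_version(user_agent):
    """Return (major, minor, patch) for an iPhone User-Agent, else None."""
    m = IOS_TOKEN.search(user_agent)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def in_affected_range(version):
    """True when the version lies inside the article's stated range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def flag_sign_ins(events):
    """Map user -> sorted in-range iOS versions seen in their sign-in events."""
    flagged = defaultdict(set)
    for ev in events:
        v = ios_version(ev.get("user_agent", ""))
        if v is not None and in_affected_range(v):
            flagged[ev["user"]].add(v)
    return {user: sorted(versions) for user, versions in flagged.items()}


# Constructed sample events; "user" and "user_agent" are hypothetical field
# names, not taken from any particular identity provider's export format.
SAMPLE_EVENTS = [
    {"user": "alice", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"},
    {"user": "bob", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"},
    {"user": "carol", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"},
    {"user": "dave", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"user": "alice", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_5_7 like Mac OS X) AppleWebKit/605.1.15"},
]

if __name__ == "__main__":
    for user, versions in flag_sign_ins(SAMPLE_EVENTS).items():
        print(user, [".".join(map(str, v)) for v in versions])
```

Where MDM inventory is available, its OS version field is a more reliable input than the User-Agent and can be passed through the same range check.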


Sources

Kaspersky GReAT. Research on Coruna exploit kit and Triangulation linkage
Google Threat Intelligence / iVerify. Initial Coruna reporting
Public reporting on Operation Triangulation (2023)
Threat intelligence on PlasmaLoader (PLASMAGRID) campaigns
TechCrunch. Reporting on DarkSword exploit kit leak

This article is based on publicly available threat intelligence as of March 2026.
