
How to Trace the Origins of the Coruna Exploit Kit: Linking It to Operation Triangulation

2026-05-03 01:40:13

Introduction

In March 2026, security researchers from Google and iVerify disclosed a sophisticated exploit kit targeting Apple iPhones. This kit, internally named Coruna, was first deployed by a surveillance vendor’s client, then adapted for watering-hole attacks in Ukraine and financially motivated campaigns in China. A debug version leaked internal names, including “Coruna.” The kit leveraged multiple patched vulnerabilities and two zero-days—CVE-2023-32434 and CVE-2023-38606—that originally surfaced in Operation Triangulation, a complex mobile APT campaign uncovered by Kaspersky during internal network monitoring. Analysis revealed that Coruna’s kernel exploit for these CVEs is an updated version of the same exploit used in Operation Triangulation, and the framework includes four additional kernel exploits with shared code. This guide walks you through the process of analyzing Coruna and connecting it to Operation Triangulation.

How to Trace the Origins of the Coruna Exploit Kit: Linking It to Operation Triangulation
Source: securelist.com

Step-by-Step Analysis Guide

Step 1: Collect and Review Initial Reports

Begin by gathering the foundational reports from Google and iVerify published on March 4, 2026. Note that Coruna was first used by a surveillance vendor’s customer, then repurposed by other attackers. Pay attention to the list of vulnerabilities: the kit exploits several already-patched CVEs plus CVE-2023-32434 and CVE-2023-38606. Cross-reference these with Kaspersky’s earlier reports on Operation Triangulation to identify overlapping zero-days.

Step 2: Understand the Operation Triangulation Campaign

Operation Triangulation was discovered by Kaspersky in 2023 when suspicious network traffic originated from iOS devices on their corporate Wi-Fi. The campaign used a spyware implant and multiple zero-days, including CVE-2023-32434 and CVE-2023-38606. Read Kaspersky’s detailed analysis and the presentation at the 37th Chaos Communication Congress (37C3). Familiarize yourself with the attack chain and the original exploit code to establish a baseline for comparison.

Step 3: Identify Active Distribution Links for Coruna

According to Google’s report, some distribution links for the Coruna kit remained active at the time of publication. Try to access these links (if still live) to download the sample. Use caution: handle malware in an isolated sandbox. If links are dead, search threat intelligence platforms for captured samples. The debug version of the kit revealed internal exploit names and the framework name – prioritize obtaining that variant.

Step 4: Decrypt and Extract Components

The Coruna kit may be encrypted or obfuscated. Use dynamic analysis to decrypt payloads as they execute, or find decryption keys in public reports. Extract all components: the kernel exploits, userland payloads, and configuration files. Document the file hashes and structure.

Step 5: Analyze the Kernel Exploit for CVE-2023-32434 and CVE-2023-38606

Focus on the kernel exploit that targets these two vulnerabilities. Disassemble the binary and compare it with the known exploit code from Operation Triangulation. Look for code similarities: identical function names, constants, exploitation primitives, and patch bypasses. Kaspersky found that Coruna's version is an updated build of the Triangulation exploit, so identify what changed (e.g., updated offsets, new bypasses) and how those changes track later iOS versions.


Step 6: Examine the Four Additional Kernel Exploits

Coruna includes four kernel exploits not seen in Operation Triangulation; two of these were developed after Triangulation was discovered. For each exploit, document the vulnerability (CVE if known), the targeted iOS versions, the exploitation technique, and the code structure. Look for code shared across all of the exploits: common libraries, utility functions, or a unified exploit framework architecture. Such sharing indicates the kit was designed cohesively rather than assembled piecemeal from unrelated exploits.

Step 7: Compare Code Across Components

Beyond the kernel exploits, analyze the other Coruna components (e.g., persistence, privilege escalation, data exfiltration). Use a diffing tool to compare their code fragments with those in the kernel exploits. Shared strings, function prologues, or error-handling routines point to the same development team. Kaspersky noted that code similarities from the kernel exploits appear in other Coruna components, reinforcing the unified-framework conclusion.
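Steps 5 to 7 all come down to measuring code overlap between two binaries. The Python script below is an added example, not code from the Securelist post or from Kaspersky's tooling: it extracts printable strings and fixed-size byte n-grams from two constructed sample blobs and scores their overlap with Jaccard similarity. The helper names, the n-gram size and the sample bytes are assumptions chosen for illustration.

```python
"""Added example (not from the Securelist post): a small code-similarity check of
the kind used in Steps 5-7. Printable strings and byte n-grams are extracted from
two binaries and their overlap is scored with Jaccard similarity. The two blobs
at the bottom are constructed, not real Coruna or Triangulation samples."""
import re
from typing import Set

MIN_STRING_LEN = 4   # shortest printable run treated as a string (as `strings` does)
NGRAM_LEN = 8        # window size for raw code-byte comparison (assumption)

def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> Set[str]:
    # Runs of printable ASCII, which is what `strings` would print.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}

def extract_ngrams(blob: bytes, n: int = NGRAM_LEN) -> Set[bytes]:
    # Sliding byte windows approximate shared code fragments such as prologues.
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}

def jaccard(a: set, b: set) -> float:
    # Overlap ratio; two empty sets are treated as identical.
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def compare_binaries(x: bytes, y: bytes) -> dict:
    # Returns the shared strings plus string- and byte-level similarity scores.
    sx, sy = extract_strings(x), extract_strings(y)
    gx, gy = extract_ngrams(x), extract_ngrams(y)
    return {
        "shared_strings": sorted(sx & sy),
        "string_similarity": jaccard(sx, sy),
        "ngram_similarity": jaccard(gx, gy),
    }

# Constructed sample blobs: a shared arm64 function prologue (stp x29,x30 / mov x29,sp)
# and shared helper names, plus variant-specific bytes so the two are not identical.
PROLOGUE = bytes.fromhex("fd7bbfa9fd030091")
SHARED = b"\x00init_runtime\x00cleanup_state\x00"
SAMPLE_A = PROLOGUE + SHARED + b"\x01\x02\x03\x04" + b"variantA_only\x00"
SAMPLE_B = PROLOGUE + SHARED + b"\x09\x08\x07\x06" + b"variantB_only\x00"

if __name__ == "__main__":
    print(compare_binaries(SAMPLE_A, SAMPLE_B))
```

On real samples, run the same comparison per function after disassembly rather than over whole files, so that shared linker padding or library code does not inflate the score.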

Step 8: Reconstruct the Attack Chain

Based on your analysis, map out the Coruna attack chain. Compare it to the simplified diagram provided in the original reports (highlighting the shared kernel exploit in red). Note how the delivery mechanism (e.g., watering-hole, spear-phishing) and payload differ from Operation Triangulation. Document the timeline: the zero-days were first used in Triangulation, then later integrated into Coruna along with newer exploits.

Step 9: Draw Conclusions and Report Findings

Summarize that Coruna is not a one-off kit but an evolution of the same framework used in Operation Triangulation. Support this with evidence of shared code, updated exploits, and the developer’s internal naming. Publish your findings to the security community, referencing both Kaspersky’s and Google’s work. Include indicators of compromise (IoCs) to help others detect the kit.
