
Coruna iOS Exploit Kit Evolved From Triangulation

Coruna exploit kit evolves from exclusive Triangulation tool to mass iOS attacks

  • The recently uncovered iOS exploit kit Coruna uses an updated version of the kernel exploit framework from the 2023 Operation Triangulation espionage campaign.
  • The framework now includes checks for newer Apple M3 processors and iOS versions, showing it is actively maintained and expanded.
  • The framework, written by the same authors as the elite espionage tool, is now being used indiscriminately in mass exploitation campaigns by suspected Russia-aligned actors.
  • Separately, a new version of the iPhone exploit kit DarkSword has been publicly leaked, potentially enabling more threat actors.

In March 2026, security researchers revealed that the advanced Apple iOS exploit framework Coruna, now used in mass attacks, is a direct evolution of the previously exclusive espionage tool used in Operation Triangulation. According to the new findings, Kaspersky determined that its kernel exploit is an updated version of the same code used in the 2023 campaign. This demonstrates how sophisticated state-level hacking tools can trickle down to broader criminal use. Boris Larin, principal security researcher at Kaspersky GReAT, stated: “What began as a precision espionage tool is now deployed indiscriminately.”


The framework contains five full iOS exploit chains and twenty-three exploits, among them exploits for CVE-2023-32434 and CVE-2023-38606. Kaspersky confirmed the shared authorship because the code includes support for Apple’s A17, M3, M3 Pro, and M3 Max processors. It also contains checks for iOS 17.2 and for version 16.5 beta 4, which patched the original Triangulation vulnerabilities.

Coruna was first documented targeting iPhone models running iOS 13.0 to 17.2.1. It has been used in watering hole attacks in Ukraine and delivered via fake Chinese gambling and cryptocurrency websites. These sites deliver a data-stealing malware known as PlasmaLoader (aka PLASMAGRID).

The attack starts when a user visits a compromised website in Safari. A stager then fingerprints the browser and serves the appropriate exploit based on the system version. This paves the way for a payload that triggers the kernel exploit and carries out post-exploitation activities.

Separately, a new version of the iPhone exploit kit DarkSword has been leaked on GitHub, as first reported by TechCrunch. According to reports, the leak could equip more threat actors with advanced capabilities. Taken together, these developments show that elite hacking frameworks are becoming accessible for mass exploitation.
