
Inside Coruna: The Exploit Framework Behind Operation Triangulation

Last updated: 2026-05-03

In March 2026, Google and iVerify revealed a highly advanced exploit kit targeting iPhones, later named Coruna. This framework was first used in attacks by a surveillance vendor's customer, then in watering-hole campaigns in Ukraine and financially motivated attacks in China. Notably, Coruna shares a direct lineage with the infamous Operation Triangulation, a sophisticated APT campaign discovered by Kaspersky researchers. By analyzing live distribution links, Kaspersky's GReAT team unpacked Coruna's components and found that its kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the one used in Operation Triangulation. This Q&A explores the framework's origins, exploits, and significance.

What is Coruna and how was it discovered?

Coruna is the internal name for a sophisticated exploit kit targeting Apple iOS devices. It was first publicly described in reports by Google and iVerify on March 4, 2026. The kit was initially used in targeted attacks by a customer of an unnamed surveillance vendor. Later, it appeared in watering-hole attacks in Ukraine and financially motivated attacks in China. Researchers discovered a debug version of Coruna, which revealed its internal exploit names and the framework moniker 'Coruna.' This debug build allowed security teams to trace the kit's origins and understand its construction. Kaspersky's experts obtained live distribution links that were still active when the Google report was published, enabling them to collect and decrypt the complete Coruna payload. Analysis showed that Coruna relies on several patched vulnerabilities along with two zero-day exploits—CVE-2023-32434 and CVE-2023-38606—which were first observed in Operation Triangulation.

Source: securelist.com

How does Coruna relate to Operation Triangulation?

Operation Triangulation is a complex mobile APT campaign discovered by Kaspersky researchers while monitoring their corporate Wi-Fi network. The campaign used multiple zero-day exploits and a sophisticated spyware implant. Kaspersky disclosed their findings over six months and presented them at the 37th Chaos Communication Congress (37C3). The two vulnerabilities CVE-2023-32434 and CVE-2023-38606 were first exploited as zero-days in Operation Triangulation. When analyzing Coruna, Kaspersky found that the kernel exploit for these vulnerabilities was essentially an updated version of the same exploit used in Operation Triangulation. The attack chains of both operations share striking similarities—the kernel exploitation framework and common code appear in both. This led researchers to conclude that Coruna is not a patchwork of different exploits but a unified, evolved version of the same framework used in the Triangulation campaign.

What vulnerabilities does Coruna exploit?

Coruna exploits a combination of previously patched vulnerabilities and two critical zero-days: CVE-2023-32434 and CVE-2023-38606. CVE-2023-32434 is an iOS kernel issue that allows arbitrary code execution with kernel privileges. CVE-2023-38606 is a separate kernel vulnerability also leading to privilege escalation. Both were initially discovered as zero-days in Operation Triangulation. By the time Coruna was analyzed, these CVEs had been patched by Apple, but attackers used them against unpatched devices. The exploit kit also includes other kernel exploits for older vulnerabilities, two of which were developed after the discovery of Operation Triangulation. This indicates that the framework's developers continuously updated their arsenal. The kernel exploitation framework underlying these exploits shares common code across all components, reinforcing the conclusion that Coruna is a cohesive, actively maintained toolkit rather than a repackaged collection of disparate exploits.

What makes Coruna's kernel exploit unique?

The kernel exploit for CVE-2023-32434 and CVE-2023-38606 in Coruna is not a fresh development—it is an updated version of the exact exploit used in Operation Triangulation. This continuity is significant because it shows that the same threat actors or group likely maintained and improved the exploit over time. Unlike many exploit kits that stitch together code from different sources, Coruna's kernel exploit shares a common codebase with other exploits in the kit. Forensic analysis revealed code similarities not only in the kernel exploits but also in other components of Coruna. This unified approach suggests a professional development team with a long-term strategy. The debug version of Coruna, which leaked the internal names, further confirmed that all exploits were built on the same framework. The exploit's evolution includes refinements to evade newer mitigations and target additional iOS versions, making it a persistent threat even after the original Triangulation campaign was exposed.


What additional exploits are included in Coruna?

Beyond the two zero-days from Operation Triangulation, Coruna contains four additional kernel exploits that were not seen in the earlier campaign. Two of these exploits were developed after Kaspersky's discovery of Operation Triangulation, indicating active development. All these exploits are built on the same kernel exploitation framework and share common code. The presence of multiple exploits for different iOS versions makes Coruna versatile—attackers can choose the best exploit for their target's device state. The exploit kit also includes non-kernel components such as privilege escalation modules and payload delivery mechanisms. By analyzing the decrypted payloads from live distribution links, researchers identified these extra exploits and mapped their relationships within the framework. The code reuse and architectural consistency across all exploits confirm that Coruna is not a collection of random tools but a professionally engineered weapon system.

How were the Coruna components collected and analyzed?

When Google's report was published, some distribution links for Coruna were still active. Kaspersky researchers immediately collected the payloads from these links. They then decrypted and disassembled the components. The availability of a debug version of the exploit kit was a major boon—it contained internal naming conventions and framework identifiers, including the name 'Coruna' itself. By analyzing the code, researchers discovered code similarities across kernel exploits and other components, which pointed to a unified framework. They also compared the exploit code with their own samples from Operation Triangulation, confirming that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 was an updated version. The analysis process involved reverse engineering, static code analysis, and dynamic testing in sandboxed environments. The findings were published in a detailed report, highlighting the evolution of the exploitation framework.

What conclusions were drawn about Coruna's development?

Kaspersky researchers concluded that Coruna is not a patchwork of independently developed exploits but a unified exploit kit designed with a coherent approach. The shared kernel exploitation framework and common code across all components—from kernel exploits to other modules—indicate a single development team or threat group. The fact that the same kernel exploit for CVE-2023-32434 and CVE-2023-38606 was used in both Operation Triangulation and Coruna, but in an updated form, suggests that the developers actively maintained and improved their toolkit. Additionally, the inclusion of new exploits developed after the Triangulation campaign shows that the framework is continuously evolving. Researchers assume that Coruna is essentially an updated version of the same exploitation framework used in Operation Triangulation, possibly by the same vendor or group. This unity of design makes Coruna a more dangerous threat because all components work seamlessly together, increasing reliability and reducing the likelihood of detection.