Attack chain of Coruna | Image: Kaspersky Labs
On March 4, 2026, reports from Google and iVerify shed light on Coruna, a highly sophisticated exploit kit targeting Apple iPhones. While such advanced tools are usually reserved for elite surveillance vendors, Coruna has been spotted in the wild being used for everything from watering-hole attacks in Ukraine to financially motivated hits in China.
Researchers at Kaspersky have now completed a deep dive into the framework, revealing a unified, modular design that poses a significant threat to any unpatched iOS device.
Analysis revealed that the kit’s kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the same code used in the infamous Operation Triangulation.
“Analysis of the kit showed that it relies on the exploitation of many previously patched vulnerabilities and also includes exploits for CVE-2023-32434 and CVE-2023-38606… these two vulnerabilities particularly caught our attention because they had been first discovered as zero-days used in Operation Triangulation”.
While those vulnerabilities were patched in 2023, the Coruna framework has been recompiled and updated to support newer Apple hardware, including the A17, M3, M3 Pro, and M3 Max chips.
The Coruna kit is not a “patchwork” of different tools; it is a “unified approach” designed for efficiency and stealth. The attack generally follows this path:
- Fingerprinting: A stager identifies the victim’s browser version to select the matching remote code execution (RCE) exploit.
- The Payload: Once an exploit triggers, a payload is downloaded and decrypted using the ChaCha20 stream cipher.
- Multi-Stage Unpacking: The malware uses a series of custom containers with unique magic numbers to hide its components:
  - 0xBEDF00D: LZMA-compressed data.
  - 0xF00DBEEF: A file storage container used to retrieve files by their IDs.
- Kernel Exploitation: The kit includes at least five kernel exploits, four of which were never seen in the original Operation Triangulation campaign.
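As an added illustration of the unpacking stage described above (this is not code from the Kaspersky report or from the kit itself), the following triage helper scans a captured blob for the two container magics and tries to inflate the data behind the 0xBEDF00D marker. The report does not describe the container header layout, so the 4-byte magic in either byte order and the assumption that the compressed stream starts right after it are constructed assumptions; the sample blob is constructed for the demonstration.

```python
import lzma
import struct

# Container magics reported for Coruna's custom containers.
MAGIC_LZMA = 0xBEDF00D        # container holding LZMA-compressed data
MAGIC_FILESTORE = 0xF00DBEEF  # file storage container, files retrieved by ID

# Memory cap for decompression so a hostile header cannot force huge allocations.
MEMLIMIT = 64 * 1024 * 1024


def find_container_magics(blob):
    """Return sorted (offset, container_name, byte_order) for every magic hit.
    Assumption: the magic is a 4-byte integer; both byte orders are tried."""
    hits = []
    for name, magic in (("lzma", MAGIC_LZMA), ("filestore", MAGIC_FILESTORE)):
        for order in ("<", ">"):
            needle = struct.pack(order + "I", magic)
            start = 0
            while (off := blob.find(needle, start)) >= 0:
                hits.append((off, name, order))
                start = off + 1
    return sorted(hits)


def try_unpack_lzma(blob, off):
    """Assume an LZMA (.lzma or .xz) stream follows the magic at `off`.
    Returns (decompressed_bytes, end_offset) or None if it does not parse."""
    dec = lzma.LZMADecompressor(memlimit=MEMLIMIT)
    try:
        out = dec.decompress(blob[off + 4:])
    except lzma.LZMAError:
        return None
    if not dec.eof:          # truncated stream: not a complete container
        return None
    return out, len(blob) - len(dec.unused_data)


def triage(blob):
    """Walk every magic hit and attach the unpacked payload where possible."""
    report = []
    for off, name, order in find_container_magics(blob):
        entry = {"offset": off, "container": name, "byte_order": order}
        if name == "lzma":
            entry["unpacked"] = try_unpack_lzma(blob, off)
        report.append(entry)
    return report


# Constructed sample: padding, an LZMA container, then a file-store marker.
SAMPLE_PLAINTEXT = b"stage-2 placeholder (constructed, not a real payload)"
SAMPLE_COMPRESSED = lzma.compress(SAMPLE_PLAINTEXT, format=lzma.FORMAT_ALONE)
SAMPLE_BLOB = (b"\x00" * 8 + struct.pack("<I", MAGIC_LZMA) + SAMPLE_COMPRESSED
               + struct.pack("<I", MAGIC_FILESTORE) + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    for entry in triage(SAMPLE_BLOB):
        print(entry)
```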
Once the kernel is compromised, a Launcher component takes over to manage post-exploitation activities. It is designed to be highly efficient: rather than re-attacking the system, it reuses special kernel objects created during the initial exploit to read and write to kernel memory.
The Launcher’s final tasks include:
- Cleaning up “exploitation artifacts” to hide the intrusion.
- Injecting a stager into a target process.
- Launching the final spyware implant.
The transition of this exploitation framework from “cyber-espionage purposes” to the broader cybercriminal world puts millions at risk. Because the kit is so modular and easy to reuse, security experts expect more threat actors to adopt it soon. “We strongly recommend that users install the latest security updates as soon as possible, if they have not already done so,” the report concludes. If you are running an unpatched version of iOS, you are an open target for one of the most sophisticated exploit kits ever discovered.