ZCyberNews
Malware | Critical | 3 min read | Operation Triangulation
CVE-2023-32434, CVE-2023-38606

Kaspersky Details Coruna Exploit Kit Behind Operation Triangulation

Kaspersky GReAT reveals Coruna framework used in Operation Triangulation: updated kernel exploits for CVE-2023-32434 and CVE-2023-38606 targeting iPhones with zero-click iMessage…


Executive Summary

Kaspersky's Global Research and Analysis Team (GReAT) has published a detailed technical breakdown of the Coruna exploit framework, the core malware platform used in the long-running Operation Triangulation campaign targeting iOS devices. The analysis reveals that the kernel exploits leveraged by Coruna are updated versions of two previously documented vulnerabilities — CVE-2023-32434 and CVE-2023-38606 — adapted to bypass Apple's latest mitigations. Coruna delivers its payload via zero-click iMessage exploits, granting attackers full device compromise without user interaction. The framework has been active for several years and continues to evolve, according to Kaspersky researchers.

Technical Analysis

Kaspersky GReAT analysts identified that the Coruna framework employs a modular architecture, with the kernel exploit component being a refined iteration of the same technique used in earlier Operation Triangulation attacks. The updated exploit for CVE-2023-32434, an integer overflow vulnerability in the XNU kernel, now incorporates additional anti-analysis checks and memory corruption primitives that evade existing detection signatures. Similarly, the exploit for CVE-2023-38606, a hardware-level memory mapping issue in Apple's GPU driver, has been modified to bypass the kernel address space layout randomization (KASLR) protections introduced in iOS 16.5.

Coruna's delivery chain begins with a malicious iMessage attachment that triggers remote code execution in the iOS kernel without any user click. Once the kernel is compromised, the framework deploys a persistent implant that communicates with command-and-control servers using encrypted custom protocols. Kaspersky noted that the framework includes a self-destruct mechanism that erases forensic artifacts after exfiltration, making attribution and recovery challenging.

Kaspersky's report emphasizes that Coruna is not a single malware strain but a framework — a collection of interchangeable exploit modules, persistence mechanisms, and data-stealing components. The researchers observed that the framework's codebase shows signs of continuous development, with versioning and feature updates that suggest a dedicated development team. The analysis did not attribute the framework to a specific nation-state, but the sophistication and operational security align with advanced persistent threat groups.

Mitigations & Recommendations

Apple has patched both CVE-2023-32434 and CVE-2023-38606 in iOS updates released in 2023. Organizations should verify that all managed iOS devices are running the latest iOS version. Defenders should monitor for anomalous iMessage activity, particularly unsolicited messages from unknown senders that trigger unexpected device behavior. Kaspersky recommends implementing network-level detection for C2 communication patterns associated with the Coruna framework, though specific IOCs were not publicly disclosed in the report.


Tags: #operation-triangulation, #coruna, #ios-exploits, #kaspersky-great, #cve-2023-32434, #cve-2023-38606
