Inside Coruna: The Exploit Framework Behind Operation Triangulation

From Xtcworld, the free encyclopedia of technology

In early March 2026, Google and iVerify unveiled a highly advanced exploit kit targeting Apple iPhones. Dubbed Coruna by its developers, this toolkit was initially used by a client of an unnamed surveillance vendor before spreading to watering‑hole attacks in Ukraine and financially motivated campaigns in China. Analysis revealed its deep connection to Operation Triangulation—a sophisticated mobile APT campaign first detected by Kaspersky researchers in 2023. The following Q&A explores the origins, technical details, and implications of the Coruna framework.

1. What is Coruna and how was it discovered?

Coruna is the internal name for an exploit kit framework used in targeted iOS attacks. It was uncovered when researchers found a debug version of the kit that exposed its component names. Google and iVerify published reports on March 4, 2026, describing a customer of an unnamed surveillance vendor using the kit. Later, it appeared in watering‑hole attacks in Ukraine and financial scams in China. The debug instance revealed the term Coruna as the framework moniker. Subsequent analysis by Kaspersky’s GReAT team showed that some distribution links remained active, allowing them to collect, decrypt, and study every part of the kit.

Source: securelist.com

2. How does Coruna relate to Operation Triangulation?

Operation Triangulation is a long‑running iOS spyware campaign discovered by Kaspersky in 2023. It used multiple zero‑day exploits, including CVE‑2023‑32434 and CVE‑2023‑38606. The Coruna framework, as it turns out, contains an updated version of the same kernel exploit used in Triangulation. While Triangulation was a targeted APT, Coruna is an exploit kit that repurposes similar techniques for broader attacks. The codebase shows a unified design, not a patchwork of borrowed exploits, suggesting the same development team behind both operations.

3. What vulnerabilities does Coruna exploit?

Coruna leverages a chain of previously patched bugs along with two zero‑day vulnerabilities: CVE‑2023‑32434 and CVE‑2023‑38606. These flaws were first seen in Operation Triangulation. They allow attackers to achieve kernel‑level code execution and bypass iOS security mechanisms. The exploit kit also includes four additional kernel exploits not observed in Triangulation; two of them were developed after the original campaign was discovered. All exploits share common code and are built on the same framework, indicating a cohesive engineering effort.

4. What makes Coruna’s kernel exploit unique?

The kernel exploit for CVE‑2023‑32434 and CVE‑2023‑38606 in Coruna is not a copy of the one used in Operation Triangulation—it is an evolved version. Code comparisons show shared functions and logic, but with refinements that improve reliability and compatibility. The exploit uses a unified framework that also appears in other Coruna components, suggesting the entire kit was designed by the same team rather than assembled from disparate sources. This level of integration is uncommon in public exploit kits and points to a well‑funded, highly skilled development group.

5. How was the Coruna kit analyzed?

After Google’s report, some of the exploit kit distribution links remained accessible. Kaspersky researchers seized this opportunity to download, decrypt, and dissect every component. They found encryption keys within the debug build, which unlocked the full payload. The analysis revealed not only the exploit code but also the framework’s internal naming scheme and structure. By comparing the code to known samples from Operation Triangulation, they confirmed the shared ancestry. The active links also allowed them to monitor how the kit evolved over time.

6. What additional exploits does Coruna include beyond those in Triangulation?

Coruna contains four kernel exploits that were absent from Operation Triangulation. Two of these were developed after the Triangulation campaign was publicly revealed, indicating active research and development. All four are built on the same framework and share common code with the older exploits. This suggests the developers continuously refine their toolkit. The presence of these additional exploits gives Coruna a broader attack surface, allowing it to target a wider range of iOS versions and configurations.

7. What does the Coruna framework reveal about its creators?

The unified codebase and continual updates point to a professional, well‑organized team rather than a one‑time patchwork. The fact that the framework first appeared in surveillance‑vendor hands and later in criminal campaigns suggests it may be licensed or sold. The debug version discovery also hints at possible internal testing shortcuts. Overall, Coruna represents a new generation of commercial‑grade iOS exploit kits, raising the bar for mobile threat actors and forcing defenders to accelerate patch deployment.