
Kaspersky Uncovers Coruna Exploit Kit Linked to Operation Triangulation


What happens when a piece of offensive code is repurposed and aimed at a new class of devices? That question lies at the center of a short but consequential finding published by Kaspersky’s Global Research and Analysis Team (GReAT): an exploit previously identified in Operation Triangulation has been updated and incorporated into a toolkit now targeting iPhones.

The discovery

Kaspersky GReAT analysts investigated an exploit kit known as Coruna that is designed to target iPhones. In their analysis they determined that the kernel exploit for two tracked vulnerabilities, CVE-2023-32434 and CVE-2023-38606, is an updated version of the exploit framework previously associated with Operation Triangulation. That observation links the new Coruna kit directly to an earlier, established exploit framework.

Relevant background from the investigators

The key facts, as reported by Kaspersky GReAT, are simple and specific: the investigators examined Coruna, identified its target platform as iPhones, and concluded the kernel exploit for CVE-2023-32434 and CVE-2023-38606 derives from an updated Operation Triangulation exploit. Those are the elements the analysts have laid out as the foundation for understanding Coruna’s tooling.

Why this matters

  • For technologists: The finding demonstrates that exploit code can be maintained and revised across different toolsets. Tracing a kernel exploit from Coruna back to Operation Triangulation provides a technical linkage that can inform detection, forensics and defensive research.
  • For policymakers and defenders: The reuse and updating of an identified exploit framework underscores the value of public, technical analysis. When researchers can map current threats to known frameworks, it strengthens the basis for prioritized mitigation and information-sharing decisions.
  • For users: The report highlights that iPhones were the stated target in this instance. Awareness of the specific vulnerabilities cited — CVE-2023-32434 and CVE-2023-38606 — gives users and administrators a concrete reference point for their own inquiries and actions.
  • For adversaries and analysts: The evolution of an exploit across operations suggests a continuing lifecycle for sophisticated tools — adaptation rather than one-off use — which shapes expectations about how offensive capabilities may be redeployed.

What to watch next

Kaspersky GReAT’s identification of an updated Operation Triangulation exploit inside Coruna is a technical waypoint: it connects past research to a present threat. Going forward, attention will naturally concentrate on further forensic detail, any confirmation or mitigation published by relevant vendors or incident responders, and additional analysis that either corroborates or refines the linkage between these toolsets. Observers should track follow-up disclosures and technical write-ups that expand on the GReAT findings.

The pattern here is unmistakable even in a brief report: exploit frameworks can persist and be refitted to new targets. How defenders respond to that persistence will shape whether such updates become more disruptive — or merely another footnote in the cycle of discovery and defense.

https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/