Kaspersky researchers have found that the Coruna iOS exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign, suggesting a possible link between the two developments. In early March, Google’s Threat Intelligence Group identified Coruna (also known as CryptoWaters) targeting iPhones on iOS 13.0 through 17.2.1, with five full exploit chains and a total of 23 exploits, though it is ineffective against the latest iOS release, according to Google.
The kit’s architecture includes a Safari-based stager that selects which exploits to use. The payload is decrypted with ChaCha20 and decompressed with LZMA, revealing layered containers that determine which exploits, loaders and implants to fetch based on device type, CPU and iOS version. Researchers note that one kernel exploit is an updated variant of the Triangulation exploit, adding compatibility for newer iOS versions up to 17.2 and recent Apple chips such as the A17 and M3, with checks designed to support newer exploits built on the same framework.
According to Kaspersky’s report, the findings point to a unified, modular exploitation framework now being leveraged by multiple threat actors.