Kaspersky GReAT experts look into the Coruna exploit kit targeting iPhones. We discovered that the kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the Operation Triangulation exploit.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky GReAT researchers analyzed the Coruna exploit kit targeting iPhones, discovered by Google and iVerify in March 2026. The kit exploits multiple patched iOS vulnerabilities and was found to contain a kernel exploit for CVE-2023-32434 and CVE-2023-38606 that is a direct updated version of the exploit used in Operation Triangulation. The framework includes five kernel exploits sharing common code and a unified architecture, with updates adding support for iOS 17.2 and Apple A17/M3 processors. Originally used for nation-state cyber-espionage, Coruna has since been adopted by financially motivated attackers and used in watering-hole attacks in Ukraine and China. Kaspersky urges users to install the latest iOS security updates immediately.

Coruna framework: an exploit kit and ties to Operation Triangulation