A sophisticated iOS exploit kit known as Coruna has been confirmed to share the same kernel exploit code used in the 2023 Operation Triangulation espionage campaign, according to new research published by Kaspersky. The discovery has alarmed the global cybersecurity and information security community, as a tool once reserved for precision state-sponsored surveillance has now evolved into a mass attack framework actively targeting millions of everyday iPhone users. The Coruna kit contains five complete iOS exploit chains and 23 individual exploits, including two zero-day vulnerabilities first weaponised in Operation Triangulation. Security researchers warn that this marks a dangerous new phase in mobile digital security threats where elite nation-state tools are now being deployed indiscriminately against ordinary people.
Affected products
- Apple iPhone — iOS 13.0 through iOS 17.2.1
How to Fix
Step-by-step remediation
1. Update iOS immediately. Go to Settings → General → Software Update and install the latest available iOS version without delay. This single action closes the vulnerabilities exploited by the Coruna kit and is the most effective protection available right now.
2. Enable Automatic Updates. Go to Settings → General → Software Update → Automatic Updates and turn on both Download iOS Updates and Install iOS Updates. This ensures your device patches itself automatically without requiring manual action every time Apple releases a security update.
3. Avoid unfamiliar websites on Safari. Since the Coruna attack is triggered entirely through a compromised website visit with zero user interaction required beyond loading the page, avoiding suspicious or unfamiliar URLs on Safari significantly reduces your exposure while your device is being updated.
4. Enable Lockdown Mode for high-risk users. If you are a journalist, executive, government employee, activist, or anyone likely to be individually targeted, enable Lockdown Mode under Settings → Privacy and Security → Lockdown Mode. This significantly reduces the attack surface available to exploit kits like Coruna.
5. Enterprise teams should audit MDM immediately. Use your mobile device management platform to identify all devices running iOS 13.0 through 17.2.1. Restrict any unpatched device from accessing corporate networks, email, and internal resources until the latest iOS update is confirmed installed across the fleet.
6. Monitor for signs of compromise. Unexpected battery drain, unexplained background data usage, sudden performance degradation, or unusual network activity on a device that recently visited an unfamiliar website may indicate active malware. If you suspect compromise, perform a full factory reset after backing up your data securely through iCloud or iTunes.
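For the MDM audit step above, this added example (not taken from Kaspersky, Apple, or any MDM vendor) triages an inventory export against the affected range stated on this page. The CSV column names `device_name` and `os_version` and the sample rows are assumptions; adjust them to match your platform's export.

```python
import csv
import io

# Affected range as stated on this page: iOS 13.0 through 17.2.1 (inclusive).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_ios_version(text):
    """Turn '16.5' or '17.2.1' into a 3-tuple of ints; None if unparseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown' for one version string."""
    version = parse_ios_version(version_text)
    if version is None:
        return "unknown"  # unverified: do not assume the device is patched
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


def triage(inventory_csv):
    """Group device names by status from an MDM inventory export (CSV text)."""
    result = {"affected": [], "outside-range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("os_version") or "")].append(row["device_name"])
    return result


# Constructed sample export; device names and column names are hypothetical.
SAMPLE = """device_name,os_version
sales-iphone-01,17.2.1
sales-iphone-02,17.3
exec-iphone-03,16.5
lab-iphone-04,12.5.7
byod-iphone-05,17.10
byod-iphone-06,
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Versions are compared as integer tuples, so 17.10 sorts after 17.2.1 rather than before it as a string comparison would. Devices in the "unknown" group should be restricted alongside the "affected" ones until their version is confirmed.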
What happened
Coruna is an advanced iOS exploit kit first documented by Google and iVerify in March 2026. It targets Apple iPhone models running iOS versions between 13.0 and 17.2.1 and contains 23 individual exploits across five complete exploit chains. Among these are CVE-2023-32434 and CVE-2023-38606 — both originally deployed as zero-day vulnerabilities during the 2023 Operation Triangulation campaign, widely considered one of the most sophisticated iPhone attacks ever recorded in computer security history.
The most significant finding from Kaspersky's latest research is that the kernel exploits found inside both Coruna and Operation Triangulation were created by the same developer. According to Boris Larin, principal security researcher at Kaspersky GReAT, all exploits within the Coruna framework are built on an identical kernel exploitation framework and share substantial common code with the original Triangulation campaign tools.
The exploit code includes active support for Apple's A17, M3, M3 Pro, and M3 Max processors along with checks for iOS 17.2 and iOS 16.5 beta 4, confirming that the original developers are actively maintaining and expanding this codebase in 2026. This level of sustained development is a clear signal of a well-resourced, persistent threat actor. When Coruna was first reported, public evidence was insufficient to directly link it to Triangulation based on shared vulnerabilities alone. The new Kaspersky analysis provides the definitive technical proof of shared authorship that the information security community had been waiting for.
The attack chain begins the moment a user visits a compromised website on Safari. A silent stager immediately fingerprints the browser and operating system and serves the most appropriate exploit from its library. Once delivered, a payload triggers the kernel exploit chain, executes Mach-O loaders and a malware launcher, drops the final implant, and then cleans up all forensic artifacts to eliminate evidence of the intrusion, an anti-forensic step that makes detection and attribution extremely difficult.
Real-World Impact
Coruna has already been actively deployed by multiple threat actors across the cyber attack landscape. A Russia-aligned nation-state actor has used the kit in watering hole attacks targeting organisations and individuals in Ukraine. Separately, criminal groups have deployed it through a cluster of fake Chinese gambling and cryptocurrency websites to deliver a data-stealing malware strain known as PlasmaLoader, also tracked as PLASMAGRID, which silently harvests sensitive user data from compromised devices.
The shift from espionage tool to mass exploitation framework is the critical development here. Any iPhone running iOS 13.0 through 17.2.1 without the latest security patch is potentially exposed. Given that millions of devices globally continue to run older iOS versions due to older hardware, neglected updates, or organisational policy, the attack surface is enormous. Enterprise environments are at particular risk where unmanaged or under-patched personal devices access corporate networks, creating severe data security and computer security vulnerabilities that extend far beyond individual users.
Compounding this threat, the DarkSword iOS exploit kit was leaked publicly on GitHub during the same week, further lowering the barrier for less sophisticated cybercriminals to compromise Apple devices at scale. What was once an exclusive capability requiring nation-state resources is now rapidly becoming accessible to a much broader criminal ecosystem.
🛡️ Prevention Tips
Always keep your iPhone updated to the latest iOS version as Apple releases security patches specifically to close vulnerabilities like those exploited in the Coruna kit. Enable automatic updates under Settings → General → Software Update → Automatic Updates so your device patches itself without requiring manual action. Be cautious about every link you tap and every website you visit on Safari — watering hole attacks rely on you visiting a compromised page without knowing it is dangerous. Avoid clicking links in unsolicited messages, emails, or social media posts that take you to unfamiliar websites. Organisations should enforce mandatory update policies across all employee mobile devices and consider mobile threat defence solutions that monitor for exploit activity at the network and device level. Regularly review which apps have access to sensitive permissions and revoke anything that does not need them.
FAQs
What is the Coruna iOS exploit kit?
Coruna is a sophisticated iOS exploit kit containing 23 exploits and 5 full exploit chains that targets iPhones running iOS 13.0 through 17.2.1. Kaspersky has confirmed it was built by the same developer behind the 2023 Operation Triangulation espionage campaign and is now being used in mass cybersecurity attacks against everyday iPhone users.
Am I at risk from the Coruna iOS exploit?
If your iPhone is running iOS 13.0 through iOS 17.2.1 and has not been updated to the latest available version, you are potentially at risk. The attack is delivered silently through a compromised website visit on Safari with no user interaction required beyond simply visiting the page.
How do I protect my iPhone from the Coruna exploit kit?
Update your iPhone to the latest iOS version immediately by going to Settings → General → Software Update. This is the most effective protection. Also avoid visiting unfamiliar websites on Safari and consider enabling Lockdown Mode if you believe you may be a targeted individual.