Photon

Photon is an internal exploit name associated with the Coruna iOS exploit framework and previously linked to Operation Triangulation. Reporting states that Coruna reused Photon and Gallium as zero-day exploits in Triangulation, and Google researchers said these names were used by the original developers. Photon has been linked by researchers to CVE-2023-32434, described as a privilege-escalation vulnerability involving an integer overflow in memory mapping, affecting iOS 14.5 through 15.7.6. In the broader Coruna framework, Photon was part of tooling used to compromise Apple iPhones across iOS 13 through 17.2.1, alongside WebKit exploitation, sandbox escape, privilege escalation, and Page Protection Layer bypass techniques. Coruna was reportedly used in 2025 across multiple actor ecosystems: initially in highly targeted operations, then by the Russian espionage cluster UNC6353 in watering-hole attacks against Ukrainian iPhone users via compromised Ukrainian websites and geofenced delivery, and later by the China-linked financially motivated cluster UNC6691 in fraudulent cryptocurrency and financial-site campaigns. Supporting reporting also notes alleged links between Coruna and L3Harris Trenchant-origin tooling, but attribution remains cautious; Kaspersky stated that shared use of Photon and Gallium alone is insufficient to attribute Operation Triangulation to a specific actor or exploit developer because vulnerability details later became public.