
Operation Triangulation

Operation Triangulation is a sophisticated, long-running iOS espionage campaign first publicly disclosed by Kaspersky in 2023. The campaign has reportedly been active since 2019 and targets Apple mobile devices, including iPhones, by delivering malicious iMessages with attachments that trigger exploitation without any user interaction. Public reporting describes it as a four-year spying operation that affected thousands of individuals in Russia, including dozens of senior Kaspersky employees, as well as diplomatic missions and embassies in Russia.

The operation combined a sophisticated spyware implant with multiple zero-day exploits. Public reporting states that CVE-2023-32434 and CVE-2023-38606 were used as zero-days in the campaign, and later research linked those vulnerabilities and the related Coruna exploit framework to Operation Triangulation. Researchers assessed that Coruna is an updated version of at least part of the exploit framework used in Operation Triangulation, sharing code with it and carrying an updated kernel exploit chain. The cited reporting also says Google linked two vulnerabilities associated with Coruna to Operation Triangulation.

Kaspersky discovered the campaign while monitoring suspicious traffic from iOS devices on its corporate Wi-Fi network and later presented its investigation results at the 37th Chaos Communication Congress. The campaign is consistently characterized as an advanced persistent threat operation focused on espionage against iOS devices. Attribution remains unconfirmed: the Russian government and the FSB blamed the United States and the NSA and alleged collusion by Apple, Apple denied those claims, and Kaspersky did not attribute Operation Triangulation to any government or known threat group.


Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2023-32434: Kernel privilege escalation via integer overflow in Apple iOS/watchOS/macOS

CVE-2023-38606: Apple kernel sensitive state modification / PPL bypass in iOS and macOS

Both entries cite the same passage (via securelist.ru, translated from Russian):

"Operation Triangulation is a sophisticated APT campaign targeting iOS-based mobile devices... this campaign involved a sophisticated spyware implant and multiple zero-day exploits."
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique): T1566.002 Spearphishing Link (evidence: 1)

Credential Access (1 technique): T1528 Steal Application Access Token (evidence: 1)

Both mappings rest on the same cited passage:

"That campaign, dubbed Operation Triangulation by Russian cybersecurity company Kaspersky, targeted victims through malicious iMessages and is believed to have operated for several years."

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Dark Reading (News), Mar 26, 2026
Coruna, DarkSword & Democratizing Nation-State Exploit Kits

A spyware campaign/malware cluster targeting iOS devices in a long-running espionage operation affecting individuals in Russia, including Kaspersky employees and diplomatic entities. The article states Coruna appears to be an outgrowth of the malware used in this campaign.

securelist.ru (News), Mar 26, 2026
The Coruna framework: an exploit kit and its connection to Operation Triangulation | Securelist

A spyware implant/exploitation chain for iOS that used multiple zero-day exploits. The article states that one of the kernel exploits in Coruna is an updated version of an exploit used in this campaign.

vulnu (News), Mar 16, 2026
US Military Contractor Likely Built iPhone Hacking Tools Used By Russian Spies in Ukraine

A sophisticated iPhone hacking campaign previously targeting Russian users, linked by researchers to two vulnerabilities associated with the Coruna toolkit.

The Record (News), Aug 5, 2024
New Android spyware is tracking Russian victims, researchers say | The Record from Recorded Future News

Espionage malware/campaign targeting Apple devices via iMessages with malicious attachments and exploiting two vulnerabilities. It has been active since 2019 and was described as an extremely complex, professionally targeted cyberattack.