Operation Triangulation is a targeted iOS spyware campaign that Kaspersky discovered on its own corporate network and publicly disclosed in 2023. Kaspersky reported that multiple Apple iPhones and other iOS devices across its premises worldwide had been infected since at least 2019. The implant is espionage-oriented and is delivered by a zero-click exploit chain over iMessage: a malicious attachment is processed without any user interaction, giving code execution, after which the chain escalates privileges, downloads additional payloads, executes operator commands, and collects data from the infected device. Kaspersky tied CVE-2023-38606 to the exploit chain used to deploy the spyware on iPhones, and reporting also references Apple fixes for exploited zero-days relevant to the chain.
Kaspersky identified forensic traces of the campaign, among them a process calling itself "BackupAgent" that appears around the time of compromise and consumes mobile data. Kaspersky released a detection utility, triangle_check (also referred to as Triangle Check), that scans iOS backups for indicators of compromise and reports a verdict such as DETECTED or SUSPICION. Because iOS security protections prevent inspection of a live device's file system, the tool works on a backup rather than on the device itself. Kaspersky cautioned that a negative result is not definitive: analysis was still ongoing at the time of release, and newer variants may leave different traces.
Reporting by the Russian FSB linked the campaign to infections of high-ranking Russian government officials and foreign diplomats, but public attribution remains unresolved. Kaspersky's published findings establish that a real intrusion campaign took place; its origin, operators, and full victimology are not established in the content collected here. The campaign is consistently discussed alongside other mercenary or state-grade mobile spyware such as Pegasus, Predator, Reign, and Graphite, and ANSSI cites Triangulation as an example of a sophisticated zero-click mobile threat.
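As an added example (not Kaspersky's triangle_check and not code from this page), the script below shows the kind of check a backup-analysis tool performs for the trace described above: it opens the DataUsage.sqlite database found in an unencrypted iOS backup, joins the process table to the per-process traffic table, and returns DETECTED, SUSPICION or CLEAN depending on whether a process named BackupAgent is recorded and whether it moved any cellular (WWAN) data. The table and column names (ZPROCESS, ZLIVEUSAGE, ZWWANIN and so on) follow the DataUsage.sqlite layout as I know it and are assumptions to verify against a real backup; the verdict rules and the sample rows are constructed for the demonstration.

```python
"""Added example: heuristic scan of an iOS backup's DataUsage.sqlite for the
"BackupAgent" trace. Not Kaspersky's triangle_check. Schema names are
assumptions; sample rows are constructed, not taken from a real device."""
from __future__ import annotations

import os
import sqlite3
import tempfile
from dataclasses import dataclass

# Process name reported on this page. A real tool carries a longer IOC list.
SUSPICIOUS_PROCESS_NAMES = {"BackupAgent"}


@dataclass
class Finding:
    process: str
    bundle: str | None
    wwan_bytes: int
    wifi_bytes: int


def build_sample_db(path: str, include_backupagent: bool,
                    wwan_bytes: float = 1_850_000.0) -> None:
    """Create a constructed DataUsage.sqlite-like file (assumed schema)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT,
            ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWWANIN REAL, ZWWANOUT REAL, ZWIFIIN REAL, ZWIFIOUT REAL,
            ZTIMESTAMP REAL);
    """)
    # Benign baseline: a normal app with an app bundle and mixed traffic.
    procs = [(1, "mobilemail", "com.apple.mobilemail", 700000000.0, 700000100.0)]
    usage = [(1, 1, 12000.0, 3000.0, 50000.0, 8000.0, 700000100.0)]
    if include_backupagent:
        # Constructed trace: process named like the one on the page, WWAN only.
        procs.append((2, "BackupAgent", None, 700001000.0, 700001300.0))
        usage.append((2, 2, wwan_bytes, 0.0, 0.0, 0.0, 700001300.0))
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", procs)
    con.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", usage)
    con.commit()
    con.close()


def scan_data_usage(db_path: str) -> tuple[str, list[Finding]]:
    """Return (verdict, findings). Verdict is DETECTED, SUSPICION or CLEAN.

    Heuristic used here (an assumption, not the vendor's rule set):
    a suspicious process name with cellular traffic -> DETECTED,
    the name present with no cellular traffic -> SUSPICION, else CLEAN."""
    con = sqlite3.connect(db_path)
    try:
        cur = con.execute("""
            SELECT p.ZPROCNAME, p.ZBUNDLENAME,
                   COALESCE(SUM(u.ZWWANIN + u.ZWWANOUT), 0),
                   COALESCE(SUM(u.ZWIFIIN + u.ZWIFIOUT), 0)
            FROM ZPROCESS p
            LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
            GROUP BY p.Z_PK""")
        findings = [Finding(name, bundle, int(wwan), int(wifi))
                    for name, bundle, wwan, wifi in cur
                    if name in SUSPICIOUS_PROCESS_NAMES]
    finally:
        con.close()
    if any(f.wwan_bytes > 0 for f in findings):
        return "DETECTED", findings
    if findings:
        return "SUSPICION", findings
    return "CLEAN", findings


def run_demo() -> dict[str, str]:
    """Scan three constructed databases and return their verdicts."""
    cases = {"infected": (True, 1_850_000.0),
             "suspicion": (True, 0.0),
             "clean": (False, 0.0)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (flag, wwan) in cases.items():
            path = os.path.join(d, f"{label}.sqlite")
            build_sample_db(path, flag, wwan)
            verdict, findings = scan_data_usage(path)
            results[label] = verdict
    return results


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label}: {verdict}")
```

In a real backup the database is stored under a hashed file name; locate it through the backup's Manifest.db (Files table, by domain and relativePath) and decrypt the backup first if it is password-protected. As the page notes, a CLEAN result from a single trace like this only means that one indicator was absent.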
1 CVE correlated with this family across public research and vendor advisories.
CVE-2023-38606 is part of a zero-click exploit chain used to deploy Triangulation spyware on iPhones via iMessage exploits, according to Kaspersky GReAT lead security researcher Boris Larin.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
The 'Operation Triangulation' malware campaign uses an unknown zero-day exploit on iMessage to perform code execution without user interaction and with elevated privileges.
Messaging apps are a royal road onto devices... this attack appears to leverage a flaw in a messaging app. Past NSO attacks have exploited flaws in iMessage attachment processing... as well as flaws in WhatsApp’s negotiation of end-to-end encryption for video calls.
5 sources tracked across advisories, community write-ups, and news.
Spyware campaign/tool referenced as one of several known spyware types ruled out in the analyzed iPhone case.
A mobile attack chain referenced by ANSSI as an example of advanced smartphone compromise, including zero-click exploitation scenarios.
A spyware platform deployed to iPhones via a zero-click iMessage exploit chain, leveraging (at least) a kernel vulnerability (CVE-2023-38606) as part of the chain.
iOS malware used in a targeted espionage campaign. It reportedly exploits an unknown zero-day in iMessage for zero-click code execution, gains elevated privileges, downloads additional payloads, enables further command execution, and collects information from infected devices.