Operation Triangulation Used Four Zero-Days to Spy on iPhones
Researchers disclosed Operation Triangulation, an iPhone espionage campaign that infected devices through iMessage and deployed a sophisticated spyware implant on iOS. Reporting tied the operation to a chain of four zero-day vulnerabilities, including flaws in Apple’s processing of messages and a hardware-based feature that enabled attackers to bypass protections that were largely undocumented outside Apple. Kaspersky said the malware targeted iPhones used by its employees, while later technical analysis and conference presentations detailed how the implant gained code execution, escalated privileges, and maintained stealth on compromised devices.
The campaign quickly drew geopolitical attention after Russian authorities accused Apple of cooperating with the NSA in the spying operation, an allegation that was widely reported but not substantiated by public technical evidence. Subsequent coverage focused on the exploit kit sometimes referred to as Coruna, with Kaspersky later saying it had found no signs that the toolkit was created by the United States. The case remains notable for showing that attackers combined multiple iOS zero-days with obscure Apple hardware behavior to build a highly advanced surveillance platform against iPhone users.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Kaspersky rejects claims that the Coruna iPhone exploit kit was made by the US
In March 2026, Kaspersky said it had found no signs that the Coruna exploit framework associated with Operation Triangulation had been developed by the United States. The statement represented a later attribution-related update to the long-running investigation.
Analysis reveals Triangulation used four zero-days and a hardware feature
Late-2023 and early-2024 reporting said the iPhone spyware campaign relied on four zero-day vulnerabilities and abused an Apple hardware-based feature that had been largely undocumented. These findings significantly deepened understanding of the sophistication of the exploit chain.
Researchers present deeper technical findings on Operation Triangulation
At the end of 2023, researchers publicly shared additional analysis of Operation Triangulation, including more detail on the exploit chain and how attackers compromised researchers' iPhones. This marked a broader technical disclosure beyond the initial June reporting.
Researchers publish a report detailing Operation Triangulation's spyware implant
A June 2023 report exposed technical details of the Operation Triangulation implant targeting iOS devices, describing the infection chain and spyware capabilities. The disclosure expanded public understanding of how the campaign operated on compromised iPhones.
Russia accuses Apple and the NSA over the iPhone spying campaign
Russian authorities publicly alleged that Apple had cooperated with the NSA in a spying operation involving infected iPhones, while Kaspersky said it had found evidence of targeted compromises but did not attribute the campaign to Apple. The accusation brought Operation Triangulation into wider public view.
Kaspersky detects iPhone compromise inside its corporate network
Kaspersky reported discovering that several employees' iPhones had been infected by a previously unknown iOS spyware campaign later named Operation Triangulation. The company said the attack used invisible iMessage-delivered exploits and affected devices running recent iOS versions.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Kaspersky: No signs Coruna iPhone exploit kit made by US
theregister.com
Open sourceNew iPhone Exploit Uses Four Zero-Days - Schneier on Security
schneier.com
Open source"Triangulation" iPhone spyware used Apple hardware exploits unknown to almost everyone | TechSpot
techspot.com
Open sourceOperation Triangulation - media.ccc.de
media.ccc.de
Open sourceNew Report Exposes Operation Triangulation's Spyware Implant Targeting iOS Devices
thehackernews.com
Open sourceRussian government accuses Apple of colluding with NSA in iPhone spy operation | CyberScoop
cyberscoop.com
Open sourceTriangulation: Trojan for iOS | Kaspersky official blog
kaspersky.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Kaspersky Releases Utility to Detect Operation Triangulation iPhone Compromise
Kaspersky published a utility to help organizations and individuals identify traces of **Operation Triangulation**, an iPhone-focused espionage campaign uncovered on corporate devices. The tool is designed to detect indicators left by the attack chain, which used previously unknown iOS exploits to compromise devices through **iMessage** without user interaction and then deploy malware for covert data collection. The release gives defenders a practical way to check Apple mobile devices for evidence of compromise tied to the campaign and supports incident response efforts where targeted surveillance is suspected. Operation Triangulation drew attention because it relied on a sophisticated zero-click infection path and targeted mobile endpoints that are often harder for enterprises to inspect, making forensic detection tools especially important for security teams.
May 25, 2026
Coruna iPhone Exploit Kit Linked to Russian Espionage and Criminal Use
Researchers reported that the **Coruna** iOS exploitation framework contains full exploit chains and roughly **23 exploits** targeting iPhones running **iOS 13 through 17.2/17.2.1**, and that it has been used by multiple threat actors, including **UNC6353**, a suspected Russian espionage group conducting watering-hole attacks against Ukrainian users, and **UNC6691**, a financially motivated China-based actor. The toolkit, also referred to as **CryptoWaters**, has been described as a rare case of **nation-state-grade iPhone exploitation** appearing in broader criminal operations, with post-exploitation activity including the **PLASMAGRID** payload and persistence through a process identified as `com.apple.assistd` that injects into the `powerd` daemon running as root. Reporting also highlighted competing views on the toolkit's origin. One account said evidence suggests parts of Coruna may have originated from **Trenchant**, a hacking and surveillance division of **L3Harris**, and later leaked into the wider ecosystem, ultimately reaching foreign intelligence services and cybercriminals. However, technical threat research noted that the **definitive origin remains unconfirmed**, even as analysts observed reuse of vulnerabilities associated with **Operation Triangulation** and CISA added **`CVE-2023-41974`** to the **Known Exploited Vulnerabilities** catalog after Google's publication. The story is substantive threat intelligence, not fluff, because it concerns an active exploit framework, real-world exploitation, and possible proliferation of advanced offensive capabilities.
Mar 27, 2026
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns
Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.
Mar 21, 2026