The Triangulation Exploits Are Back: How Old iOS Attacks Got a Dangerous Second Life

Remember Operation Triangulation? That sophisticated iOS espionage campaign from 2023 that had us all double-checking our iMessage settings? Well, it turns out the attackers weren’t done with their toolkit. Security researchers have discovered that the exploit code is being recycled in a new framework called Coruna, and this time it’s not just targeting a select few high-value victims.

When Old Exploits Learn New Tricks

The connection between Coruna and Triangulation wasn’t immediately obvious when researchers first spotted the new framework. But Kaspersky’s analysis has confirmed what many of us suspected: the kernel exploit targeting two specific iOS vulnerabilities is essentially an updated version of the same code used in the 2023 campaign.

This is particularly concerning because it represents a shift in tactics. Operation Triangulation was a highly targeted espionage operation, carefully selecting specific individuals for surveillance. Coruna appears to be casting a much wider net, suggesting we’re looking at mass attacks rather than surgical strikes.

What makes this evolution especially troubling is the sophistication involved. We’re not talking about script kiddies copying and pasting exploit code they found on GitHub. This is professional-grade malware development, where proven attack vectors are being systematically updated and redeployed for broader campaigns.

The Bigger Picture: Exploit Recycling Becomes Standard Practice

This isn’t happening in isolation. The security community is seeing a clear trend where successful attack frameworks don’t just disappear after their initial campaigns—they get repurposed, updated, and sold or shared within criminal networks.

Take the recent extradition of Hambardzum Minasyan, who’s accused of developing and administering the RedLine infostealer. RedLine has been one of the most persistent threats we’ve tracked, constantly evolving and adapting to new defensive measures. It’s a perfect example of how successful malware frameworks become long-term investments for cybercriminals.

Similarly, we’re seeing the return of the Iran-linked Pay2Key ransomware group, tracked by both Halcyon and Beazley Security. These groups don’t just vanish when the heat gets turned up—they regroup, retool, and come back with improved capabilities.

What This Means for Our Defenses

The Coruna situation highlights a fundamental challenge we face in mobile security. iOS has historically been considered the more secure platform, and Apple’s security team does excellent work patching vulnerabilities quickly. But the sophistication of these attacks means that even patched vulnerabilities can provide valuable intelligence for future exploit development.

The zero-click nature of these iMessage exploits is particularly problematic: they require no user interaction at all. There’s no phishing email to spot, no suspicious attachment to avoid clicking. The attack happens silently in the background, making user education—one of our most reliable defense layers—essentially useless.

For organizations managing iOS devices, this underscores the critical importance of rapid patch deployment. We can’t afford the luxury of extended testing periods when dealing with security updates, especially for messaging and communication apps.

The Human Element Still Matters

Speaking of user behavior, I had to chuckle at this week’s Smashing Security podcast discussing some truly bizarre security incidents. Apparently, two people drove up to the UK’s nuclear submarine base at Faslane and asked if they could have a look around. Whether they were tourists, spies, or something in between, it’s a reminder that not all security threats come through our networks.

The podcast also covered a disgruntled data analyst who responded to losing his contract by stealing the entire company payroll database and demanding $2.5 million in Bitcoin—signing his extortion emails from a company called “Loot.” While we focus heavily on sophisticated nation-state attacks and advanced persistent threats, sometimes the biggest risks come from insider threats and basic social engineering.

Moving Forward

The Coruna framework represents more than just another iOS exploit—it’s a sign that we need to rethink how we approach threat intelligence and defense strategies. The days of treating each campaign as an isolated incident are over. We need to assume that any successful attack framework will be reused, modified, and deployed again.

This means investing more heavily in behavioral detection rather than just signature-based approaches. It means treating mobile device management with the same rigor we apply to endpoint security. And it means accepting that perfect prevention isn’t possible—we need robust detection and response capabilities that can identify compromise even when the initial attack vector succeeds.

The security landscape continues to evolve, but one thing remains constant: our adversaries are patient, persistent, and increasingly professional. The recycling of Triangulation exploits in Coruna is just the latest reminder that in cybersecurity, nothing ever really dies—it just gets repackaged for the next campaign.