Kaspersky disputes suggestions that the sophisticated Coruna iPhone exploit kit is connected to the allegedly NSA-linked Operation Triangulation, despite two shared vulnerabilities.
Russian cybersecurity firm Kaspersky has pushed back against claims that the recently discovered Coruna iPhone exploit kit was developed by the same group behind a 2023 campaign that allegedly compromised thousands of Russian diplomats. The dismissal comes after Google's Threat Intelligence Group (GTIG) published findings on the sophisticated toolkit, which security experts quickly linked to the National Security Agency.
The Coruna Exploit Kit: A Technical Deep Dive
GTIG identified Coruna as a highly sophisticated iPhone exploit kit comprising 23 distinct vulnerabilities affecting iOS 13 through 17.2.1, the releases that shipped between September 2019 and December 2023. The kit assembles them into five full exploit chains, which GTIG says represent millions of dollars in development cost and years of research.
GTIG first tracked the kit in February 2025 after capturing parts of an iOS exploit chain used by a customer of a surveillance company. What makes Coruna particularly concerning is that it bundles non-public techniques into novel JavaScript frameworks designed to compromise iPhones when users visit specific websites.
Multiple Threat Actors, Different Objectives
Researchers observed Coruna being deployed by different groups for different purposes, suggesting an active market for second-hand zero-days among well-resourced buyers. In summer 2025, campaigns targeted Ukrainian websites covering industrial equipment, local services, and ecommerce. The JavaScript framework was delivered through hidden iframes injected into compromised sites and served to iPhone visitors from particular geolocations.
By late 2025, the same framework appeared on a large set of fake Chinese websites, predominantly related to finance and cryptocurrency. These sites were crafted to attract visits from iOS devices; a visit loaded the hidden iframe, which in turn ran the exploit chain.
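The delivery mechanism described above, an injected iframe that the visitor never sees, leaves a footprint in the served HTML. The check below is an added example, not code from GTIG, Kaspersky, or the Coruna authors: it parses a page with Python's standard-library HTML parser and flags iframes that are hidden by attribute, CSS, or 0/1-pixel dimensions, noting whether each loads a third-party origin. The HTML sample, the site hostname `shop.example`, and the IP `203.0.113.7` are constructed for the example.

```python
"""Flag hidden <iframe> elements in served HTML (added example, not GTIG's code).

Site owners can run this over their own pages to spot the injection pattern
described above. Only hidden frames are reported; visible third-party embeds
(video players, payment widgets) are left alone to keep noise down.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make an element invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\d.])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value):
    """True when a width/height attribute collapses the frame to 0 or 1 px."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return hidden iframes found in `html`, with reasons and origin info.

    site_host is the hostname the page is served from; any other hostname
    in an iframe src (or its subdomains) counts as third-party.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("0/1 px dimensions")
        if not reasons:
            continue  # visible frame: not the pattern we are looking for
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        third_party = bool(host) and host != site_host \
            and not host.endswith("." + site_host)
        findings.append({"src": src, "reasons": reasons,
                         "third_party": third_party})
    return findings


# Constructed sample page: one visible embed, one hidden first-party frame,
# one hidden, off-screen, 1x1 frame pointing at an unrelated origin.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.shop.example/widget" style="display:none"></iframe>
<iframe src="https://203.0.113.7/loader.html" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "shop.example"):
        flag = "THIRD-PARTY" if f["third_party"] else "first-party"
        print(f"{flag}: {f['src']} ({', '.join(f['reasons'])})")
```

A hidden first-party frame is often legitimate (tracking pixels, A/B tooling), so the third-party flag is what deserves immediate attention. Note that this only inspects static HTML; an iframe injected at runtime by script will not appear here, and a headless-browser DOM snapshot would be the next step for that case.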
The Debug Version Revelation
A crucial breakthrough came when GTIG found that one operator had deployed a debug build of the exploit kit, exposing every vulnerability that makes up Coruna. The build showed that all exploit codenames were written in English: CVE-2024-23222 (CVSS 8.8), a WebKit bug, was codenamed "cassowary," while CVE-2020-27932 (CVSS 7.8), a kernel type confusion flaw, was referred to as "Neutron."
The Triangulation Connection
Of particular interest were CVE-2023-32434 (CVSS 7.8) and CVE-2023-38606 (CVSS 5.5), codenamed Photon and Gallium respectively. Both vulnerabilities were also exploited in Operation Triangulation, the 2023 campaign that Kaspersky publicized and which the FSB alleged was an NSA operation.
Security researcher Rocky Cole of iVerify told Wired that he believed the US government was likely behind Coruna's development, citing its sophistication and similarities to other modules publicly attributed to US agencies. "This is the first example we've seen of very likely US government tools spinning out of control and being used by both our adversaries and cybercriminal groups," Cole stated.
Kaspersky's Technical Rebuttal
However, Boris Larin, principal security researcher at Kaspersky GReAT, told The Register that there's no evidence supporting code reuse between Coruna and Operation Triangulation. "We see no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors," Larin stated.
Larin emphasized the technical sophistication of the shared vulnerabilities: "CVE-2023-32434 gives an attacker full control over the deepest layer of iOS – the kernel, which governs everything the phone does. CVE-2023-38606 goes a step further: it exploited a previously undocumented feature of Apple's own chips to bypass security protections that operate at the hardware level."
He noted that both vulnerabilities now have publicly available exploit implementations, so any sufficiently skilled team could write its own exploits without ever seeing the Triangulation code. That leaves two possibilities: Photon and Gallium were stripped from the Triangulation package after Kaspersky's discovery and resold, or they were independently developed by equally capable attackers.
Market Implications and Attribution Challenges
The discovery of Coruna highlights the complex ecosystem of zero-day vulnerabilities and the challenges of accurate attribution in cybersecurity. The fact that the same exploit kit appears to be used by different groups for different purposes suggests a thriving secondary market for sophisticated attack tools.
GTIG published full technical details of the exploit kit's execution, along with indicators of compromise, in its blog post, giving defenders what they need to detect and block these attacks.
The Register has reached out to the NSA for comment on the allegations, though the agency has not yet responded to requests for clarification on its potential involvement or connection to the Coruna toolkit.