Coruna iOS Exploit Kit Signals Persistent Advanced Threat Evolution Rather Than Novel Attack
A new iOS exploit kit called Coruna reuses and updates kernel exploits originally deployed in Operation Triangulation three years ago, indicating that sophisticated threat actors are recycling proven attack code rather than developing entirely new exploits.
Coruna's reliance on kernel exploits from Operation Triangulation, rather than novel code, reveals important constraints in the advanced threat actor ecosystem. Developing iOS kernel exploits requires substantial reverse-engineering effort and deep knowledge of Apple's security mitigations. When a threat actor finds a working exploit, updating and redeploying it across multiple campaigns becomes a rational choice, especially if the underlying kernel vulnerabilities remain unpatched or if Apple's mitigations can be circumvented with minor adjustments.
The reuse pattern suggests that either the original kernel vulnerabilities have not been fully remediated across iOS versions, or the attackers have developed reliable techniques for updating their exploits so that exploitation still succeeds despite Apple's security updates. This is a technical efficiency calculation: investing resources in updating known-working code is cheaper than developing new exploits from scratch when zero-days require months of research and have unpredictable lifespans.
For defenders, the implication is that historical operation data and vulnerability timelines become operational intelligence. If Coruna is indeed an evolution of Triangulation-era code, security teams should review what vulnerabilities were exploited in the original campaign and verify whether their organisations have deployed corresponding patches across all iOS devices. The three-year gap between campaigns also suggests that threat actors maintain persistent toolsets and preserve them for long-term campaigns.
Organisations running iOS should assume that if a kernel exploit was weaponised before, it may be weaponised again unless explicitly patched. This reinforces the value of tracking CVE lifecycles and maintaining detailed inventory of iOS versions in use. The emergence of Coruna also indicates that Operation Triangulation was not a one-off campaign but part of a broader operational framework that continues to evolve.
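The inventory check recommended above can be automated. The following is an added example, not code from the article or from any vendor: the CVE ids are placeholders, the fixed-version numbers and the device export are constructed, and the CSV column names are hypothetical. It compares each device against the first fixed version on its own iOS branch, because a fix may be backported to some branches and not others.

```python
import csv
import io
# Constructed fix table: placeholder CVE ids and illustrative version numbers,
# not real advisory data. Per CVE: iOS major branch -> first fixed version.
FIXED_IN = {
    "CVE-PLACEHOLDER-A": {15: (15, 7, 7), 16: (16, 5, 1)},
    "CVE-PLACEHOLDER-B": {16: (16, 6, 0)},  # no backport to the 15.x branch
}

# Constructed MDM inventory export; the column names are hypothetical.
INVENTORY_CSV = """device_id,os_version
ipad-001,15.7.8
iphone-002,16.5
iphone-003,16.6.1
iphone-004,14.8
iphone-005,17.0
iphone-006,
"""

def parse_version(text):
    """Turn '16.5' into (16, 5, 0); return None if empty or malformed."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def exposed(version, fixes):
    """True if a device on `version` lacks the fix described by `fixes`."""
    if version is None:
        return True  # unknown version: treat as exposed until verified
    major = version[0]
    if major in fixes:
        return version < fixes[major]
    # Newer than every fixed branch: assumed fixed. Any other unlisted branch: exposed.
    return major < max(fixes)

def audit(csv_text, fixed_in=FIXED_IN):
    """Map device_id -> sorted CVE ids the device is still exposed to."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["os_version"])
        open_cves = sorted(c for c, f in fixed_in.items() if exposed(version, f))
        if open_cves:
            report[row["device_id"]] = open_cves
    return report

if __name__ == "__main__":
    print(audit(INVENTORY_CSV))
```

Note that the device on 15.7.8 is clear of the first placeholder CVE but still exposed to the second, which a single "minimum iOS version" threshold would miss, and that a device with no reported version is counted as exposed.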
The broader implication is that advanced threat actors operate with multi-year planning horizons and treat proven exploits as assets to be maintained and upgraded rather than discarded. This shifts the focus from predicting novel attacks to understanding how legacy code and known vulnerabilities propagate across successive campaigns.