Kaspersky’s latest look at the Coruna exploit kit answers an important question about recent iPhone attacks: how much of this is genuinely new, and how much is reuse of older, proven offensive tradecraft? Its conclusion is blunt. Coruna’s kernel exploit for CVE-2023-32434 and CVE-2023-38606 is an updated version of the exploit chain previously used in Operation Triangulation.
That detail matters more than it may seem at first glance. It means sophisticated iOS exploitation is not only about discovering fresh zero-days. It is also about maintaining and adapting high-value exploit chains after the original campaign is exposed, patched, and publicly dissected.
What happened
The Coruna framework first surfaced publicly on March 4, 2026, when Google and iVerify published reports on a highly sophisticated exploit kit targeting Apple iPhones. Google said the kit was initially seen in targeted attacks carried out by a customer of an unnamed surveillance vendor. It was later observed in watering-hole attacks in Ukraine and in financially motivated attacks in China.
Researchers also found a debug build of the exploit kit. That version exposed internal exploit names and the framework name used by its developers: Coruna.
According to Kaspersky’s analysis, the kit combines multiple previously patched vulnerabilities. Among them were exploits for CVE-2023-32434 and CVE-2023-38606, two flaws that stood out because they were first identified as zero-days in Operation Triangulation, the complex iOS espionage campaign Kaspersky investigated after spotting suspicious traffic on its own corporate Wi‑Fi network.
Kaspersky says it was able to collect, decrypt, and analyze Coruna components because some of the distribution links cited by Google were still active when the earlier report was published.
Why the Triangulation link is the real story
The headline finding is not simply that Coruna uses old bugs. Plenty of exploit kits rely on patched vulnerabilities when they target devices that lag behind on updates. The notable part is that Coruna appears to reuse an updated version of a kernel exploit chain associated with one of the most technically advanced iPhone operations disclosed in recent years.
That tells readers two things.
First, exploit development has a long shelf life when the underlying code, technique, or engineering pattern is strong enough. Even after public reporting, reverse engineering, and patching, parts of a mature chain can remain useful if the attacker is targeting devices that never moved to current software.
Second, public disclosure does not end the operational value of an exploit. In some cases it may broaden it. Once details are out, different actors can study the same vulnerabilities, build their own variants, or refine code they already possess. Kaspersky explicitly notes that the technical details of both CVEs have long been public and that other researchers had already created their own exploits without ever seeing the original Triangulation code.
So the lesson is not that one campaign somehow never died. It is that advanced iPhone exploitation can become modular. The chain may change hands, get refactored, or be integrated into a framework such as Coruna, but the defensive problem remains if enough devices stay on older iOS releases.
What this means for defenders
There is a tendency in mobile security to treat older iPhones as relatively safe once the most dramatic spyware headlines fade. Coruna argues against that complacency.
If a reusable exploit chain can be refreshed and folded into later operations, then the risk window is not defined only by the date of the original zero-day discovery. It is also defined by how many devices remain on software versions where those patched bugs are still exploitable.
A practical example: imagine a company that issues iPhones to executives, field staff, and contractors. Its core employees update quickly, but a handful of older devices used for travel, testing, or secondary roles remain on outdated iOS builds because “they still work.” From an attacker’s perspective, those stragglers can become the easiest path in. A recycled exploit chain does not need to beat Apple’s newest defenses if the target fleet is unevenly maintained.
That is why the defensive takeaway here is narrower and more concrete than a generic warning about nation-state threats. The real exposure is operational inconsistency. One unmaintained slice of a fleet can keep an older exploit market alive.
Patch status matters more than brand assumptions
The source material also points to an important defensive boundary: current iOS releases and Apple’s Lockdown Mode disrupt these exploit chains. That does not mean every attack disappears, and it does not prove that newer devices are invulnerable. It does mean the attackers described here were relying on conditions that stop being true once devices are fully updated and hardened.
For security teams, that is a useful distinction. The story is not “iPhones are broken.” The story is that older iPhones running behind on patches remain attractive targets, especially when attackers can repurpose expensive research across multiple campaigns and customers.
That also puts pressure on procurement and lifecycle decisions. Organizations often keep mobile devices in circulation longer than laptops and may tolerate update delays because phones feel less exposed or less business-critical. Coruna is a reminder that phones are now part of the same exploit economy as desktops and servers. Old code gets reused when old software stays deployed.
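The straggler check described above, as an added example that is not from Kaspersky, Google or iVerify: it audits a device inventory against a patched baseline and flags high-risk users without Lockdown Mode. The inventory rows, the column layout (including a Lockdown Mode field) and the baseline value are constructed assumptions; the baseline is a placeholder to replace with the release your team has confirmed carries the relevant fixes.

```python
from collections import defaultdict

# ASSUMPTION: placeholder baseline, not a version taken from the article.
# Replace with the first iOS release confirmed to contain the relevant fixes.
PATCHED_BASELINE = "99.0"

# Constructed sample: (device_id, role, ios_version, high_risk_user, lockdown_mode)
INVENTORY = [
    ("ph-001", "executive", "99.1", True, True),
    ("ph-002", "executive", "99.0.2", True, False),
    ("ph-003", "field", "99.0", False, False),
    ("ph-004", "travel-pool", "98.7.1", True, False),
    ("ph-005", "test-lab", "97.4", False, False),
    ("ph-006", "contractor", "unknown", False, False),
]

def parse_version(text):
    """Return a comparable tuple such as (98, 7, 1), or None if unparseable."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # treat "99.0" and "99" as equal
        nums.pop()
    return tuple(nums)

def audit(inventory, baseline):
    """Classify each device and summarize exposure per role."""
    floor = parse_version(baseline)
    findings, by_role = [], defaultdict(lambda: {"total": 0, "exposed": 0})
    for dev_id, role, version, high_risk, lockdown in inventory:
        parsed = parse_version(version)
        by_role[role]["total"] += 1
        if parsed is None:
            # An unreported version is counted as exposed: fail closed.
            findings.append((dev_id, "version-unknown"))
            by_role[role]["exposed"] += 1
        elif parsed < floor:
            findings.append((dev_id, "below-baseline"))
            by_role[role]["exposed"] += 1
        if high_risk and not lockdown:
            findings.append((dev_id, "high-risk-without-lockdown"))
    return findings, dict(by_role)

if __name__ == "__main__":
    findings, by_role = audit(INVENTORY, PATCHED_BASELINE)
    for dev_id, issue in findings:
        print(f"{dev_id}: {issue}")
    for role, c in sorted(by_role.items()):
        print(f"{role}: {c['exposed']}/{c['total']} exposed")
```

In this constructed fleet the primary executive and field devices pass the version check, while every exposed device sits in the travel, test or contractor slice, which is the uneven maintenance the scenario describes.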
What to watch next
The next question is not only who built Coruna or who operated it in each case. It is whether more exploit frameworks will be shown to contain reworked pieces of previously exposed iOS chains.
If that pattern continues, a few consequences follow:
- Threat reporting on “new” mobile exploit kits will need closer technical comparison against older campaigns.
- Patch urgency for mobile fleets will look less like routine hygiene and more like direct exposure reduction.
- Lockdown Mode will keep gaining importance as a practical control for high-risk users, not just a niche feature.
There is also a market implication. Google’s earlier reporting, as described by Kaspersky, tied the exploit kit to a customer of an unnamed surveillance vendor before it spread into other attack contexts. If offensive mobile tooling can move from one customer environment into broader use, the old distinction between boutique surveillance capability and wider criminal or regional threat activity starts to look less tidy.
Kaspersky’s Coruna finding does not prove a single unified actor behind every observed use. It does something more useful: it shows that highly capable mobile exploitation can persist as reusable infrastructure.
For readers deciding what actually matters here, the answer is straightforward. The biggest risk signal is not the name Coruna by itself. It is the evidence that a sophisticated iPhone exploit chain from 2023 could be updated and reused in 2026 against devices still living in the past.