
The Proliferation of Advanced iOS Vulnerability Frameworks: Coruna and DarkSword

Two sophisticated iOS vulnerability frameworks, Coruna and DarkSword, have transitioned from highly resourced origins to financially motivated threat actors. This shift emphasizes the need for organizations to implement comprehensive mobile visibility and credential protection, and to defend against advanced lateral movement capabilities.

Triage Security Media Team

Coruna, an advanced mobile vulnerability framework utilizing zero-day vulnerabilities for high-level espionage operations, shares technical links with the 2023 Operation Triangulation surveillance campaign. Recent analysis shows that Coruna, along with a similar framework known as DarkSword, has transitioned into the hands of financially motivated groups and a Russian state-aligned actor tracked as UNC6353.

Furthermore, components of DarkSword were recently published to GitHub. This release significantly lowers the barrier to entry, placing advanced iOS compromise capabilities within reach of a broader range of unauthorized actors and requiring organizations to evaluate their mobile defense posture.

Rocky Cole, co-founder of iVerify—which analyzed both frameworks—indicates that the technology underlying Coruna was likely developed by Trenchant, the surveillance tech division of US military contractor L3Harris. Meanwhile, DarkSword, a separate tool with a comparable operational history, was likely developed in the Gulf region, potentially by the DarkMatter Group or former personnel.

"In the case of Coruna, it was very likely a government contractor who sold it to zero-day brokers," Cole notes. "In the case of DarkSword, I think it's possible the firm that developed it went defunct and offloaded it to try to salvage some investment. Either way, it made its way onto the secondary market for resale, and then from there fell into the hands of Russian state operators."

UNC6353 has deployed both tools via watering hole campaigns in Ukraine. These operations focused on commercial targets, including industrial and retail vendors, as well as local services and a news agency in the Donbas region. Researchers note that DarkSword has also been utilized by multiple commercial surveillance companies and suspected state-sponsored actors across Saudi Arabia, Turkey, Malaysia, and Ukraine. Following the GitHub publication, broader experimentation by unauthorized users has been observed.

In early 2023, Kaspersky identified anomalous behavior during routine security monitoring; the activity was found internally, on the company's own employees' devices.

This discovery provided the first evidence of Operation Triangulation, a four-year surveillance campaign affecting thousands of devices in Russia, including those of senior Kaspersky personnel and diplomatic missions. Russia's Federal Security Service (FSB) attributed the activity to the US National Security Agency (NSA).

Subsequent analysis by iVerify researchers revealed clear structural overlaps between the software used in Operation Triangulation and the newly discovered Coruna iOS framework. Following further technical review, Kaspersky confirmed that Coruna functions as an evolution of Operation Triangulation. The framework has since incorporated four new iOS kernel vulnerabilities, establishing a total of five vulnerability chains spanning 23 distinct CVEs.

Threat actors have actively customized this core architecture with varying delivery mechanisms and final modules tailored to specific operational objectives.

"The big difference between kits like Coruna and DarkSword and other top-tier iOS spyware is that both of the former tools had additional code added to them by an unknown party to introduce financial theft and cryptocurrency capabilities," explains Justin Albrecht, principal researcher at Lookout.

For example, while Coruna was originally deployed against highly specific targets, Google Threat Intelligence observed UNC6353 embedding it within invisible iframes on compromised Ukrainian websites. Additionally, a Chinese threat group tracked as UNC6691 removed the framework's geolocation restrictions to distribute it across cryptocurrency scam sites. UNC6691's deployment featured custom modules designed specifically for cryptocurrency theft, marking a significant departure from Coruna's original espionage focus.

Google researchers noted: "It’s not known whether the additional code was accomplished by the second-hand broker, or by the threat actors themselves, but we consider it highly likely that both Coruna and DarkSword were acquired and then modified to conduct financial theft as well as espionage."

State-Level Capabilities Reach Financially Motivated Actors

Coruna is not the first advanced cyber capability to transition into Russian possession, and DarkSword represents the latest in a series of commercial surveillance tools utilized by non-state actors. However, the current environment demonstrates these tools migrating further down the resource chain to financially motivated groups.

Albrecht notes that the transfer of capabilities between state intelligence apparatuses and criminal organizations aligns with documented operational models. "We should consider Russia’s well documented use of criminal proxy groups to target Ukraine and to conduct financial theft," he says. "The relationship between Russian Intelligence organizations and various Russian cybercriminal groups, such as a partnership between RomCom and Trickbot, essentially functions as a modern-day privateer model."

This dynamic results in lower-tier threat actors operating with state-level technical capabilities. As Cole observes, "Coruna has 23 vulnerabilities across five chains. It probably costs $30 million to $40 million to develop something like that," a development cost far exceeding typical non-government malware.

Defending Against Advanced Mobile Threats

As premium surveillance capabilities continue to proliferate to financially motivated threat actors, organizations that previously considered themselves outside the scope of advanced persistent threats (APTs) must update their defensive models.

Albrecht advises security leaders to prioritize advanced mobile protections and visibility platforms. "Consider that malware like this pulls entire keychains and credentials off of the device in minutes," he says. "At this point the risk isn’t only to the mobile device itself, because the attacker now has credentials and can merely log in to the corporate network. They have all Wi-Fi credentials, so their level of access and potential for lateral movement is elevated. Without visibility and protection on the iOS devices there’s no protection beyond what the OS provides to stop these attacks, and there’s certainly no visibility to know how and where the attack started."

Cole reinforces this assessment, noting that while Apple has patched the specific vulnerabilities utilized by these frameworks...