Trending Topics
TRENDING TOPICS MAR 27, 2026

Coruna iOS Exploit Kit Revives and Upgrades Operation Triangulation Framework

Coruna is a newly exposed, nation-state-grade iOS exploit kit that researchers now assess as a direct evolution of the framework used in the 2023 Operation Triangulation espionage campaign. Analysis by Kaspersky’s Global Research and Analysis Team shows that one of Coruna’s kernel exploits, targeting CVE-2023-32434 and CVE-2023-38606, is an updated version of the same exploit chain first seen in Triangulation, with added checks for newer iOS versions and Apple chipsets, and tighter version detection. In total, Coruna bundles five full iOS exploit chains and 23 vulnerabilities, and telemetry from Google and iVerify indicates it has been used by surveillance vendors’ customers, a Russian state-aligned group tracked as UNC6353 in attacks on Ukraine, and financially motivated actors in China, pushing this tooling from targeted espionage into broader, more commoditized abuse. Kaspersky’s fresh reporting confirms that all five kernel exploits in Coruna are built on a common exploitation framework and share code with one another and with other kit components, which reinforces that this is not a patchwork of public PoCs but a maintained, unified platform that has been iterated on since Operation Triangulation. The updated kernel exploit performs more precise iOS and hardware version checks, including support for iOS up to 17.2 and newer processors such as A17 and M3, even though the original bugs were patched earlier, because the shared framework was recompiled to support additional, newer vulnerabilities alongside the legacy ones. Researchers have also identified four other kernel exploits in Coruna, including two developed after Triangulation was publicly disclosed, which shows the same developer, or closely coordinated team, continued investing in this exploitation stack long after it first came to light. The strategic concern is how quickly this framework has moved from tightly controlled cyber-espionage use into the hands of a broader set of actors. 
Google’s threat intelligence team has observed Coruna chains being leveraged in watering-hole campaigns and large-scale operations targeting iPhones running iOS 13 through 17.2.1, and iVerify recently described related infrastructure as enabling what may be the first mass iOS attack of its kind, with millions of still-unpatched devices potentially in scope. Coruna has been seen alongside DarkSword, another sophisticated iOS exploit kit whose recent version leaked on GitHub, lowering the barrier for less capable criminals to adapt high-end mobile exploits, and Western media have reported that at least some of these tools likely originated with a US defense contractor before being repurposed by Russian intelligence-linked operators. For defenders and end users, the guidance is consistent across vendors: install the latest iOS security updates as quickly as possible, assume any device stuck on older versions is at elevated risk, and recognize that iOS exploit frameworks are now modular, reusable platforms that can migrate rapidly from nation-state use to criminal campaigns once they escape into the wild.

Telnyx PyPI Backdoored in Ongoing TeamPCP Supply Chain Rampage

The official Telnyx Python SDK on PyPI has been pulled into TeamPCP’s expanding supply chain campaign, with malicious versions 4.87.1 and 4.87.2 designed to execute credential‑stealing malware as soon as applications import the library. The compromised releases, published in the early hours of March 27, 2026, affect both Windows and Unix-like environments and follow similar backdoors in Trivy, CanisterWorm-driven npm packages, Checkmarx GitHub Actions, and the highly popular LiteLLM package. Researchers tracking the campaign describe a clear pattern: TeamPCP compromises one trusted tool, harvests the CI/CD credentials it can reach, then uses those credentials to poison the next target in line, turning each environment into a stepping stone toward broader cloud, AI, and communications infrastructure. In the Telnyx case, analysis shows that the malicious logic is injected directly into the client module so that there is no install-time hook to block; the payload activates whenever code executes a simple import telnyx statement, which means any build pipeline, microservice, or script that pulled 4.87.1 or 4.87.2 must be treated as compromised. The Windows path uses a backdoor delivered via seemingly harmless WAV audio files fetched from a hard-coded C2 server, while the Linux and macOS paths chain together multiple stages of Python-based collection and encrypted exfiltration that target environment variables, tokens, and other secrets accessible on the host. This WAV steganography technique first appeared in TeamPCP’s Kubernetes-focused “kamikaze” and CanisterWorm operations and is now being reused across ecosystems, allowing payloads to slip past simple content filters that see only valid audio. Defenders need to respond on two fronts: immediate containment and structural hardening.
Any organization that installed Telnyx 4.87.1 or 4.87.2 should downgrade and pin to 4.87.0, rotate all secrets reachable from affected hosts or CI jobs, remove any persistence artifacts on Windows hosts, and block outbound traffic to the documented C2 infrastructure. Just as importantly, teams should assume that Telnyx is only one node in a wider campaign and use this incident as a forcing function to audit their entire dependency tree, verify whether Trivy, LiteLLM, Checkmarx Actions, or other compromised components were in use, and enforce strict version pinning and commit-SHA pinning for critical tools so that mutable tags cannot be silently turned into malware delivery mechanisms again.
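The containment and pinning steps above can be checked mechanically. The following script is an added example written for this summary, not tooling from Telnyx or the researchers cited: it flags the two compromised telnyx releases and any unpinned requirement in a requirements.txt body, and flags GitHub Actions `uses:` references that are not pinned to a full commit SHA. The sample inputs are constructed.

```python
"""Audit Python requirements and a GitHub Actions workflow against the
pinning guidance in the Telnyx report. Sample inputs below are constructed
for this example and do not come from any real repository."""
import re

# Compromised releases named in the report; 4.87.0 is the recommended pin.
BAD_VERSIONS = {"telnyx": {"4.87.1", "4.87.2"}}
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<|!=)?\s*([^\s;#]*)")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_requirements(text):
    """Return (package, issue) tuples for a requirements.txt body."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):  # comments, -r/-e lines
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        op, ver = m.group(2), m.group(3)
        if op != "==":  # a mutable range can silently resolve to a bad release
            findings.append((name, "not pinned with =="))
        elif ver in BAD_VERSIONS.get(name, set()):
            findings.append((name, f"known-compromised version {ver}"))
    return findings


def audit_workflow(text):
    """Return (action, ref) pairs whose ref is a mutable tag, not a commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


# Constructed sample inputs: one compromised pin, one unpinned range,
# one tag-pinned action and one SHA-pinned action (placeholder SHA).
SAMPLE_REQS = "telnyx==4.87.1\nrequests>=2.31\nlitellm==1.0.0\n"
SAMPLE_WORKFLOW = (
    "steps:\n"
    "  - uses: actions/checkout@v4\n"
    f"  - uses: actions/setup-python@{'0' * 40}\n"
)

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQS) + audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```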

Bearlyfy’s GenieLocker Ransomware Escalates Pro‑Ukrainian Attacks on Russian Businesses

Bearlyfy, also tracked as Labubu, has rapidly evolved from a noisy newcomer into a consistently disruptive pro‑Ukrainian threat group that has hit more than 70 Russian companies since emerging in early 2025. Its operations blend financial extortion with politically motivated sabotage, using ransomware as both a revenue stream and a tool to inflict maximum operational damage on Russian organizations. Over the past year, the group has progressed from reusing third‑party lockers like LockBit 3 and Babuk to deploying its own custom Windows strain, GenieLocker, signaling a shift toward greater technical independence and staying power. Bearlyfy’s playbook favors speed over subtlety. Intrusions typically begin with the exploitation of exposed services or vulnerable applications, after which the operators quickly drop remote access tools such as MeshAgent to position themselves for rapid encryption, data destruction, or manipulation. Unlike more traditional APT-style groups such as PhantomCore, which focus on long-term persistence and data theft against Russian and Belarusian targets, Bearlyfy’s hallmark is “rapid-fire” attacks with minimal preparation and fast data encryption. Ransom notes are not generated by the ransomware itself but are crafted manually by the operators, allowing them to tailor language, apply psychological pressure, and adjust demands, which have escalated from tens of thousands of euros to hundreds of thousands of dollars as their victim list has grown. The introduction of GenieLocker in March 2026 marks the latest stage in this maturation. Inspired by the encryption approach used in the Venus and Trinity ransomware families, GenieLocker targets Windows endpoints and further streamlines Bearlyfy’s ability to run its own campaigns without depending on external crews or commodity builders.
At the same time, overlaps in tooling and infrastructure link Bearlyfy to other Ukraine-aligned outfits such as PhantomCore and suggest occasional collaboration with Head Mare, reinforcing that these operations are part of a wider pro‑Ukrainian cyber ecosystem focused on Russian and allied businesses. With roughly one in five victims reportedly paying, Bearlyfy has secured a sustainable illicit funding model while becoming a persistent operational headache for Russian enterprises.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
