Connect with us

Hi, what are you looking for?


Mobile & Wireless

Kaspersky Dissects Spyware Used in iOS Zero-Click Attacks

Russian anti-malware vendor shares technical details on spyware implant deployed as part of recent zero-click iMessage attacks.

iOS Zero-Day Exploits

Russian anti-malware vendor Kaspersky has analyzed the spyware implant deployed as part of recent zero-click iMessage attack that targeted iOS-powered devices in its corporate network.

Referred to as Operation Triangulation, Kaspersky said the campaign targeted several dozen iPhones belonging to senior employees via iMessages carrying a malicious attachment containing an exploit for a remote code execution (RCE) vulnerability.

The exploit code also downloads additional components to obtain root privileges on the target device, after which a spyware implant that Kaspersky dubbed TriangleDB is deployed in memory and the initial iMessage is deleted.

The implant does not feature a persistence mechanism, and, if the target device is rebooted, the entire exploitation chain needs to be launched again for re-infection.

“If no reboot occurs, the implant will automatically uninstall itself after 30 days, unless the attackers extend this period,” Kaspersky added.

Written in Objective-C, the TriangleDB implant communicates with its command-and-control (C&C) server using the Protobuf library for data exchange. Messages are encrypted using symmetric (3DES) and asymmetric (RSA) cryptography and are transmitted over HTTPS, in POST requests.

TriangleDB periodically sends heartbeat messages to the C&C server, which responds with commands transferred as Protobuf messages with obscure type names.

Advertisement. Scroll to continue reading.

Kaspersky’s analysis identified 24 supported commands related to file interaction, process interaction, keychain dumps (likely for harvesting credentials), geolocation monitoring, and the execution of additional modules in the form of Mach-O executables.

The spyware monitors the device for folder changes to identify modified files that have names matching specified regular expressions and queues the identified files for exfiltration.

The Kaspersky documentation also identified artifacts suggesting that the threat actor behind the campaign might also be targeting macOS devices with a similar implant.

Kaspersky disclosed the iOS zero-click attacks against its network on the same day that Russia’s Federal Security Service (FSB) blamed US intelligence agencies, specifically the NSA, for a spy campaign targeting thousands of iOS devices belonging to local users and foreign diplomatic missions.

Related: Russia Blames US Intelligence for iOS Zero-Click Attacks

Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware

Related: Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.