Cyberwarfare

Russia Blames US Intelligence for iOS Zero-Click Attacks

Kaspersky said its corporate network has been targeted with a zero-click iOS exploit, just as Russia’s FSB said iPhones have been targeted by US intelligence.

Russian anti-malware vendor Kaspersky on Thursday said it discovered an APT actor launching zero-click iMessage exploits on iOS-powered devices in its corporate network.

Kaspersky’s disclosure comes on the same day Russia’s Federal Security Service (FSB) blamed US intelligence agencies for an ongoing spy campaign targeting thousands of iOS devices belonging to domestic subscribers and foreign diplomatic missions.

The FSB, the Russian security agency that succeeded the Soviet KGB, said iPhones belonging to diplomats from NATO countries, China, Israel and Syria were infected as part of an alleged “reconnaissance operation by American intelligence services.”

The spy agency did not release IoCs (indicators of compromise) or technical details on the campaign, which appears to be directly linked to Kaspersky’s public disclosure of iMessage zero-click exploitation.

Kaspersky, which calls the campaign Operation Triangulation, said it collected a significant amount of data and it will take some time to analyze. However, to date the company has determined that the attack involves a zero-click exploit that starts with a malicious message being sent to the targeted user via the iMessage feature.

The message delivers an attachment containing the exploit, which is automatically triggered without any user interaction. 

Advertisement. Scroll to continue reading.

The exploit chain starts with a remote code execution vulnerability. The code is designed to download other components from a command and control (C&C) server, including privilege escalation exploits. 

The final payload has been described by Kaspersky as a “fully-featured APT platform” that runs with root privileges. The company said its investigation is ongoing, but there are clear signs the malware supports commands for collecting system and user information, and executing arbitrary code that is fetched from the C&C server as a plugin module.

Once this final payload has been delivered, the message delivering the exploit is deleted. However, the Russian cybersecurity firm says the attack still leaves traces on a compromised iPhone.

“The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting,” Kaspersky explained. 

It’s unclear if the attack involves the exploitation of zero-day vulnerabilities. Kaspersky has identified attacks dating as far back as 2019. The attacks are ongoing and the newest iOS version confirmed to be targeted is iOS 15.7, which was released in September 2022, and the latest version of the operating system is 16.5.

The security firm has made available details on its forensic investigation methodology, along with device and network IoCs and C&C domains. 

Contacted by SecurityWeek, an Apple spokesperson provided the following statement: “We have never worked with any government to insert a backdoor into any Apple product and never will.”

*updated with statement from Apple

Related: Duqu 2.0 Attack Hits Kaspersky Lab, Venues Tied to Iran Nuclear Talks

Related: New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox

Related: Journalists’ Phones Hacked via iMessage Zero-Day Exploit

Related Content

Government

UNC5792 and UNC4221 have been targeting US government officials, military leaders, and allied personnel.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Using a custom sniffer, the threat actor has captured over 110 million credentials since at least February 2026.

Mobile & Wireless

The vulnerability exploited by the Usbliter8 exploit cannot be patched and a PoC exploit has been released by researchers.

Vulnerabilities

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Vulnerabilities

Exploiting a race condition in Microsoft Defender, the exploit leads to local privilege escalation to SYSTEM.

Artificial Intelligence

Public LLM models with safeguards turned off can also build working exploits, increasing patch gap risks.

Cyberwarfare

Moscow’s agents are building fake companies, recruiting middlemen and deploying cyber spies and hackers who gather information that could be used to attack key...

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version