Connect with us

Hi, what are you looking for?


Malware & Threats

Stealth Techniques Used in ‘Operation Triangulation’ iOS Attack Dissected

Kaspersky analyzes the stealth techniques that were used in the ‘Operation Triangulation’ iOS zero-click attacks.

The iOS zero-click attacks that targeted the iPhones of dozens of Kaspersky senior employees earlier this year focused heavily on exercising stealth, the Russian cybersecurity vendor says.

Referred to as ‘Operation Triangulation’, the attacks involved malicious iMessage attachments designed to exploit a remote code execution (RCE) zero-day and deploy a spyware implant dubbed TriangleDB. Apple released patches for the vulnerability in late June.

The iOS zero-click attacks were disclosed on the same day that Russia’s Federal Security Service (FSB) blamed US intelligence agencies for a spy campaign targeting the iOS devices belonging to diplomats.

On Monday, Kaspersky released a new report detailing the various stealth techniques that the threat actor behind Operation Triangulation has employed, along with some of the components used in the attack.

Before the TriangleDB implant was deployed on the target devices, two validators were used to collect device information and ensure that the code would not be executed on research environments.

The invisible iMessage attachment containing the zero-click exploit silently opens an HTML page hosting the first validator, in the form of obfuscated JavaScript code. The code performs various checks and fingerprinting, sends collected information to a remote server, and waits for the next stage.

The second validator, a Mach-O binary file, removes crash logs and any traces of the malicious iMessage attachment from various databases, lists running processes and installed applications, checks for the device’s jailbreak status, collects user information, and turns on personalized ad tracking.

The binary validator, Kaspersky says, implements these actions for both iOS and macOS, and then sends the collected data to its command-and-control (C&C) server, which responds with the TriangleDB implant.

Advertisement. Scroll to continue reading.

According to Kaspersky, the implant too was designed to look for crash log files and database files that may contain traces of the iMessages attachment, and deletes them to prevent the malware’s identification.

The implant, Kaspersky discovered, contained a microphone-recording module named ‘msu3h’, which could record for three hours by default, and which would suspend recording if the battery level is lower than 10% and if the device’s screen is in use.

The attackers also implemented an additional keychain exfiltration module, SQLite database stealing capabilities, and a location-monitoring module that used network metadata if GPS was not available.

“The adversary behind Triangulation took great care to avoid detection. They introduced two validators in the infection chain in order to ensure that the exploits and the implant do not get delivered to security researchers. Additionally, microphone recording could be tuned in such a way that it stopped when the screen was being used,” Kaspersky concludes.

Related: Stealthy APT Gelsemium Seen Targeting Southeast Asian Government

Related: Stealthy ‘LabRat’ Campaign Abuses TryCloudflare to Hide Infrastructure

Related: Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.