A previously unknown and highly sophisticated Advanced Persistent Threat (APT) has recently come to light, targeting iOS devices in a long-running mobile campaign called Operation Triangulation.

According to cybersecurity firm Kaspersky, the attackers employ zero-click exploits via the iMessage platform to infect their targets. By leveraging these zero-click exploits, the attackers can trigger vulnerabilities on iOS devices without any user interaction. Once compromised, the malware gains root privileges, allowing it complete control over the device and the user’s data.

Kaspersky made this discovery after creating offline backups of the targeted devices, which revealed traces of compromise. The attack chain begins with the victim’s iOS device receiving a message through iMessage containing an attachment bearing the exploit. The exploit, being zero-click in nature, automatically executes the malicious code upon the receipt of the message, without requiring any action from the user.


The exploit’s primary objective is to establish a foothold on the device and retrieve additional payloads for privilege escalation. It also connects to a remote server to download a final-stage malware, described by Kaspersky as a “fully-featured APT platform.” This implant, operating with root privileges, is capable of harvesting sensitive information and executing code downloaded as plugin modules from the server.

To cover their tracks, the attackers delete both the initial message and the exploit attachment, leaving no visible traces of the infection. Interestingly, Kaspersky noted that the malicious toolset does not support persistence, most likely due to the limitations of the iOS operating system. However, the timeline analysis suggests that re-infection may occur after a device reboot.

The scale and scope of Operation Triangulation are yet to be fully determined. Kaspersky has confirmed that the attacks are ongoing, with successful infections observed on devices running iOS 15.7, the version released on September 12, 2022.

The security firm also published a tool on GitHub, named triangle_check, that is useful for identifying suspicious activity in an iOS backup.


Indicators of Compromise

C&C Domains
addatamarket[.]net
backuprabbit[.]com
businessvideonews[.]com
cloudsponcer[.]com
datamarketplace[.]net
mobilegamerstats[.]com
snoweeanalytics[.]com
tagclick-cdn[.]com
topographyupdates[.]com
unlimitedteacup[.]com
virtuallaughing[.]com
web-trackers[.]com
growthtransport[.]com
anstv[.]net
ans7tv[.]net
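The domains above are published in defanged form (`[.]` in place of `.`), so they cannot be fed directly into a log search. The following is an added example written for this article, not Kaspersky's triangle_check tool or any other code from the original report: it refangs the listed C&C domains and sweeps DNS query logs for lookups of those domains or any of their subdomains, while ignoring look-alike names that merely contain an indicator as a substring. The dnsmasq-style log format and the sample log lines are constructed for the demonstration.

```python
"""Sweep DNS query logs for the Operation Triangulation C&C domains."""
import re
from typing import List, Dict, Optional

# C&C domains exactly as listed in the article, in their defanged form.
DEFANGED_IOCS = [
    "addatamarket[.]net", "backuprabbit[.]com", "businessvideonews[.]com",
    "cloudsponcer[.]com", "datamarketplace[.]net", "mobilegamerstats[.]com",
    "snoweeanalytics[.]com", "tagclick-cdn[.]com", "topographyupdates[.]com",
    "unlimitedteacup[.]com", "virtuallaughing[.]com", "web-trackers[.]com",
    "growthtransport[.]com", "anstv[.]net", "ans7tv[.]net",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the IoC domain that `hostname` equals or is a subdomain of, else None.

    Matching is done label by label, so 'cdn.backuprabbit.com' matches
    'backuprabbit.com', but 'notbackuprabbit.com' (substring only) and
    'backuprabbit.com.evil.test' (indicator is not the suffix) do not.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Candidates: the full name, then each parent domain down to two labels.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Assumed dnsmasq-style query line: "query[A] host.example from 10.0.0.5".
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name matches an IoC domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply lines and anything unparseable are skipped
        ioc = matches_ioc(m.group("name"))
        if ioc:
            hits.append({"client": m.group("client"),
                         "query": m.group("name"),
                         "qtype": m.group("qtype"),
                         "ioc": ioc})
    return hits


# Constructed sample log lines (not real traffic) exercising the edge cases.
SAMPLE_LOG = [
    "Jun  1 10:00:01 gw dnsmasq[412]: query[A] www.apple.com from 10.0.0.5",
    "Jun  1 10:00:04 gw dnsmasq[412]: query[A] cdn.backuprabbit.com from 10.0.0.5",
    "Jun  1 10:00:09 gw dnsmasq[412]: query[AAAA] notbackuprabbit.com from 10.0.0.7",
    "Jun  1 10:00:12 gw dnsmasq[412]: query[A] backuprabbit.com.evil.test from 10.0.0.7",
    "Jun  1 10:00:15 gw dnsmasq[412]: query[A] ans7tv.net from 10.0.0.9",
    "Jun  1 10:00:20 gw dnsmasq[412]: reply www.apple.com is 17.253.144.10",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} queried {hit['query']} ({hit['qtype']}) -> IoC {hit['ioc']}")
```

A hit on a DNS lookup is a lead, not proof of infection; the article's point that the implant does not persist across reboots means a device may show C&C lookups only intermittently, so correlate any hit with the client address over time and with a backup check rather than treating a single quiet period as a clean result.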