SGGPO
Following reports of the Operation Triangulation campaign targeting iOS devices, Kaspersky experts shed light on the details of the spyware used in the attack.
TriangleDB malware has attacked iOS devices
Kaspersky recently reported on a new mobile APT (Advanced Persistent Threat) campaign targeting iOS devices via iMessage. After a six-month investigation, Kaspersky researchers have published an in-depth analysis of the exploit chain and detailed findings of the spyware infection.
The software, called TriangleDB, is deployed by exploiting a vulnerability to gain root access on iOS devices. Once launched, it only operates in the device's memory, so traces of the infection disappear when the device reboots. So if the victim reboots the device, the attacker needs to re-infect the device by sending another iMessage with a malicious attachment, starting the entire exploit process again.
If the device is not rebooted, the software will automatically uninstall itself after 30 days, unless the attackers extend this period. Acting as a sophisticated spyware, TriangleDB performs a variety of data collection and monitoring capabilities.
The software includes 24 commands with diverse functions. These commands serve various purposes, such as interacting with the device's file system (including creating, modifying, extracting, and deleting files), managing processes (listing and terminating), extracting strings to collect victim credentials, and monitoring the victim's geographic location.
While analyzing TriangleDB, Kaspersky experts discovered that the CRConfig class contains an unused method called populateWithFieldsMacOSOnly. Although it is not used in the iOS infection, its presence suggests the ability to target macOS devices.
Kaspersky recommends that users take the following measures to avoid becoming victims of targeted attacks:
- For endpoint protection, investigation and timely response, use a reliable enterprise security solution, such as Kaspersky Unified Monitoring and Analysis Platform (KUMA).
- Update Microsoft Windows operating systems and third-party software as soon as possible, and regularly.
- Provide SOC teams with access to the latest Threat Intelligence (TI). Kaspersky Threat Intelligence is a single point of access to corporate TI, providing 20 years of cyberattack data, information and reports from Kaspersky.
- Equip cybersecurity teams to tackle the latest targeted threats with Kaspersky's online training, developed by experts at GReAT.
- Since many targeted attacks start with phishing or social engineering tactics, provide security awareness training and skills training to company employees, such as the Kaspersky Automated Security Awareness Platform…
“As we dug deeper into the attack, we discovered that this sophisticated iOS infection had several strange features. We continue to analyze the campaign and will keep everyone updated as we learn more about this sophisticated attack. We urge the cybersecurity community to share knowledge and collaborate to get a clearer picture of the threats out there,” said Georgy Kucherin, security expert at Kaspersky’s Global Research and Analysis Team.