← Back to database

Predaxia Research

Operation Triangulation (TriangleDB)

Unattributed (FSB allegations against NSA, unconfirmed) · Unknown / disputed

Patched July 20234 zero-days disclosed
4

Confidence 4/5

DiscoveryKaspersky GReAT, June 2023 (against own employees)
Spyware implantTriangleDB (memory-resident, not persistent)
Attack vectorZero-click iMessage attachment
Affected platformsiOS up to 16.2
Vulnerabilities usedCVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990
PatchesApple iOS 16.5.1 and iOS 16.6 (2023)
Disclosure37th Chaos Communication Congress, December 2023
VendorNot publicly attributed. Russian FSB alleged NSA involvement (denied by Apple)

Technical capabilities

Operation Triangulation is, per Kaspersky GReAT, the most sophisticated iOS attack chain publicly documented. The full chain exploits four zero-day vulnerabilities to achieve full device compromise via a zero-click iMessage attachment.

The four zero-days

  • CVE-2023-41990: Remote code execution in the undocumented Apple-only ADJUST TrueType font instruction.
  • CVE-2023-32434: Integer overflow in XNU memory mapping syscalls. Provides attackers with read/write access to the entire physical memory of the device at user level.
  • CVE-2023-32435: WebKit browser engine bug used by the Safari exploit stage to execute shellcode.
  • CVE-2023-38606: Hardware memory-mapped I/O (MMIO) registers used to bypass the Page Protection Layer (PPL). The most novel discovery: the attackers exploited undocumented hardware features in Apple A12-A16 Bionic processors, possibly originally intended for testing or debugging.

Attack chain

  • Attacker sends a malicious iMessage attachment to the victim. Process happens with no user interaction.
  • The attachment exploits CVE-2023-41990 (font instruction) to gain initial code execution.
  • JavaScript exploit (approximately 11,000 lines, obfuscated) exploits CVE-2023-32434 to obtain read/write access to physical memory.
  • The exploit runs IMAgent process to clear traces of the iMessage and launches Safari in invisible mode.
  • Safari exploit uses CVE-2023-32435 to execute shellcode.
  • TriangleDB main implant is loaded.
  • TriangleDB operates only in device memory, so it is erased after a reboot.

Documented victims

  • Kaspersky discovered the attack while monitoring its own corporate Wi-Fi network and finding traces on iOS devices of its employees.
  • Per FSB statement on June 2023, “several thousand” infected devices in Russia, NATO countries, post-Soviet space, Israel, Syria, and China. The FSB alleged NSA involvement and accused Apple of cooperation. Apple denied accusations.
  • Independent forensic confirmation by Kaspersky was limited to its own employees due to the malware’s memory-only persistence and self-deletion features.

Customer states / attribution

Operation Triangulation has no publicly confirmed commercial vendor attribution. Russian FSB alleged NSA involvement on June 2023, accusing Apple of cooperation in the alleged operation. Apple denied these accusations the same day. Independent researchers including Kaspersky GReAT have not publicly endorsed the FSB attribution. The technical sophistication is consistent with a nation-state actor but does not by itself establish identity.

Geopolitical and policy consequences

  • July-August 2023: Russian Ministry of Digital Development, Ministry of Industry and Trade, Ministry of Transport, Federal Tax Service, and Russian Railways banned Apple devices for official use.
  • September 2023: China expanded its iPhone ban to include state-controlled companies in addition to government employees.
  • 2024: South Korea’s Ministry of National Defense announced an iPhone ban for security reasons.

Technical countermeasures

  • Update iOS: all four vulnerabilities are patched in iOS 16.5.1 and iOS 16.6 onwards. Devices on iOS 17 and 18 are not affected by this specific chain.
  • iOS Lockdown Mode (iOS 16+): would have prevented the initial exploitation vector.
  • Reboot regularly: TriangleDB operates only in memory, so reboot erases the infection.
  • For high-risk profiles: assume that additional undocumented Apple hardware features may be discovered and exploited.
  • Forensic verification: Kaspersky has published indicators and a free triangle_check tool for Triangulation traces.
Why this matters beyond the specific attack. Operation Triangulation demonstrated that hardware-level security through obscurity can be defeated. Modern Apple Silicon includes undocumented features that were exploited as zero-days. This is a structural lesson: closed hardware architectures cannot be assumed safe simply because their internals are not publicly documented.

Update log

February 25, 2026: Page launched. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.