TriangleDB

Malware Profile Updated 3 months ago
TriangleDB is a sophisticated malware implant targeting iOS devices, discovered as part of a likely state-sponsored cyber-espionage campaign named Operation Triangulation. The malware was first disclosed by Kaspersky researchers in June, revealing its deployment through a new zero-click iOS attack. TriangleDB's infection chain contains two unique stages, known as the "JavaScript Validator" and the "Binary Validator," which run before the implant itself is deployed. The implant is associated with a series of Apple zero-day flaws (CVE-2023-46690, CVE-2023-32434, CVE-2023-32439) affecting both iPhones and iPads across government and corporate targets.

During their investigation, Kaspersky researchers unearthed numerous curious details about TriangleDB. Beyond the oddities already present in the implant, it also contains disabled features that could potentially be enabled in the future. These findings were part of a six-month-long investigation, during which Kaspersky successfully collected all components of the attack chain and completed an extensive analysis of the spyware implant.

In response to the discovery and disclosure of TriangleDB, Apple patched the kernel bug exploited by the malware in June. This effectively neutralized the threat posed by TriangleDB, protecting iOS users from potential exploitation and data theft. Even so, the existence and sophistication of TriangleDB underscore the ongoing threats faced by digital devices and the importance of robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names or profiles you may also want to look at.
ID | Votes | Profile Description
cve-2023-38606 | 1 | CVE-2023-38606 is a significant kernel flaw that affects iOS, iPadOS, and macOS-powered devices. This vulnerability was actively exploited against versions of iOS released before iOS 15.7.1. Threat actors exploited this zero-day to gain root privileges on a victim’s iOS device, and then deployed an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant, Malware, Kaspersky, Exploit, iOS, Spyware, Apple, Payload, Zero Day, Operation Tr..., Exploits, iMessage, Remote Code ..., SQLite, macOS, State Sponso..., Vulnerability, Beacon, Backdoor, RCE (Remote ...
Associated Malware
ID | Type | Votes | Profile Description
Pegasus | Unspecified | 1 | Pegasus is a highly sophisticated malware developed by the NSO Group, known for its advanced and invasive capabilities. It is classified as mercenary spyware, often used by governments to target individuals such as journalists, political activists, and others of interest. Pegasus is particularly not
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-46690 | Unspecified | 1 | None
cve-2023-32435 | Unspecified | 1 | None
CVE-2023-32434 | Unspecified | 1 | CVE-2023-32434 is a high severity software vulnerability that allows for arbitrary code execution with kernel privileges. This flaw, along with two others (CVE-2023-32435 and CVE-2023-32439), was identified as a zero-day in June 2023, exploited to deploy the Triangulation spyware via iMessage. The s
CVE-2023-32439 | Unspecified | 1 | CVE-2023-32439 is a significant vulnerability discovered in Apple's WebKit browser engine. This flaw stems from a type confusion issue that could lead to arbitrary code execution if an affected device processes maliciously crafted web content. The vulnerability was reported by an anonymous source an
Source Document References
Information about the TriangleDB malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
Securelist | 4 months ago | Threat landscape for industrial automation systems. H2 2023
CERT-EU | 4 months ago | Apple Zero-Day Exploits Bypass Kernel Security | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securelist | 6 months ago | Kaspersky predictions about ICS and OT threats in 2024
Securelist | 6 months ago | Kaspersky predictions on privacy in 2024
CERT-EU | 7 months ago | The biggest cybersecurity and cyberattack stories of 2023
DARKReading | 7 months ago | ‘Operation Triangulation’ Spyware Attackers Bypass iPhone Memory Protections
Securityaffairs | 7 months ago | Operation Triangulation attacks relied on an undocumented hardware feature
CERT-EU | 7 months ago | Operation Triangulation: The last (hardware) mystery
Securelist | 7 months ago | Windows CLFS and five exploits used by ransomware operators (Exploit #3 – October 2022)
CERT-EU | 8 months ago | New BlueNoroff loader for macOS
Securelist | 8 months ago | Kaspersky Security Bulletin 2023. Statistics
CERT-EU | 8 months ago | Quick: Update iPhones and Macs – WebKit security hole found
Securelist | 8 months ago | Crimeware and financial cyberthreat predictions for 2024
CERT-EU | 8 months ago | Modern Asia APT groups TTPs
CERT-EU | 9 months ago | Unpatched bugs can be abused to steal Kubernetes secrets
CERT-EU | 9 months ago | Apple Private Wi-Fi hasn't worked for the past three years
CERT-EU | 9 months ago | Apple news: iLeakage attack, MAC address leakage bug - Help Net Security
Securelist | 9 months ago | A cascade of compromise: unveiling Lazarus' new campaign
CERT-EU | 9 months ago | Apple issued another patch to stop TriangleDB cyber snooping
CERT-EU | 9 months ago | How Kaspersky obtained all stages of Operation Triangulation