While monitoring the network traffic of our own corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we discovered a previously unknown mobile APT campaign targeting iOS devices. The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data. We are calling this campaign “Operation Triangulation”.
This is an ongoing investigation, the amount of material we collected is substantial and will take time to analyze. Given the complexity of the attack, we are confident that we are not the only target, and invite everyone to join the research. If you have any additional details to share, please contact us: triangulation[at]kaspersky.com
Reports
While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices, inspected them and discovered traces of compromise.
GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.
Kaspersky analysis of the CloudWizard APT framework used in a campaign in the region of the Russo-Ukrainian conflict.
For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.