Scan iPhone backups for traces of compromise by “Operation Triangulation”

Triangle Check: scan iTunes backups for traces of compromise by Operation Triangulation

This script allows to scan iTunes backups for indicator of compromise by Operation Triangulation.

For more information, please read Securelist



The script depends on: colorama (for pretty printing), pycryptodome


The triangle_check utility can be installed from PyPI (recommended):

python -m pip install triangle_check

The script can be run as-is (the subdirectory triangle_check is required):

python -m pip install -r requirements.txt

It can also be built into a pip package:

git clone
cd triangle_check
python -m build
python -m pip install dist/triangle_check-1.0-py3-none-any.whl

For Windows or Linux, alternatively use the binary builds of the triangle_check utility.


Usage: python -m triangle_check /path/to/iTunes_backup [backup_password]

iTunes backup location

Locate the backup directory created by iTunes. The exact location depends on the OS and is described here.
The directory you are looking for should contain many subdirectories, and should include ‘Manifest.db’, ‘Manifest.plist’. The backup may be encrypted
with a password, if set up in iTunes. That password is required to decrypt password-protected backups.

Advanced: create backup with libimobiledevice

You can use the tool idevicebackup2 that is a part of the open-source package named libimobiledevice. Popular Linux
distributions, macports and homebrew allow to install it out of the box, and the package can be built from the source code for Linux or OSX.

Scanning the backup

Run the tool against the backup directory. If there are any traces of suspicious activity, the script will print out SUSPICION or DETECTED lines with
more information and detected IOCs, and that would mean that the device was most likely compromised.

Example output:

==== IDENTIFIED TRACES OF COMPROMISE (Operation Triangulation) ====
2022-*-* SUSPICION Suspicious combination of events: 
 * file modification: Library/SMS/Attachments/ab/11
 * file attribute change: Library/SMS/Attachments/ab/11
 * location service stopped:
 * file modification: Library/Preferences/
 * file attribute change: Library/Preferences/
 * file birth: Library/Preferences/
 * file modification: Library/Preferences/
 * file attribute change: Library/Preferences/
 * file birth: Library/Preferences/
2022-*-* DETECTED Exact match by NetUsage : BackupAgent
2022-*-* DETECTED Exact match by NetTimestamp : BackupAgent

What’s next?

The research on the Operation Triangulation is ongoing. For more updates, please check Securelist

Read More

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.