Operation Triangulation
Kaspersky discovered a zero-click iOS implant on its own employees' iPhones. The exploit chain hinged on an undocumented hardware register hidden inside Apple's CPU.
In June 2023, Kaspersky disclosed an espionage campaign it called Operation Triangulation. The campaign had been quietly compromising iPhones — including those of Kaspersky's own employees — by way of a malicious iMessage attachment that the user never had to interact with.
Four zero-days and one secret register
The exploit chain unraveled by Kaspersky's researchers was unusually elegant, even by the standards of nation-state mobile spyware. It chained four zero-day vulnerabilities, including a kernel memory protection bypass that depended on writing specific values to undocumented memory-mapped I/O (MMIO) registers in Apple's own system-on-chip. The registers were not described in any public Apple documentation; their existence appeared to be known only to people with deep insight into the silicon.
The implant Kaspersky recovered, named TriangleDB, ran in memory only, so it did not survive a reboot; the device was re-infected via the next malicious iMessage. It exfiltrated microphone audio, keychain entries, location, and selected files. Apple shipped patches for the relevant CVEs across several iOS releases through the second half of 2023.
Who and why
Kaspersky declined public attribution, though Russian authorities characterized the campaign as a US intelligence operation aimed at Russian diplomats and Kaspersky staff. The technical specifics — particularly the silicon-level knowledge required — narrowed the field of plausible authors to a very small set of well-resourced actors.
What the chronicle remembers
Triangulation is the cleanest public demonstration of how deep a modern zero-click mobile exploit chain can go. It also gave researchers a rare look at the actual code of a top-tier implant — usually visible only as behavioral fingerprints — and changed assumptions about what a hardware attack surface looks like in 2023.