Latest Tech News

Beware of TriangleDB: The New Spyware Threat on Your iOS Device


More details have emerged regarding the spyware implant used in Operation Triangulation, a campaign targeting iOS devices. Kaspersky, the cybersecurity company that discovered the operation, has codenamed the backdoor TriangleDB. The malware has a lifespan of 30 days, after which it automatically uninstalls unless the attackers extend the time period.

According to Kaspersky researchers, the implant is deployed after the attackers exploit a kernel vulnerability to gain root privileges on the target iOS device. It operates in memory, leaving no traces when the device is rebooted. This means that if the victim restarts their device, the attackers must reinfect it by sending an iMessage with a malicious attachment, initiating the entire exploitation chain once again.

Operation Triangulation relies on zero-click exploits through the iMessage platform, granting the spyware complete control over the device and user data. The attack involves an invisible iMessage with a malicious attachment, which exploits vulnerabilities in the iOS operating system to install the spyware without user interaction.

TriangleDB, written in Objective-C, forms the core of the covert framework. It establishes encrypted connections with a command-and-control (C2) server and periodically sends heartbeat beacons containing device metadata. In response, the server sends one of 24 commands that allow the extraction of iCloud Keychain data and loading of additional Mach-O modules to collect sensitive information.

This includes file contents, geolocation, installed iOS applications, running processes, and more. The attack chain concludes by erasing the initial message to cover up the tracks. Examination of the source code reveals unusual aspects, such as referring to string decryption as “unmunging” and using database terminology for files, processes, the C2 server, and geolocation information.

There is also a routine named “populateWithFieldsMacOSOnly,” which is not called in the iOS implant but suggests the possibility of TriangleDB being used to target macOS devices as well. The implant requests various entitlements (permissions) from the operating system, some of which are not utilized in the code, implying potential implementation in modules.

The campaign’s origin and ultimate objectives remain unknown. Apple has previously stated that it has never worked with any government to insert a backdoor into its products and never will. The Russian government, however, has accused the U.S. of breaching thousands of Apple devices belonging to both domestic subscribers and foreign diplomats in what it claims was a reconnaissance operation.

For more exclusive content and articles, follow us on Twitter and Telegram. Stay informed and protected from emerging threats.

Creative Mind

Hello Dope SOUL'S, I'm the founder of, a self-taught blogger with a passion for technology. My journey began with a fascination for tech's power to shape our world, leading me to self-learn computer science and engineering. After years as a self-taught software engineer, I realized my true calling lay in sharing knowledge. This inspired, where I provide valuable insights on tech trends, gadgets, and software. As a self-taught blogger, I explore new tech, analyze trends, and offer honest reviews. I believe in demystifying complex subjects for both tech enthusiasts and beginners. Beyond blogging, I actively engage in tech conferences, collaborating with industry pros to ensure my content stays accurate and relevant. is a platform dedicated to sharing knowledge, connecting with the tech community, and helping readers navigate the ever-evolving tech landscape. Thanks for joining this journey. Stay curious and tech-savvy! Best regards, [Creative Mind] Founder,

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button