Risky Business #828 – The Coruna Exploits Are Truly Exquisite
Date: March 11, 2026
Host: Patrick Gray
Co-hosts: Adam Boileau, James Wilson
Special Guest: Tony de la Fuente (Prowler)
Episode Overview
This edition of Risky Business explores the recent leak and analysis of the “Coruna” exploit toolkit, clarifying long-standing confusion about its relationship to other high-profile campaigns like “Triangulation.” Patrick, Adam, and James dissect the technical sophistication and impact of these exploits, reflect on wider industry news—including new trends in APT malware, cyber conflict developments, the Trump White House’s cyber strategy document, and executive shakeups at major agencies. The episode closes with a discussion of open source and enterprise cloud security tooling with Tony de la Fuente, founder of Prowler.
Main Theme: The Coruna Exploit Toolkit—Clearing the Attribution Fog
The show opens with Patrick correcting prior misattributions regarding the origins of the “Karuna/Coruna” (spelled both ways) and “Triangulation” exploit toolkits, as used in high-end iOS attacks. The team delivers an insider look at the code’s structure—now available publicly thanks to iVerify—and why this leak matters for understanding top-tier exploitation.
Key Discussion Points & Insights
Attribution Updates: Karuna/Coruna vs. Triangulation ([00:18]–[03:24])
- Clarifying Attribution:
- Last week, Patrick had speculated that Karuna/Coruna and Triangulation were linked and developed by the same vendor (L3Harris Trenchant). This is incorrect.
- Corrected Info:
- “Triangulation was not Trenchant. Karuna was.” – Patrick Gray [02:32]
- Both leveraged at least one overlapping iOS bug, but it’s unclear whether this was parallel discovery or shared deliberately.
- Leak believed to originate from Trenchant via alleged whistleblower Peter Williams.
The Splendor of the Toolkit: Technical Impressions ([03:24]–[09:31])
- Quality of Engineering:
- Adam describes seeing “exquisitely crafted Faberge Egg exploits.”
- The toolchain demonstrates “the high end of the market” – evidence Trenchant staff are “pretty good at this.” ([04:37])
- James’s Apple Perspective:
- As a former Apple iOS engineer, James finds the combination of JavaScript internals, audio buffer overflow, and vector graphics “such a weird feeling… no one would have ever thought to put these three things together.” ([05:10])
- Quote:
- “The sheer depth of knowledge of the internals … is just, you know, I was looking at it from the lens of, okay, people are saying this is nation-state and sophisticated, but what does that actually mean? And gosh, you really do see what that means when you look.” – James Wilson [05:10]
- In-Depth Follow-Up:
- James has recorded an 80-minute solo podcast analyzing the toolkit, available in the “Risky Business Features” podcast. [05:58]
In-Depth Technical Analysis: Bypassing Specialized Hardware Security ([07:46]–[09:31])
- The writeup by Daniel Wade covered the creative bypass of Apple’s page hash/signature checking (PAC).
- “It’s beautiful, it’s signed code being used to sign other unsigned code and it’s magic.” – James Wilson [08:24]
- Adam admires “the glassy look in your eye when you've spent your entire day inside the gubbins of, you know, symbol linking in … someone else's operating system.” [08:46]
Attribution Rumors and Industry Culture ([09:31]–[11:15])
- Trenchant management reportedly didn’t rush to quash rumors of their involvement, enjoying the “positive rumor to have that you were behind this, like, really badass set of exploits.”
- Mystery of Triangulation attribution mostly solved: it’s “another Five Eyes actor” but specifics unknown.
Other Major Security News
1. APT36’s Shoddy “Vibe Coded” Malware ([11:15]–[14:07])
- Bitdefender exposes “Vibr,” a basic Go-based RAT from Pakistan-aligned APT36, containing rookie mistakes such as template C2 addresses left in code.
- Unusual use of niche programming languages (Zig, Crystal, Nim). Speculation: LLMs are likely being used for code translation, and the motivation for language-hopping may be more about fun than about AV evasion, as is sometimes claimed.
2. Iranian & Global APT Trends ([14:07]–[15:25])
- Iranian groups using novel runtimes (e.g., Deno), again possibly driven by LLMs.
- “We’re seeing like LLMs choose brand new languages … and those runtimes don’t even fit the model of what you would want your implant to be doing.” – James Wilson [14:25]
3. Kinetic Response to Cyber Threats ([15:25]–[19:02])
- Israel allegedly airstruck an Iranian cyber HQ—a reminder that cyber operators involved in intelligence are now treated as legitimate military targets. [16:33]
- US casualties in the Iran conflict included cyber reservists; Patrick questions the conflict’s objectives and impact.
- “I don’t quite understand what all of this is for… The whole thing is just tragic.” – Patrick Gray [19:02]
4. Messaging App Woes: Telegram, Macs, Surveillance ([20:07]–[23:58])
- Russian troops oscillate between Telegram and “Macs,” Russia’s homegrown WeChat clone—with each switch allegedly backfiring due to security holes.
- “It is the app that the Russian government has made to make it easier to surveil their own people, which ironically makes it easier for their enemies…” – Patrick Gray [23:58]
5. FBI Surveillance System Breached ([23:58]–[26:44])
- FBI’s “critical surveillance network” reportedly breached—potential access to warrant processing or wiretap tasking, but details are very scarce.
- Patrick: “They seem freaked out, which is not never good.” [25:41]
6. The Trump White House's Cybersecurity Strategy ([26:44]–[33:41])
- The released strategy is only 4 pages once you strip headers and is described as “cybersecurity fan fiction.” [26:44]
- Quote:
- “It reads like cybersecurity fan fiction … we’re going to go after the adversaries and, you know, completely render them helpless, flailing children. You know, it’s bizarre.” – Patrick Gray [27:01]
- James: “I couldn't get through this document … it almost in a super cynical sense feels like someone said…we just want to go and wreck a bunch of stuff in cyberspace.” [29:22]
- Adam: “The U.S. absolutely has amazing offensive capability…defensive cyber…that's hard. Just hacking stuff is easy and the U.S. knows how to do that.” [31:22]
7. US vs. UK: Victim Restitution Funds & Liability Shifts ([33:41]–[37:10])
- US: Considering using funds seized from scammers to reimburse fraud victims (“cyber scam compound” initiative).
- Patrick: Unlike UK models, focus isn't on pushing liability onto banks or telcos.
- “If you want to get this stuff to stop, you do make the banks liable and it stops basically…” – Patrick Gray [36:08]
- James: “When credit card companies take on the burden of all things fraud related and protect the customer, that’s a proven model that works really well.” [36:28]
8. AI Ban Moves & Anthropic’s Position ([37:10]–[41:00])
- White House reportedly preparing an executive order to ban Anthropic (“Claude”) from US government use, sparking ridicule:
- “It’s dumb on every level and it’s extra dumb because it’s…the best model out there and they’re hell bent on getting rid of it.” – James Wilson [38:32]
- “It’s dumb and it’s petty and it’s poorly thought out…” – Adam Boileau [38:46]
- Anthropic launches a code review tool for its AI-generated code:
- “You create the problem, you create the solution.” – Patrick Gray [41:00]
- James: “Just bundle this into the way the thing works.” [41:00]
9. Java Authentication Fails Again ([42:25]–[43:21])
- A bug in the pac4j library allows unsigned JWTs to be accepted, making any user an instant admin:
- Adam: “People who write Java code, for whatever reason seem to write security critical trash.” [42:35]
- Patrick: “That’s like, you know, comedy master class bug. I laughed.” [43:21]
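The failure mode behind item 9 is easy to reproduce in miniature. The following is an added illustration written for this summary, not pac4j’s code and not a description of that library’s actual defect: a minimal HS256 verifier in two versions, a lenient one that skips the signature check when the token claims to be unsigned, and a strict one that takes the algorithm from server policy and treats a missing signature as a hard failure. The key and both tokens are constructed inline for the demonstration.

```python
"""
Added illustration (not pac4j code): a minimal HS256 JWT verifier in a lenient
and a strict version, showing why an unsigned token must never be trusted.
The key and the tokens below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

# Server-side policy: the only algorithm we ever accept. "none" is never on this list.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_token(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what a legitimate issuer produces)."""
    signing_input = _encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + _encode_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict) -> str:
    """Test input only: a token whose header says alg 'none' and whose signature segment is empty."""
    return _encode_segment({"alg": "none", "typ": "JWT"}) + "." + _encode_segment(claims) + "."


def _check_hmac(header_b64: str, claims_b64: str, sig_b64: str, key: bytes) -> None:
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")


def lenient_verify(token: str, key: bytes) -> dict:
    """The failure mode: the token itself decides whether a signature is required."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    if header.get("alg") == "none" or sig_b64 == "":
        return claims  # BUG: claims are trusted without any proof of origin
    _check_hmac(header_b64, claims_b64, sig_b64, key)
    return claims


def strict_verify(token: str, key: bytes) -> dict:
    """Hardened verifier: algorithm from policy, signature mandatory, claims read only after the check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    if not sig_b64:
        raise ValueError("missing signature")
    _check_hmac(header_b64, claims_b64, sig_b64, key)
    return json.loads(_b64url_decode(claims_b64))


def is_admin(verifier, token: str, key: bytes) -> bool:
    """An application's authorization decision; any verification error means 'not admin'."""
    try:
        return verifier(token, key).get("role") == "admin"
    except ValueError:  # covers bad signature, bad base64 and bad JSON
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    genuine = sign_token({"sub": "alice", "role": "user"}, key)
    forged = unsigned_token({"sub": "alice", "role": "admin"})
    print("lenient verifier grants admin to unsigned token:", is_admin(lenient_verify, forged, key))
    print("strict verifier grants admin to unsigned token: ", is_admin(strict_verify, forged, key))
    print("strict verifier accepts genuine token:", strict_verify(genuine, key))
```

The two verifiers differ in one design decision: whether the token's own header is allowed to decide if a signature is required. Reading the algorithm from a server-side allow-list, refusing an empty signature segment, and only parsing the claims after the check succeeds closes the gap; in a code review, any branch that returns claims before the signature comparison is the thing to flag.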
10. NSA and Cyber Command Leadership, CISA's ‘Century of Humiliation’ ([43:31]–[46:34])
- New NSA/Cyber Command head confirmed after a long vacancy.
- CISA continues to hemorrhage senior staff amid dysfunction; nominee Sean Plankey is unlikely to head the agency.
11. Data Governance Debacles at DOGE ([46:34]–[47:14])
- A DOGE employee allegedly walked out with restricted government databases, confirming prior predictions about data governance issues.
12. Chrome Extensions and Gemini: Security Paradoxes ([47:14]–[48:59])
- Palo Alto’s Unit 42 found Chrome’s Gemini agent exposes the full file system to extensions, nullifying years of browser sandboxing work.
- James: “Did no one walk down the hall and talk to the crafty security guy and say, hey, should we be … worried about this?” [48:22]
13. Ransomware Drives Company Insolvent ([48:59]–[49:57])
- Large Romanian meat processor Alex1 files for insolvency due to ransomware recovery costs—serves as a critical slide-deck example for business risk.
Notable Quotes & Timestamps
- “Triangulation was not Trenchant. Karuna was.” – Patrick Gray [02:32]
- “These beautiful, exquisitely crafted Faberge Egg exploits.” – Adam Boileau [04:37]
- “It’s such a weird feeling to be looking at exploit code that is exploiting code that, you know, was written by folks that just … used to work in the building next to you at Infinite Loop.” – James Wilson [05:10]
- “It reads like cybersecurity fan fiction…” – Patrick Gray (re Trump White House document) [26:44]
- “You create the problem, you create the solution.” – Patrick Gray (on Anthropic code review) [41:00]
- “Comedy master class bug. I laughed.” – Patrick Gray (on the pac4j JWT bug) [43:21]
Deep Dive: Sponsor Segment—Prowler with Tony de la Fuente ([51:36]–[61:32])
Overview of Prowler's Open Source and Enterprise Split:
- Prowler remains open source for checks/detections/remediations; enterprise features (like SSO integration, compliance tooling) are commercial and “pointy clicky.” ([51:36])
- “Prowler is de facto tool for cloud security and that is going to keep being exactly the same because it’s our value, right?” – Tony de la Fuente [52:40]
- AI models (like Claude) are now calling Prowler via container spin-up for code/infrastructure audit tasks—even the AI uses Prowler “when it goes to a dead end...” [53:46]
- Cloud AI development is creating fresh security surface area—Prowler finds many misconfigurations as people rush to deploy new AI-powered workloads.
- CLI tooling purposely remains as an open, trusted alternative for organizations uncomfortable with SaaS.
Conclusion
- This episode delivers rare, expert insight into world-class iOS exploitation, clears up persistent industry rumors, and sharply critiques both hacking and defense trends in APT and national policy.
- Coverage spans the full spectrum: exquisite technical achievement (Coruna), policy farce (Trump cyber doc), tragic missteps (Iran war, DOGE data leak), and recurring failures in enterprise software security.
- The sponsor segment confirms best practices in open source/commercial tool design and highlights the realities of AI’s growing operational role in security.
For further technical commentary, listen to James Wilson’s upcoming solo podcast on the Coruna toolkit, and visit the show notes for links to the reports and resources discussed.
