MITRE ATT&CK® Campaign

C0054: Operation Triangulation

Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits in iMessage attachments to gain Initial Access, then executed exploits and validators, such as Binary Validator before finally executing the TriangleDB implant.

Mobile · C0054 · Campaign · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Operation Triangulation matters because it shows how a mobile compromise can start without user interaction and then progress through validation, privilege escalation, discovery, data access, and encrypted command-and-control. For leaders, the key issue is not only malware on a phone; it is whether high-value iOS devices used by executives, administrators, legal, security, or operational staff are visible enough to investigate and contain when traditional endpoint telemetry is limited.

Executive priority

Treat this as a mobile security and incident-readiness planning case. The supplied ATT&CK context ties the campaign to iOS targeting, zero-click iMessage attachment exploitation for initial access, Binary Validator, and the TriangleDB implant. Priority questions are: which users’ mobile devices would create material business, privacy, regulatory, or operational risk if compromised; whether those devices are managed; whether iOS patch and inventory evidence is audit-ready; and whether IR teams have a practical path for mobile triage when official ATT&CK detection guidance is not provided.

Technical view

SOC and IR teams should validate coverage around the documented chain: zero-click iMessage-based initial access, exploitation for client execution and privilege escalation, device validation and discovery, local data access, ingress tool transfer, indicator removal, and application-layer encrypted C2. Relationship context specifically names Binary Validator as collecting device information such as phone number and installed applications before TriangleDB deployment, and TriangleDB as communicating with C2 and relaying victim-device information after root privileges are obtained. Because the campaign object has no official detection text and no explicit platform field, teams should map detections to local mobile telemetry rather than assume desktop-style visibility.

Likely telemetry

  • MDM/UEM inventory showing enrolled iOS devices, OS versions, patch posture, device identifiers, and compliance state
  • Mobile security or EDR telemetry where deployed, including suspicious process, file, privilege, or jailbreak/root indicators
  • Network telemetry from managed devices, VPN, secure web gateway, DNS, proxy, or firewall logs showing unusual application-layer communications
  • Device and application inventory data, especially unexpected changes or anomalous enumeration patterns
  • Forensic mobile artifacts from suspected devices, including messaging-related artifacts, files, directories, keychain-access evidence, and deleted or hidden artifacts where collectible

Detection direction

  • Start with coverage validation, not alert assumptions: ATT&CK provides no official detection guidance for this campaign object.
  • Prioritize high-risk iOS populations and confirm whether mobile telemetry can support investigation of iMessage-originated compromise, exploitation, privilege escalation, and post-compromise discovery.
  • Correlate relationship-driven behaviors: software discovery, file and directory discovery, system/network/process/system information discovery, local data collection, keychain or SMS access where applicable, ingress tool transfer, indicator removal, and encrypted application-layer C2.
  • Tune for mobile false positives: app inventory changes, network configuration reads, and normal encrypted traffic may be common, so detection value depends on sequencing, rarity, device risk tier, and corroborating forensic artifacts.
  • Account for blind spots: personal or unmanaged devices, limited iOS introspection, missing network egress logs, and deleted artifacts can materially reduce confidence.
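The sequencing, rarity and device-tier logic described in the bullets above, as an added worked example that is not Glexia's or MITRE's code. The technique IDs and their stage ordering are taken from the relationship table on this page; the event schema (device, timestamp, technique, source), the three devices, their risk tiers, the 15-minute window and the scoring weights are all constructed for illustration, and the events are assumed to have already been normalised to ATT&CK technique IDs by an upstream MDM, mobile-EDR or proxy pipeline.

```python
"""Sequence-aware triage of mobile telemetry against the Operation Triangulation chain.

Hypothetical example, not Glexia's or MITRE's code. Technique IDs come from the
relationship table on this page; events, device tiers, window and weights are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages in the order the page describes them, each mapped to ATT&CK mobile technique IDs.
STAGES = [
    ("initial_access_exploit", {"T1658"}),
    ("privilege_escalation", {"T1404"}),
    ("discovery", {"T1418", "T1420", "T1422", "T1424", "T1426"}),
    ("collection", {"T1533", "T1634.001", "T1636.004", "T1409", "T1430", "T1429"}),
    ("ingress_tool_transfer", {"T1544"}),
    ("indicator_removal", {"T1630", "T1630.002"}),
    ("c2", {"T1437", "T1521.001", "T1521.002"}),
]
STAGE_INDEX = {tid: i for i, (_, tids) in enumerate(STAGES) for tid in tids}

# Constructed risk-tier multipliers and device population: executive and admin devices weigh more.
TIER_WEIGHT = {"executive": 2.0, "admin": 1.5, "standard": 1.0}
DEVICE_TIER = {"ios-001": "executive", "ios-002": "standard", "ios-003": "admin"}
DEFAULT_WINDOW = timedelta(minutes=15)  # constructed: max gap between consecutive chain stages

# Constructed events, already normalised to technique IDs: (device, ISO timestamp, technique, source).
EVENTS = [
    ("ios-001", "2024-05-01T08:00:00", "T1658", "mobile-edr"),
    ("ios-001", "2024-05-01T08:00:40", "T1404", "mobile-edr"),
    ("ios-001", "2024-05-01T08:02:00", "T1418", "mdm-inventory"),
    ("ios-001", "2024-05-01T08:02:30", "T1422", "mobile-edr"),
    ("ios-001", "2024-05-01T08:05:00", "T1634.001", "mobile-edr"),
    ("ios-001", "2024-05-01T08:06:00", "T1437", "proxy"),
    ("ios-002", "2024-05-01T09:00:00", "T1418", "mdm-inventory"),  # routine app inventory
    ("ios-002", "2024-05-01T09:30:00", "T1437", "proxy"),          # ordinary HTTPS traffic
    ("ios-003", "2024-05-01T10:00:00", "T1422", "mobile-edr"),
    ("ios-003", "2024-05-01T10:01:00", "T1418", "mdm-inventory"),
]


def group_by_device(events):
    """Parse timestamps, drop techniques outside the chain, and sort each device's events."""
    by_device = defaultdict(list)
    for dev, ts, tid, src in events:
        if tid in STAGE_INDEX:
            by_device[dev].append((datetime.fromisoformat(ts), tid, src))
    for evs in by_device.values():
        evs.sort()
    return dict(by_device)


def ordered_chain_length(evs, window):
    """Greedy count of chain stages seen in strictly advancing order, each within `window`
    of the previously accepted event. Same-stage repeats do not extend the run, so a burst
    of routine discovery events scores no higher than a single one."""
    best = 0
    for start in range(len(evs)):
        run, stage, last_ts = 1, STAGE_INDEX[evs[start][1]], evs[start][0]
        for ts, tid, _ in evs[start + 1:]:
            if STAGE_INDEX[tid] > stage and ts - last_ts <= window:
                run, stage, last_ts = run + 1, STAGE_INDEX[tid], ts
        best = max(best, run)
    return best


def rare_techniques(by_device, device, max_devices=1):
    """Techniques observed on `device` that appear on at most `max_devices` devices fleet-wide."""
    seen_on = defaultdict(set)
    for dev, evs in by_device.items():
        for _, tid, _ in evs:
            seen_on[tid].add(dev)
    return {tid for _, tid, _ in by_device[device] if len(seen_on[tid]) <= max_devices}


def triage(events, window=DEFAULT_WINDOW, min_chain=3):
    """Rank devices by (ordered chain length x tier weight) + rare-technique count.
    Only devices reaching `min_chain` ordered stages are flagged for IR follow-up, so
    common single behaviours (inventory reads, encrypted traffic) do not alert on their own."""
    by_device = group_by_device(events)
    results = []
    for dev, evs in by_device.items():
        chain = ordered_chain_length(evs, window)
        rare = rare_techniques(by_device, dev)
        score = chain * TIER_WEIGHT[DEVICE_TIER.get(dev, "standard")] + len(rare)
        results.append({"device": dev, "chain": chain, "rare": sorted(rare),
                        "score": score, "flag": chain >= min_chain})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

With the constructed data, ios-001 reaches five ordered stages within the window and carries three techniques seen nowhere else in the fleet, so it is flagged; ios-002 and ios-003 each show only isolated inventory or network events and stay below the chain threshold even though one of them is an admin device. The ordering and rarity terms are what separate a real progression from the everyday app-inventory and HTTPS noise the bullets warn about.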

Mitigation priorities

  • Maintain enforceable iOS patch and update governance for managed devices, with evidence suitable for audit and incident review.
  • Use MDM/UEM to define the population of business-critical mobile devices, enforce baseline controls, and support rapid isolation, wipe, replacement, or forensic handoff when needed.
  • Limit business exposure from unmanaged mobile access by requiring appropriate device compliance for sensitive email, messaging, identity, and cloud applications.
  • Prepare mobile-specific IR playbooks for suspected zero-click compromise, including preservation, escalation criteria, user communications, and executive-device handling.
  • Review mobile data access paths—credentials, keychain-protected material, SMS, local files, location, microphone-sensitive workflows—and reduce unnecessary exposure where business processes allow.

Analyst notes and limits

This take is based on the supplied ATT&CK campaign description, external references, and relationships. The most decision-relevant relationships are Binary Validator, TriangleDB, Exploitation for Client Execution, Exploitation for Privilege Escalation, discovery techniques, data access techniques, indicator removal, and encrypted/application-layer C2 behaviors. The campaign is described as targeting iOS devices, but the campaign object’s platform and tactics fields are not specified, so defensive mapping should be validated against the organization’s actual mobile estate.

Official ATT&CK detection guidance is not provided for this campaign object. The supplied data does not identify actors, current activity, customer exposure, specific indicators, or guaranteed detection methods. Local telemetry, device management status, and forensic access will determine practical coverage.

Official MITRE ATT&CK definition

Operation Triangulation

Operation Triangulation is a mobile campaign targeting iOS devices.[1] The unidentified actors used zero-click exploits in iMessage attachments to gain Initial Access, then executed exploits and validators, such as Binary Validator before finally executing the TriangleDB implant.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows. Columns: Domain | ID | Name | Relationship / procedure
Mobile T1418 Software Discovery

During Operation Triangulation, the threat actors have obtained a list of installed applications.[SecureList OpTriangulation 21Jun2023]

Mobile T1404 Exploitation for Privilege Escalation

During Operation Triangulation, the threat actors exploited a kernel vulnerability to obtain root privileges.[SecureList OpTriangulation 21Jun2023]

Mobile T1533 Data from Local System

During Operation Triangulation, the threat actors stole data from SQLite databases.[SecureList OpTriangulation 23Oct2023]

Mobile T1630.002 File Deletion (sub-technique)

During Operation Triangulation, the threat actors removed files from the device.[SecureList OpTriangulation 21Jun2023]

Mobile T1544 Ingress Tool Transfer

During Operation Triangulation, the threat actors downloaded subsequent stages from the C2.[1][SecureList OpTriangulation 21Jun2023]

Mobile T1521.001 Symmetric Cryptography (sub-technique)

During Operation Triangulation, the threat actors used 3DES and AES to encrypt C2 communication and data.[SecureList OpTriangulation 21Jun2023][SecureList OpTriangulation 23Oct2023]

Mobile T1430 Location Tracking

During Operation Triangulation, the threat actors monitored the device’s geolocation.[SecureList OpTriangulation 21Jun2023][SecureList OpTriangulation 23Oct2023]

Mobile T1422 System Network Configuration Discovery

During Operation Triangulation, the threat actors used the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.[SecureList OpTriangulation 21Jun2023]

Mobile T1630 Indicator Removal on Host

During Operation Triangulation, the threat actors deleted the initial exploitation message and exploit attachment.[1]

Mobile T1424 Process Discovery

During Operation Triangulation, the threat actors have obtained a list of processes.[SecureList OpTriangulation 21Jun2023]

Mobile T1420 File and Directory Discovery

During Operation Triangulation, the threat actors have obtained a list of files in a specified directory using the `fts` API.[SecureList OpTriangulation 21Jun2023]

Mobile T1634.001 Keychain (sub-technique)

During Operation Triangulation, the threat actors have dumped the device’s keychain.[SecureList OpTriangulation 21Jun2023][SecureList OpTriangulation 23Oct2023]

Mobile T1658 Exploitation for Client Execution

During Operation Triangulation, the threat actors sent iMessage messages with malicious exploits that executed without user interaction.[1][SecureList OpTriangulation 23Oct2023][SecureList OpTriangulation Dec2023] Additionally, the threat actors have used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.[SecureList OpTriangulation Dec2023]

Mobile T1437 Application Layer Protocol

During Operation Triangulation, the threat actors used HTTPS POST requests for C2 communication.[SecureList OpTriangulation 21Jun2023]

Mobile T1636.004 SMS Messages (sub-technique)

During Operation Triangulation, the threat actors have collected and exfiltrated SMS messages.[SecureList OpTriangulation 23Oct2023]

Mobile T1429 Audio Capture

During Operation Triangulation, the threat actors used a microphone-recording module.[SecureList OpTriangulation 23Oct2023]

Mobile T1521.002 Asymmetric Cryptography (sub-technique)

During Operation Triangulation, the threat actors used RSA to encrypt C2 communication.[SecureList OpTriangulation 21Jun2023]

Mobile T1575 Native API

During Operation Triangulation, the threat actors used the Audio Queue API to record audio.[SecureList OpTriangulation 23Oct2023][SecureList OpTriangulation Dec2023]

Mobile T1409 Stored Application Data

During Operation Triangulation, the threat actors have collected and exfiltrated data from WhatsApp and Telegram.[SecureList OpTriangulation 23Oct2023]

Mobile T1426 System Information Discovery

During Operation Triangulation, the threat actors collected device and user information.[1]

Associated objects

Groups, software, and campaigns

Malware (Mobile)

S1215: Binary Validator

Binary Validator is a Mach-O binary file used during Operation Triangulation.[1] Binary Validator first collects information about the device, such as the device's phone number and a list of installed applications, before the deployment of the TriangleDB implant. After the actions are completed and the data is collected, Binary Validator encrypts and sends the data to the C2 server, and in turn, the C2 server sends the TriangleDB implant.

Platforms: iOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 154ec43352880039...

Imported snapshots across ATT&CK releases (1):
Release 19.1 | Object version 1.0 | Status: Current bundle | Raw hash 154ec4335288…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] SecureList OpTriangulation 01Jun2023: Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.
  [2] mitre-attack C0054.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.