
Gallium

Gallium is an exploit/component name associated with the Coruna iPhone exploitation framework and with the 2023 iOS espionage campaign Operation Triangulation. Reporting links Gallium to CVE-2023-38606, described as a hardware-focused weakness used to bypass Apple's Page Protection Layer (PPL) and affecting iOS versions roughly spanning 14.x through 16.6. Google and other reporting state that Coruna reused internal exploits named Photon and Gallium, and that these were previously used as zero-days in Operation Triangulation.

Coruna is described as a 23-component iOS exploit toolkit targeting iPhones running iOS 13 through 17.2.1, combining WebKit memory-corruption flaws, sandbox escapes, privilege escalation, and PPL bypasses. In 2025, Coruna was reportedly observed in highly targeted operations: in watering-hole attacks by Russian-linked UNC6353 against Ukrainian iPhone users via compromised Ukrainian websites, and later in financially motivated campaigns by a China-linked cluster, UNC6691, using fraudulent cryptocurrency and finance-themed sites.

A separate mention states that GALLIUM packed some payloads using different known and custom packers. High-confidence indicators directly mentioned include the exploit name Gallium, its linkage to CVE-2023-38606, and its association with Coruna and Operation Triangulation.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2023-38606: Apple kernel sensitive state modification / PPL bypass in iOS and macOS

"Gallium" is linked to CVE-2023-38606, a hardware-focused weakness used to bypass Apple's Page Protection Layer (PPL).

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.004 Develop Capabilities: Exploits (evidence: 1)

"Operation Zero... offers millions of dollars in exchange for zero-day exploits"; "Photon and Gallium... were used as zero-days"

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 3)

"two specific Coruna exploits and underlying vulnerabilities, called Photon and Gallium... were used as zero-days in Operation Triangulation"; "Coruna was designed to hack iPhone models running iOS 13 through 17.2.1"

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.