
S1216 TriangleDB

TriangleDB is an implant written in Objective-C, deployed after Binary Validator and after root privileges have been obtained in Operation Triangulation's infection chain. Upon execution, TriangleDB communicates with the C2 server, relaying information about the victim device.[1]

ID: S1216
Associated Names: -
Type: MALWARE
Version: 1.0
Created: 27 March 2025
Last Modified: 02 April 2025

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| mobile | T1634 | Credentials from Password Store | - |
| mobile | T1634.001 | Keychain | TriangleDB has extracted the device's keychain.[1] |
| mobile | T1533 | Data from Local System | TriangleDB has collected and exfiltrated files.[1] |
| mobile | T1521 | Encrypted Channel | - |
| mobile | T1521.001 | Symmetric Cryptography | TriangleDB has encrypted data using 3DES.[1] |
| mobile | T1521.002 | Asymmetric Cryptography | TriangleDB has encrypted data using RSA.[1] |
| mobile | T1420 | File and Directory Discovery | TriangleDB has obtained a list of files using the fts API and has obtained files that match a specified regular expression.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | TriangleDB has deleted an implant module or specified files.[1] |
| mobile | T1544 | Ingress Tool Transfer | TriangleDB has loaded additional modules stored in memory.[1] |
| mobile | T1430 | Location Tracking | TriangleDB has monitored the device's geolocation, including coordinates, altitude, bearing and speed.[1] |
| mobile | T1644 | Out of Band Data | TriangleDB has used the Protobuf library for command and control communication.[1] |
| mobile | T1424 | Process Discovery | TriangleDB has collected a list of running processes.[1] |
| mobile | T1418 | Software Discovery | TriangleDB has obtained a list of installed applications.[1] |
| mobile | T1422 | System Network Configuration Discovery | TriangleDB has collected and sent information on the device's IMEI, MEID, serial number and other device information.[1] |

References