This week Apple urged iPhone owners to install the latest updates after new technical research showed two exploit kits, nicknamed DarkSword and Coruna, were used in widespread campaigns to hijack phones running older versions of iOS. Security firms Google, iVerify and Lookout published findings this month showing the tools can grant deep remote access to victims’ devices and extract sensitive data. Apple says iOS 26, released in September, defends against these specific toolsets and last week issued a special patch for older devices that cannot run the full iOS 26 upgrade. The company reiterated that keeping software current is the most effective defense for users.
Key Takeaways
- Researchers from Google, iVerify and Lookout disclosed two exploit kits — DarkSword and Coruna — this month that can take over iPhones running outdated iOS versions.
- iVerify reported DarkSword can harvest Wi‑Fi passwords, texts, call logs, location history, browser records, SIM/cellular data and databases such as health, notes and calendars.
- Targets identified include Ukrainians reportedly targeted by Russian intelligence, Chinese cryptocurrency users, and people in Saudi Arabia, Turkey and Malaysia.
- No research team reported confirmed U.S. civilian targets, but experts warn any device not updated is at risk.
- Apple released iOS 26 in September; last week it issued a security-only update for older devices that cannot run iOS 26.
- Coruna’s provenance traces to tools sold by Peter Williams of L3Harris, who pleaded guilty last year; DarkSword’s origin remains unknown.
- Both campaigns rely on watering‑hole infections that deliver code through compromised or malicious websites.
Background
Apple’s iPhone platform has long been seen as comparatively resistant to mass exploitation, largely because of the company’s closed ecosystem and regular security updates. Despite that reputation, the mobile threat landscape has evolved: sophisticated commercial and state actors now sell or repurpose exploit chains that lower the technical barrier for large‑scale attacks. Exploit kits like DarkSword and Coruna stitch together multiple vulnerabilities to move from a web visit to full device compromise.
Watering‑hole attacks — where an attacker places exploit code on websites frequented by target groups — have been a favored distribution method because they can infect visitors automatically when a vulnerable browser or WebKit engine handles crafted content. Parallel trends include the growth of commercial surveillance vendors and documented cases of offensive tools being sold or leaked from defense contractors, which can accelerate dissemination beyond the original operator.
Main Event
This month Google, iVerify and Lookout published technical reports describing two separate exploit chains active in several campaigns. Both toolsets are designed to exploit older iOS versions and provide remote, persistent access that enables sweeping data collection. Researchers observed the campaigns use specially prepared or compromised websites to deliver the first-stage exploit, after which additional modules escalate privileges and exfiltrate data.
iVerify described DarkSword as a surveillance-oriented kit capable of pulling a broad range of personal data. Google’s analysis traced Coruna to tools sold by a former L3Harris cyber executive, which were then adapted and deployed by actors linked to Russian intelligence in operations targeting Ukrainians last summer. By December, Google said, the same toolkit had been used by Chinese-aligned cybercriminal groups in campaigns aimed at cryptocurrency users.
Apple responded by confirming the toolsets can only succeed on devices running older iOS versions and noting that iOS 26 mitigates the specific exploits cited. In an uncommon move for older hardware, Apple pushed a targeted security update last week for devices that cannot upgrade to iOS 26, explicitly to block the vulnerabilities researchers described.
Analysis & Implications
The disclosures show a convergence of three worrying trends: the commercialization and resale of offensive cyber tools, the replication of state-level capabilities into criminal hands, and the persistent population of devices that remain unpatched. When exploit chains are modular and sold to multiple actors, attribution becomes harder and attacks can spread quickly across different geographies and victim types.
Cryptocurrency holders are especially attractive targets because stolen assets can be moved rapidly and irretrievably. The reports indicate Chinese-linked actors created large sets of fake finance-related sites to lure crypto users; combined with watering‑hole delivery, that makes opportunistic mass exploitation feasible. For high‑value populations—journalists, activists, dissidents in conflict zones—state actors’ use of such tools raises serious safety concerns.
At the ecosystem level, these campaigns expose detection gaps. Several researchers noted that many of the telemetry signals for this kind of silent compromise are hard to capture with conventional endpoint tools, meaning infections can go unnoticed for extended periods. That amplifies the public‑health‑style urgency for broad and timely patch adoption.
Comparison & Data
| Tool | Observed Users/Regions | Likely Operator(s) | Known Origin/Notes |
|---|---|---|---|
| Coruna | Ukraine; later Chinese crypto targets | Russian‑linked actors; Chinese cybercriminals (later) | Linked to tools sold by Peter Williams (L3Harris); used last summer |
| DarkSword | Ukraine, Malaysia, Saudi Arabia, Turkey | Russian intelligence unit; commercial surveillance vendors | Origin unknown; observed in multiple variants since November |
The table summarizes public reporting: Coruna has a clearer provenance tied to a known sale of offensive tools, while DarkSword’s roots remain unestablished. Both rely on watering‑hole delivery, and researchers say deployments began in mid‑to‑late 2023 and evolved into 2024 activity. These timelines matter for defenders assessing whether ongoing infections are new compromises or remnants of earlier intrusions.
Reactions & Quotes
Industry and academic voices framed the reports as a warning that owning an iPhone is not by itself a sufficient defense.
“DarkSword appears to be a surveillance and intelligence‑gathering tool, sweeping data across many categories including passwords, messages and health databases,”
iVerify (security firm)
Researchers emphasized that the campaigns lower the barrier to devastating mobile attacks.
“The barrier to entry for widespread, devastating mobile attacks has been decisively lowered,”
John Scott‑Railton, Citizen Lab senior researcher
Apple reiterated standard guidance while explaining its update actions.
“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,”
Sarah O’Rourke, Apple spokesperson
Unconfirmed
- Precise origin of DarkSword remains unestablished; public reporting has not linked it conclusively to a single developer or vendor.
- Scope of infections outside the reported countries is unknown; researchers did not publish a comprehensive global victim list.
- While no U.S. targets were publicly reported by the research teams, absence of evidence is not evidence of absence for vulnerable American devices.
Bottom Line
The immediate practical takeaway is simple and concrete: update vulnerable iPhones. iOS 26 and the special security patch Apple released last week address the specific exploits described by researchers, and devices that remain on older software are at substantially higher risk. For individuals, organizations and defenders, prioritizing patch deployment and adopting additional detection controls for web‑delivered exploits are essential steps.
Longer term, the incident highlights systemic challenges: resale of offensive tools, diminished attribution clarity as tools proliferate, and the persistent population of unpatched devices. Policymakers, vendors and enterprises will need to coordinate on controls, transparency and disclosure practices to reduce the likelihood that sophisticated toolsets can be repackaged into widespread criminal use.
Sources
- NBC News (news report summarizing research and vendor responses)
- Google Threat Analysis / security research (company research and technical disclosures)
- Lookout (security firm research and advisories)
- Citizen Lab (academic cybersecurity research and expert commentary)
- Apple Support (official security updates and guidance)