iPhone Hacking Toolkits 'Coruna' and 'DarkSword' Proliferate, Prompting Apple Policy Change and Security Updates

The Rise of Sophisticated iPhone Hacking Tools: Coruna and DarkSword

Security researchers have identified two sophisticated iPhone hacking toolkits, "Coruna" and "DarkSword," that can compromise iOS devices when a user visits a malicious website. The tools have reportedly been used by suspected state-sponsored actors, commercial surveillance vendors, and cybercriminal organizations globally. Their proliferation, including the public leak of components, has prompted Apple to release emergency security updates for older iOS versions and to change its update policy so that capable devices receive patches for previous operating system releases.

The discovery of Coruna and DarkSword highlights a growing threat landscape, with sophisticated tools now accessible to a wider range of malicious actors.

Coruna: A Deep Dive into its Discovery and Exploits

Google security researchers first reported on a sophisticated iPhone hacking toolkit, which they named "Coruna." This toolkit comprises five hacking techniques designed to bypass iPhone defenses and install malware silently when users visit a malicious website. Coruna exploits 23 distinct iOS vulnerabilities and has been observed affecting iPhones running iOS 13 through iOS 17.2.1.

Initial reports from Google in February indicated components of Coruna were used by a "customer of a surveillance company." Months later, a more complete version of Coruna was observed in an alleged espionage campaign by a suspected Russian spy group, embedded in Ukrainian websites' visitor-counting components. Subsequently, Coruna was utilized in a profit-driven hacking campaign targeting Chinese-language cryptocurrency and gambling sites to steal digital assets.

Mobile security company iVerify suggested the toolkit may have originated with or been acquired by the US government, noting similarities to previously identified US hacking tools and code written by English-speaking developers. Both Google and iVerify highlighted that Coruna shares components with "Triangulation," an operation targeting Kaspersky in 2023, which the Russian government attributed to the US National Security Agency (NSA). The US government has not publicly responded to this claim. Reports indicate that a former executive of the US defense contractor L3Harris Trenchant, Peter Williams, pleaded guilty to selling the company's hacking tools, including Coruna, to a Russian broker.

DarkSword Emerges: A New Threat and its Capabilities

Following the identification of Coruna, security researchers from Google, iVerify, and Lookout jointly announced the discovery of "DarkSword," a second sophisticated iPhone hacking technique. DarkSword has been actively used by multiple threat actors since at least November 2025. It targets iPhones running iOS versions from 18.4 to 18.7, as well as iOS 26 prior to version 26.3.

DarkSword is described as a complete exploit chain and infostealer written in JavaScript.

It leverages six different vulnerabilities, including three zero-days (CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174), to deploy three payloads. The attack chain involves bypassing the WebContent sandbox, injecting into system daemons, deploying dataminer malware (GHOSTBLADE), and utilizing an orchestrator module to harvest and exfiltrate sensitive data.

Data collected by DarkSword includes device credentials, cryptocurrency wallet data, emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar, cellular and SIM information, installed app lists, and message histories from applications such as Telegram and WhatsApp.

Campaigns utilizing DarkSword have been observed targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Actors include commercial surveillance vendors, suspected state-sponsored groups (such as UNC6353, a suspected Russian espionage group also linked to Coruna), UNC6748, and the Turkish commercial surveillance vendor PARS Defense. DarkSword was found embedded in legitimate Ukrainian websites, including news outlets and a government agency site, to collect data from visitors' phones.

The Proliferation and "Second-Hand" Exploit Market

Both Coruna and DarkSword employ "watering hole" attacks, where compromised or malicious websites automatically infect vulnerable devices that visit them. The methods of deployment suggest that these sophisticated hacking tools, regardless of their origin, have become available "in the wild."

Researchers point to an emerging market for "second-hand" exploits, where tools initially developed for government or specific high-value targets are reportedly sold to other actors, leading to their broader adoption by cybercriminals and other hacker groups. A newer version of DarkSword has reportedly been leaked on GitHub, with researchers noting that the code, consisting of HTML and JavaScript files, is uncomplicated to deploy and requires no specialized iOS expertise. This public availability is anticipated to facilitate wider deployment by criminals.

Apple's Response and Affected Devices

These exploit kits primarily target iPhones and iPads running older iOS versions. While Apple's latest operating system, iOS 26 (released in September), protects against these campaigns, approximately one-quarter to one-third of all iPhone and iPad users continue to operate on iOS 18 or older versions, leaving hundreds of millions of devices potentially vulnerable.

In response to the threats posed by Coruna and DarkSword, Apple has issued security updates. Notably, Apple modified its long-standing policy regarding iOS security updates, now offering patches for older operating system versions (like iOS 18) even for devices capable of running the latest iOS 26. This "backporting" of patches aims to provide critical security protections to users who have not updated to the newest OS version. Apple previously provided similar patches for the Coruna exploit kit in early March.

Apple advises all users to keep their software updated, emphasizing it as the most critical step for maintaining device security. The company also notes that devices with Lockdown Mode enabled are protected from these specific attacks. Specific updates recommended include iOS 18.7.6 or iOS 26.3.1.
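For teams that manage a device fleet, the version ranges and recommended updates reported in this article can be turned into a quick inventory triage. The following is an added example, not code from Apple or the researchers; the device names are constructed, and treating 18.7.x releases below 18.7.6 as inside the DarkSword range is an assumption.

```python
from collections import Counter

# Version ranges as reported in this article.
CORUNA = ((13, 0, 0), (17, 2, 1))        # iOS 13 through 17.2.1, inclusive
# Assumption: "18.4 to 18.7" covers 18.7.x point releases below the
# recommended 18.7.6, so the upper bound is exclusive at 18.7.6.
DARKSWORD_18 = ((18, 4, 0), (18, 7, 6))
DARKSWORD_26 = ((26, 0, 0), (26, 3, 0))  # iOS 26 prior to 26.3 (exclusive)
RECOMMENDED = {18: (18, 7, 6), 26: (26, 3, 1)}  # updates named in the article

def parse_version(text):
    """Turn '18.6' or '17.2.1' into a 3-tuple; return None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """Map one OS version string to a triage label."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # inventory data needs manual follow-up
    if CORUNA[0] <= v <= CORUNA[1]:
        return "coruna-range"
    if (DARKSWORD_18[0] <= v < DARKSWORD_18[1]
            or DARKSWORD_26[0] <= v < DARKSWORD_26[1]):
        return "darksword-range"
    target = RECOMMENDED.get(v[0])
    if target and v < target:
        return "update-recommended"  # below the recommended build for its branch
    return "outside-reported-ranges"

def triage(inventory):
    """inventory: iterable of (device_id, os_version) pairs from an MDM export."""
    results = {dev: classify(ver) for dev, ver in inventory}
    return results, Counter(results.values())

# Constructed sample inventory (not real devices).
SAMPLE = [("phone-01", "16.7.2"), ("phone-02", "18.6"), ("phone-03", "18.7.6"),
          ("tablet-04", "26.2"), ("phone-05", "26.3.1"), ("phone-06", "18.x")]

if __name__ == "__main__":
    per_device, summary = triage(SAMPLE)
    for dev, status in per_device.items():
        print(f"{dev}: {status}")
    print(dict(summary))
```

A label of "outside-reported-ranges" only means the version is not in the ranges this article lists; it says nothing about Lockdown Mode or other vulnerabilities.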

Security Implications and Expert Concerns

The discovery and proliferation of Coruna and DarkSword raise concerns among cybersecurity experts regarding mobile device security. Some experts suggest that the barrier to widespread mobile attacks has lowered, and that iPhone attacks might be more pervasive than previously understood.

The existence of a "second-hand" market for exploits creates financial incentives for developers and brokers to sell exploits multiple times, even after vulnerabilities have been patched, impacting users who do not immediately update their devices.

This trend highlights a potential divergence in security tiers, with newer iPhone models benefiting from advanced features like Memory Integrity Enforcement that mitigate memory corruption bugs, while older models remain susceptible.