iPhone iOS is under attack from cybersecurity threat actors. Shockingly, two exploit kits aimed at iOS have been discovered in the last month, triggering a discussion on spyware in the intelligence community.
Google Threat Intelligence Group (GTIG) uncovered a new exploit kit targeting Apple iOS devices, iOS versions 18.4 through 18.7, in March. The exploit kit is codenamed DarkSword, and researchers traced its use back to November 2025.
It’s not the first of its kind. Earlier, on March 3rd, Google announced the discovery of Coruna, a similar exploit chain. Coruna targeted iOS versions from 13.0 through 17.2.1. Research revealed it packs 23 vulnerabilities for full payload injection, also known as full insertion of a malicious component.
What does this mean for iPhone users? How can you avoid becoming a victim? As a curious tech marketer, I dug into everything you need to know about Coruna and DarkSword.
First, What is Coruna and DarkSword?
Coruna is a full-exploit kit packed with 5 iOS exploit chains and 23 vulnerabilities. It uses various techniques to retrieve sensitive data from victims.
DarkSword is a more advanced version of Coruna spyware. It chains six vulnerabilities, including three zero-days. Zero-days are security flaws unknown to developers at discovery. This kit attacks iOS 18.4 to 18.7, September 2025 iOS releases.
According to Lookout, “DarkSword appears to take a ‘hit-and-run’ approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup.”
How Does DarkSword and Coruna Work?
Attacks like DarkSword and Coruna require little or no effort from the user. They lure users to malicious or compromised websites that mimic trusted apps. One simple click from the victim triggers a malicious JavaScript in Safari.
Coruna and DarkSword compromise Apple iOS devices by chaining multiple vulnerabilities to bypass the Safari browser sandbox. Afterward, the spyware gains kernel-level access or full control to steal sensitive data which it sends to remote servers controlled by hackers.
Here’s a breakdown of how it works:
- It lures targets to a malicious website.
- The exploit probes the device to identify vulnerable components
- It exploits bugs in Safari and other apps to gain an initial foothold
- It escalates privileges to gain full control over the core iOS operating system
- Finally, it installs malware (malicious software) that runs in the background to spy on the user.
How to Protect Your iPhone from Attacks?
Sophisticated iPhone hacking tools are scary. I’ll provide some practical steps to protect your device from Coruna and Darksword:
Update Your iOS
These exploit kits leverage unpatched vulnerabilities. So, always update your iOS as often as possible. Outdated versions are susceptible to attacks.
Also, keep your apps updated to neutralize the chance of any backdoors (hidden ways to bypass security) for side-loaded malware (malicious software installed from unofficial sources).
Audit Privacy Settings and Background App Activity
Review your iPhone Privacy settings to see which apps have access to features, like the camera or location. In fact, gatekeep access to all your sensitive data as much as you can. Revoke permissions for any apps you don’t fully trust.
I’ll also suggest you pay close attention to your iPhone to check for suspicious background activity. A rapidly draining iPhone could be an indication of malware running on your device.
Enable Auto-Updates
Turn on the auto-update setting. This ensures you get critical security fixes as soon as they are available. Even if you’re too busy to update, you’ll still be protected.
Enable lockdown mode
If you suspect a sophisticated threat is targeting you, activate Apple’s new Lockdown Mode. Lockdown mode is an optional, extreme protection mode. It strictly limits what your apps do and blocks common exploit vectors. This makes it much harder for tools like DarkSword to exploit your device.
Avoid unsolicited links or files
Most importantly, avoid untrusted links or attachments. Coruna spreads through malicious websites and phishing attempts. Also, avoid connecting to public Wi-Fi networks. Attacks may redirect your traffic to an exploit kit. Block ads to prevent malvertising attacks. If you run a business with an active newsletter, consider switching to one of the most secure email providers to reduce phishing risks.
Who Is Behind These Threats?
It’s difficult to isolate a single actor. However, Google Threat Intelligence Group traced the earliest use of Coruna to clients of an undisclosed surveillance vendor targeting high-value devices.
Subsequently, the toolkit circulated. After which, it championed the cyberattack used by UNC6353, a Russian espionage group, against Ukrainians. UNC6353 repurposed trusted websites into watering holes, creating a channel to compromise a legitimate site often used by Ukrainians.
Later in 2025, UNC6691, a group in China, used it as part of a broader campaign to commit financial scams, including cryptocurrency fraud. These scams often exploit the same AI-driven marketing tactics legitimate businesses use, but for malicious purposes.
Actors Behind DarkSword
Shortly after Coruna, DarkSword was discovered with updated antics. iVerify researchers tracked the early exploits back to a threat cluster known as UNC6748. These new actors delivered attacks through spoofed Snapchat messages on a site called SnapShare chat. Their main targets were Saudi Arabian users.
Afterward, some Turkey-based threat actors tied to PARS Defense targeted users across Turkey and Southeast Asia.
While studying Coruna and DarkSword, researchers noted overlaps with kits traced back to earlier systems. For instance, an analysis linked some parts of the exploit kits to techniques seen in the Russians’ earlier ‘Triangulation campaign.’
Regardless of the origin, one scary truth remains: it’s spreading.
Following the leakage of a newer version of DarkSword on GitHub, the full-chain exploit is now in the wild. The co-founder of iVerify commented on this incident, revealing that this leak makes the vulnerabilities easy to repurpose.
In other words, any criminal out there can easily deploy it. This is part of a broader pattern in technology trends for 2025, where powerful tools become accessible to multiple bad actors faster than ever.
That brings me to the question:
What has Apple Done About It?
Apple has taken a proactive move to curb the spread of DarkSword and Coruna. As soon as Google and iVerify sounded the alarms, they patched DarkSword flaws across iOS 18.7.1, iOS 26.3, and later builds. Those fixes started rolling in by late March 2026.
Apple also got to work with Coruna’s 23 exploits. They backported patches to older versions, going against the norm. This covered iOS 15.8.7, iPadOS 16.7.15. Finally, Apple warned its users currently using iOS 13 or 14 to update to iOS 15 to receive maximum protection.
With black-market leaks threatening millions, Apple took action to fix dead software. Apple also went the extra mile to fix Lockdown mode. Now, it blocks JavaScript lures that both spywares use to initiate an attack. Once you turn it on, the exploit chain breaks before the final stage.
In addition, Apple increased its bug bounty program to $2 million for reporting zero-click exploits that take over iPhones without user interaction.
Do I need iOS 26 to Avoid These Attacks?
Preferably, yes. But in the case where you don’t want to upgrade, the Lockdown mode is an option. It offers extreme defense for rare top-level attacks like Coruna and DarkSword.
By blocking out the initiation techniques for these attacks, Lockdown Mode stops these exploit kits cold. According to Apple, there has been no successful bypass since this update.
To activate it, follow these steps:
- Open settings
- Tap privacy & security.
- Scroll down and click lockdown mode.
- Select “On” then restart your phone and enter your passcode.
Is my iPhone Vulnerable to DarkSword or Coruna?
No, unless you still use the older, unpatched versions of iOS, specifically, 18.4 through 18.7.
Apple confirmed that the latest versions of iOS 15 through 26 are protected from these full-kit exploits. To know if your iPhone is vulnerable, check your current version.
If you use an unpatched version, you are one of the millions of vulnerable users across the world.
Update to the latest iOS 26.3.1 or iOS 18.7.6 to ensure maximum safety from these attacks.
As an iPhone User…
Stay safe. Cybersecurity threats are growing by the day. While threat actors keep seeking ways to exploit their victims, adopt healthy security habits. It keeps you safe from such vulnerabilities. If you’d love updates on technology and marketing trends, keep an eye out for my posts!