Recent research has revealed a concerning wave of cyberattacks targeting Apple customers globally. The hacking tools employed in these campaigns, identified as Coruna and DarkSword, are being utilized by both government entities and cybercriminals to extract sensitive information from iPhones and iPads.
Such widespread attacks aimed at iPhone and iPad users are uncommon. In the past decade, notable incidents were limited to attacks on Uyghur Muslims in China and certain individuals in Hong Kong.
Currently, portions of these sophisticated hacking tools have surfaced online, which may jeopardize the security of hundreds of millions of iPhones and iPads running outdated software.
This article will delve into the specifics of the latest hacking threats against iPhone and iPad users and provide guidance on how to enhance security.
Understanding Coruna and DarkSword
Coruna and DarkSword represent two advanced hacking frameworks equipped with various exploits that can breach iPhones and iPads to capture critical data, including messages, browsing history, location data, and information related to cryptocurrencies.
According to security experts, Coruna’s exploits target devices running iOS versions 13 through 17.2.1, the latter of which became available in December 2023.
Conversely, DarkSword is effective against newer devices operating on iOS versions 18.4 and 18.7, released in September 2025, as indicated by Google security researchers examining the code.
The risk associated with DarkSword is particularly pressing for the general populace. A segment of this toolset was leaked on GitHub, allowing malicious actors to easily access and deploy the code against Apple users with outdated iOS versions.
Mechanisms Behind Coruna and DarkSword
These attack methodologies are inherently indiscriminate, jeopardizing anyone who happens to navigate to a website compromised with malicious code.
Victims may find themselves hacked merely by visiting a seemingly legitimate website manipulated by attackers.
Once initial access is gained, Coruna and DarkSword exploit numerous vulnerabilities within iOS, granting hackers near-complete control over the infected device and enabling them to capture private data. This stolen information is subsequently exfiltrated to a web server operated by the hackers.
Sections of the Coruna toolkit, as previously reported, were initially developed by Trenchant, a hacking and spyware division within the U.S. defense contractor L3Harris. This unit provides exploits to the U.S. government and its key allies.
Kaspersky has also identified two exploits affiliated with Coruna’s toolkit, linking them to Operation Triangulation, a sophisticated cyberattack allegedly executed against Russian users of iPhones.
How Coruna's exploits reached Russian spies and Chinese cybercriminals after Trenchant produced them remains unclear; the route potentially involved intermediaries who distribute exploits within the underground market.
The proliferation of Coruna highlights a persistent issue: potent hacking tools, initially designed under stringent secrecy, can leak and proliferate uncontrollably. A significant instance occurred in 2017 when an exploit from the U.S. National Security Agency capable of infiltrating Windows systems worldwide was leaked online, culminating in the widespread WannaCry ransomware attacks.
As for DarkSword, researchers have noted its application in attacks against users located in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. However, the origins of DarkSword, its connection to various hacking factions, and the circumstances surrounding its online leak remain unclear.
It is also uncertain who was responsible for the leak on GitHub and the motives behind it.
The exposed hacking tools, which TechCrunch has reviewed, are developed using HTML and JavaScript, making them relatively simple to configure and self-host for anyone wishing to initiate malicious attacks. Although TechCrunch refrains from linking to GitHub due to the potential for misuse, researchers have already verified the leaked tools by testing them on their Apple devices running vulnerable iOS versions.
Justin Albrecht, principal researcher at mobile security firm Lookout, described DarkSword as “essentially plug-and-play.”
GitHub has indicated to TechCrunch that it has decided against removing the leaked code and will keep it accessible for security research purposes. GitHub’s online safety counsel stated, “Posting source code that could be utilized to develop malware has educational value and ultimately benefits the security community.”
Assessing Vulnerability of iPhones and iPads to DarkSword
If you own an iPhone or iPad that is not running the latest software, it is advisable to update it promptly.
Apple has confirmed to TechCrunch that users with access to the latest versions of iOS 15 through iOS 26 are already shielded from these threats.
As per iVerify, “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1 to mitigate all vulnerabilities exploited in these attack chains.”
Apple’s statistics reveal that nearly one-third of iPhone and iPad users are still operating on outdated iOS 26 versions. This equates to potentially hundreds of millions of devices vulnerable to hacking, considering Apple has over 2.5 billion active devices globally.
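For administrators who need to apply these figures to more than one device, the following added example (not part of the original article) triages a device inventory against the version numbers quoted above. The CSV column names, device names and sample versions are constructed for illustration.

```python
import csv
import io

# Figures taken from the article text above.
CORUNA_MIN, CORUNA_MAX = (13, 0, 0), (17, 2, 1)   # "iOS versions 13 through 17.2.1"
RECOMMENDED = {18: (18, 7, 6), 26: (26, 3, 1)}    # iVerify's recommended updates


def parse_version(text):
    """Turn '18.7' into (18, 7, 0); return None for anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def triage(version_text):
    """Classify one reported OS version against the article's figures."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    # Numeric check only: confirm against Apple's current release for that major version.
    if CORUNA_MIN <= v <= CORUNA_MAX:
        return "in-coruna-range"
    baseline = RECOMMENDED.get(v[0])
    if baseline is None:
        return "no-baseline-on-page"   # the article gives no figure for this branch
    return "ok" if v >= baseline else "below-recommended"


def triage_inventory(csv_text):
    """Map device name -> triage result for a CSV with 'device' and 'os_version' columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: triage(row["os_version"]) for row in reader}


# Constructed sample export; device names and versions are made up.
SAMPLE = """device,os_version
ipad-frontdesk,16.7
iphone-sales-03,17.2.1
iphone-exec-01,18.7.6
iphone-dev-07,18.4
ipad-lab-02,26.3
iphone-qa-11,17.5
iphone-old,beta-build
"""

if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE).items():
        print(f"{device:18} {status}")
```

Devices reported as `no-baseline-on-page` or `unparseable` need a manual check, since the article names recommended versions only for the iOS 18 and iOS 26 branches.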
Options for Users Unable or Unwilling to Upgrade to iOS 26
Apple has also noted that devices utilizing Lockdown Mode, an extra security feature introduced in iOS 16, can successfully block these specific attacks.
Lockdown Mode is designed for individuals such as journalists, activists, and others who may be at risk due to their identity or professional activities.
While Lockdown Mode is not infallible, there has been no substantiated evidence suggesting that hackers have managed to breach its defenses to date. Apple has been asked whether this claim still holds, and this article will be updated accordingly. Notably, Lockdown Mode has previously demonstrated its efficacy in preventing attempts to implant spyware on the devices of human rights defenders.
