Security researchers have discovered a series of cyberattacks targeting Apple customers around the world. The tools used in these hacking campaigns, called Coruna and DarkSword, have been used by both government spies and cybercriminals to steal data from people’s iPhones and iPads.
Widespread hacks targeting iPhone and iPad users are rare. The only precedent in the past decade is China’s attacks on Uyghur Muslims and the people of Hong Kong.
Now, some of these powerful hacking tools have leaked online, potentially putting hundreds of millions of iPhones and iPads running outdated software at risk of data theft.
We break down what we know and don’t know about these latest iPhone and iPad hacking threats, and what you can do to stay protected.
What is Koruna and the Dark Sword?
Coruna and DarkSword are two sets of advanced hacking toolkits, each containing a variety of exploits that can infiltrate iPhones and iPads and steal personal data such as messages, browser data, location history, and cryptocurrencies.
Security researchers who discovered the toolkit say Coruna’s exploit could potentially hack iPhones and iPads running iOS 13 through iOS 17.2.1, released in December 2023.
However, Google security researchers studying the code say DarkSword contains an exploit that can hack iPhones and iPads on modern devices running iOS 18.4 and 18.7 released in September 2025.
But DarkSword’s threat is more immediate to the general public. Someone leaked a portion of DarkSword and published it on the code-sharing site GitHub, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS.
How do Coruna and DarkSword work?
These types of attacks are indiscriminate and dangerous by definition, as they can trap anyone who visits a particular website hosting malicious code.
inquiry
Want more information about DarkSword, Coruna, or other government hacking and spyware tools? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or by email.
In some cases, victims can be hacked simply by visiting a legitimate website that is under the control of a malicious hacker.
Once a victim is initially infected, Coruna and DarkSword can exploit several vulnerabilities in iOS to give the hacker virtually complete control over the targeted device and steal an individual’s personal data. The data is then uploaded to a web server run by the hacker.
As TechCrunch previously reported, at least some of the Coruna toolkits were originally developed by Trenchant, the hacking and spyware division within US defense contractor L3Harris, which sells exploits to the US government and its key allies.
Kaspersky also linked two exploits in Coruna’s toolkit to Operation Triangulation, a complex government-sponsored cyberattack allegedly carried out against iPhone users in Russia.
After Trenchant developed Coruna, it is unclear how these exploits ended up in the hands of Russian spies and Chinese cybercriminals, perhaps through one or more intermediaries selling the exploits on underground markets.
Coruña’s trip showed once again that powerful hacking tools, including those developed for the United States under strict security restrictions, can be leaked and spread uncontrollably.
As an example, in 2017, an exploit developed by the U.S. National Security Agency that could remotely infiltrate Windows computers around the world was leaked online. The same exploit was later used in the devastating WannaCry ransomware attack, which indiscriminately hacked hundreds of thousands of computers around the world.
In the case of DarkSword, researchers have observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It remains unclear who originally developed DarkSword, how it was developed by various hacking groups, and how the tools ended up leaked online.
It is unclear who leaked it online to GitHub and made it public.
The hacking tools seen by TechCrunch are written in the web languages HTML and JavaScript, making them relatively easy to set up and self-host anywhere anyone wants to launch malicious attacks. (TechCrunch is not linking the tool to GitHub because it could be used for malicious attacks.) Researchers posting on X have already tested the leaked tool by hacking into their own Apple devices running vulnerable versions of the company’s software.
As Justin Albrecht, principal researcher at mobile security company Lookout, explained to TechCrunch, DarkSword is now “essentially plug-and-play.”
GitHub told TechCrunch that it has not removed the leaked code, but will preserve it for security review.
“GitHub’s Terms of Service prohibit posting content that directly supports illegal active attacks or malware campaigns that cause technical harm,” Jesse Geraci, GitHub’s online safety advisor, told TechCrunch. “However, we do not prohibit the posting of source code that could be used to develop malware or exploits, because publishing and distributing such source code has educational value and provides a net benefit to the security community.”
Is my iPhone or iPad vulnerable to DarkSword?
If you have an iPhone or iPad that’s not up to date, consider updating it now.
Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.
According to iVerify, “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1, which mitigates all vulnerabilities exploited in these attack chains.”
According to Apple’s own statistics, nearly one in three iPhone and iPad users are still not running the latest iOS 26 software. Apple touts more than 2.5 billion active devices worldwide, meaning there could be hundreds of millions of devices vulnerable to these hacking tools.
What if I can’t or don’t want to upgrade to iOS 26?
Apple also said that devices running Lockdown Mode, an opt-in additional security feature first introduced in iOS 16, will also block these specific attacks.
Lockdown mode is useful for journalists, dissidents, human rights defenders, and anyone who believes they or their work may be targeted.
Lockdown mode isn’t perfect, but so far there’s no public evidence that hackers have been able to circumvent its protections. (We asked Apple if that claim still holds true and will update if we hear back.) It turns out that lockdown mode thwarted at least one attempt to put spyware on a human rights defender’s phone.
Source link
