Security researchers have uncovered Coruna and DarkSword—sophisticated iPhone/iPad hacking toolkits now leaked online, potentially exposing hundreds of millions of outdated Apple devices to indiscriminate data theft attacks by anyone with basic technical skills.
Ex-Government Tools Turned Cybercriminal Weapons
Originally developed by Trenchant (part of U.S. defense contractor L3Harris), Coruna's exploits target iOS 13 through 17.2.1 (Dec 2023), while DarkSword hits the newer iOS 18.4 through 18.7 (Sep 2025). Both achieve full device compromise via zero-click website visits, exfiltrating messages, browser history, location data, and cryptocurrency wallets to attacker servers.
DarkSword's partial leak on GitHub transforms it into “plug-and-play” malware: HTML/JavaScript code that anyone can self-host on malicious websites. Researchers confirm successful tests against vulnerable Apple devices. GitHub is preserving the code, citing its security research value despite the active threat potential.
From US Military to Russian Spies, Chinese Hackers
Coruna's links trace to Operation Triangulation (Russian iPhone attacks) and to the targeting of Uyghurs in China. Kaspersky connects the toolkit's exploits to state-sponsored campaigns. Underground exploit markets explain the proliferation from tightly controlled U.S. government sales to global cybercriminals, echoing the leak of the NSA's EternalBlue, which enabled the WannaCry ransomware.
Attacks hit strategic regions. Website visitors unknowingly trigger multi-vulnerability chains that grant attackers persistent remote control. No user interaction is required: legitimate sites that have been compromised silently ensnare victims.
Apple: Update to iOS 26.3.1 or Enable Lockdown Mode
Apple confirms that its latest updates for iOS 15 through 26 patch all of the exploited flaws. iVerify urges an immediate upgrade to iOS 18.7.6 at minimum, or to iOS 26.3.1. Nearly 33% of the 2.5B+ active Apple devices run vulnerable software, per developer stats.
Opt-in Lockdown Mode (iOS 16+) blocks these specific attacks. Apple reports no successful spyware infections against devices with it enabled, including documented Pegasus blocks on activist phones. It is recommended for journalists, dissidents, and other high-risk targets despite usability tradeoffs.
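The version guidance above can be applied to a device inventory. The following triage script is an added example, not code from Apple, iVerify, or this article's author; the CSV columns, device names, and the rule of one minimum per release line (18.7.6 below iOS 26, 26.3.1 on iOS 26) are assumptions.

```python
import csv
import io

# Versions quoted in the article; one floor per release line is an assumption.
MIN_IOS_18 = (18, 7, 6)                     # iVerify minimum
MIN_IOS_26 = (26, 3, 1)                     # release named in the article
TOOLKIT_RANGES = {                          # inclusive bounds as quoted
    "Coruna": ((13, 0, 0), (17, 2, 1)),     # "iOS 13 through 17.2.1"
    "DarkSword": ((18, 4, 0), (18, 7, 0)),  # "iOS 18.4-18.7"
}
LOCKDOWN_MIN = (16, 0, 0)                   # Lockdown Mode is iOS 16+

def parse_version(text):
    """Turn '17.2.1' or '18.4' into a zero-padded tuple; ValueError on junk."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version_text):
    """Return (status, toolkit, action) for one reported OS version."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", None, "verify manually")
    floor = MIN_IOS_26 if v[0] >= 26 else MIN_IOS_18
    if v >= floor:
        return ("ok", None, "none")
    # Name the toolkit only when the version sits inside a quoted range.
    toolkit = next((name for name, (lo, hi) in TOOLKIT_RANGES.items()
                    if lo <= v <= hi), None)
    lockdown = "; enable Lockdown Mode until updated" if v >= LOCKDOWN_MIN else ""
    return ("below-minimum", toolkit, "update" + lockdown)

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_CSV = """device,os_version
ipad-lab-01,15.8
iphone-exec-02,17.2.1
iphone-fin-03,18.5
iphone-ops-04,18.7.6
iphone-dev-05,26.2
kiosk-07,n/a
"""

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: triage(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, result in triage_inventory(SAMPLE_CSV).items():
        print(device, *result, sep="\t")
```

Versions below the minimum but outside both quoted ranges are still flagged, with no toolkit named, because the article gives affected ranges only for the two toolkits.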
Unlike targeted SMS/iMessage exploits, Coruna and DarkSword weaponize everyday browsing. Compromised legitimate sites trigger automatic infection chains that exploit multiple iOS flaws simultaneously. Data uploaded to the hackers' C2 servers enables identity theft, financial crimes, and surveillance.
Update Urgency: 1-in-3 Devices at Immediate Risk
With DarkSword publicly available, mass exploitation looms. Apple historically patches rapidly post-disclosure, but devices that are not updated remain permanently exposed. Security firms warn of imminent criminal campaigns targeting high-value victims (crypto holders, executives) via watering hole attacks.
Coruna's journey, from U.S. military contractor to Russian/Chinese operations, demonstrates inevitable tool leakage regardless of origin. The precedent of historical NSA exploits becoming ransomware underscores why governments and criminals alike weaponize Apple-targeted zero-days.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.