Security researchers have discovered a new wave of cyberattacks targeting Apple users globally. The hacking tools, named Coruna and DarkSword, have been employed by government agencies and cybercriminals to extract data from iPhones and iPads.
Wide-reaching attacks against iPhone and iPad users are uncommon. In the past ten years, notable incidents include cyber assaults on Uyghurs in China and people in Hong Kong.
Recently, parts of these potent hacking tools have appeared online, putting millions of outdated Apple devices at risk of data theft.
We’re diving into the knowns and unknowns of these threats and how you can stay safe.
What are Coruna and DarkSword?
Coruna and DarkSword are advanced hacking toolkits with various exploits to breach Apple devices and access personal information, including messages, browsing history, location, and cryptocurrencies.
Coruna targets iPhones and iPads running iOS 13 to iOS 17.2.1, while DarkSword focuses on iOS 18.4 and 18.7. DarkSword is the more immediate threat, as parts of it have leaked on GitHub, making it simple for anyone to use the malicious code against Apple users running older iOS versions.
How do Coruna and DarkSword work?
These attacks are inherently dangerous because they can trap anyone visiting infected websites. Often, users can be compromised by merely accessing a site controlled by hackers.
Coruna and DarkSword exploit several iOS vulnerabilities to remotely take control of devices and steal private data, which is then uploaded to hacker-run servers.
Part of Coruna’s code, initially crafted by U.S. defense contractor L3Harris’s Trenchant unit, was reportedly used in Operation Triangulation against Russian iPhone users and may have circulated through intermediaries to Russian and Chinese operators. The circulation of such tools underscores how controlled hacking tech, even from the U.S., can slip into unintended hands.
In 2017, a similar incident occurred when a U.S. NSA-developed exploit leaked and fueled the global WannaCry ransomware attack.
DarkSword’s exploits have been used against users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. Its origins remain mysterious, as do the circumstances of its leak to GitHub.
The hacking tools on GitHub are easy to modify and use, which raises the risk of further attacks. GitHub has opted not to remove the code, citing its educational benefits for security research.
Is my iPhone or iPad vulnerable to DarkSword?
Ensure your device is updated to the latest iOS version. Apple states that the latest releases of iOS 15 through iOS 26 are secure.
To mitigate these threats, it’s wise to upgrade to iOS 18.7.6 or iOS 26.3.1, according to iVerify. However, one-third of Apple users might still be running vulnerable software versions, which, given the billions of active Apple devices worldwide, leaves numerous devices exposed.
What if I can’t or don’t want to upgrade to iOS 26?
Lockdown Mode, introduced in iOS 16, provides additional protection against such attacks and is designed for high-risk individuals like journalists and activists. No breach of Lockdown Mode’s defenses has been reported, though it has limitations. Lockdown Mode has thwarted at least one spyware attempt and remains a robust defense layer.
