{"id":30261,"date":"2026-04-17T14:20:08","date_gmt":"2026-04-17T13:20:08","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=30261"},"modified":"2026-04-17T14:20:08","modified_gmt":"2026-04-17T13:20:08","slug":"ios-exploits-darksword-and-coruna-in-mass-attacks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/30261\/","title":{"rendered":"The iPhone \u2014 invincible no more: a look at DarkSword and Coruna"},"content":{"rendered":"<p>DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn\u2019t have to lose sleep over their data security. Protection was really only a major concern for a narrow group \u2014 politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data \u2014 who might be targeted by foreign intelligence agencies. We\u2019ve <a href=\"https:\/\/www.kaspersky.com\/blog\/predator-spyware-ios-recording-indicator-bypass\/55463\/\" target=\"_blank\" rel=\"noopener nofollow\">covered sophisticated spyware<\/a> used against such a group before \u2014 noting how hard to come by those tools were.<\/p>\n<p>However, DarkSword and Coruna \u2014 discovered by researchers earlier this year \u2014 are total game-changers. This malware is being used for mass infections of everyday users. 
In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.<\/p>\n<h2>What we know about DarkSword, and how it can target your iPhone<\/h2>\n<p>In mid-March 2026, three separate research teams coordinated the <a href=\"https:\/\/www.wired.com\/story\/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild\/\" target=\"_blank\" rel=\"noopener nofollow\">release of their findings on a new spyware strain<\/a> called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.<\/p>\n<p>First, we should clear up some confusion: iOS 18 isn\u2019t as vintage as it might sound. Even though the <a href=\"https:\/\/en.wikipedia.org\/wiki\/IOS_26\" target=\"_blank\" rel=\"noopener nofollow\">latest version is iOS 26<\/a>, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions \u2014 from 18 straight to 26 \u2014 so the OS number matches the current year. Despite the jump, Apple estimates that <a href=\"https:\/\/developer.apple.com\/support\/app-store\/\" target=\"_blank\" rel=\"noopener nofollow\">about a quarter of all active devices still run iOS 18 or older<\/a>.<\/p>\n<p>With that cleared up, let\u2019s get back to DarkSword. Research shows that this malware infects victims when they visit perfectly legitimate websites that have been injected with malicious code. The spyware installs itself without any user interaction at all: you just have to land on a compromised page. This is what\u2019s known as a zero-click infection technique. Researchers report that several thousand devices have already been hit this way.<\/p>\n<p>To compromise a device, DarkSword uses a six-vulnerability exploit chain to escape the sandbox, escalate privileges, and execute code. 
Once it\u2019s in, the malware harvests data from the infected device, including:<\/p>\n<ul>\n<li>Passwords<\/li>\n<li>Photos<\/li>\n<li>Chats and data from iMessage, WhatsApp, and Telegram<\/li>\n<li>Browser history<\/li>\n<li>Information from Apple\u2019s Calendar, Notes, and Health apps<\/li>\n<\/ul>\n<p>On top of all that, DarkSword lets attackers scoop up crypto-wallet data, making it essentially dual-purpose malware that functions as both a spy tool and a way to drain your crypto.<\/p>\n<p>The only bit of good news is that the spyware doesn\u2019t survive a reboot. DarkSword is fileless malware, meaning it lives in the device\u2019s RAM, and never actually embeds itself into the file system.<\/p>\n<h2>Coruna: how older iOS versions are being targeted<\/h2>\n<p>Just two weeks before the DarkSword findings went public, researchers flagged another iOS threat <a href=\"https:\/\/www.wired.com\/story\/coruna-iphone-hacking-toolkit-us-government\/\" target=\"_blank\" rel=\"noopener nofollow\">dubbed Coruna<\/a>. This malware is capable of compromising devices running older software \u2014 specifically iOS 13 through 17.2.1. Coruna uses the exact same playbook as DarkSword: victims visit a legitimate site injected with malicious code, which then drops the malware onto the device. The whole process is completely invisible and requires zero user interaction.<\/p>\n<p>A deep dive into Coruna\u2019s code revealed it exploits a total of 23 different iOS vulnerabilities, several of which are tucked away in Apple\u2019s WebKit. It\u2019s worth remembering that, generally speaking (outside the <a href=\"https:\/\/developer.apple.com\/support\/alternative-browser-engines\/\" target=\"_blank\" rel=\"noopener nofollow\">EU<\/a>), all iOS browsers are required to use the WebKit engine. 
This means these vulnerabilities don\u2019t just affect Safari users \u2014 they\u2019re a threat to anyone using a third-party browser on their iPhone as well.<\/p>\n<p>The latest version of Coruna, much like DarkSword, includes modifications designed to drain crypto wallets. It also harvests photos and, in certain instances, email data. From what we can tell, stealing cryptocurrency seems to be the primary motive behind Coruna\u2019s widespread deployment.<\/p>\n<h2>Who created Coruna and DarkSword \u2014 and how did they end up in the wild?<\/h2>\n<p>Code analysis of both tools suggests that Coruna and DarkSword were likely built by different developers. However, in both cases, we\u2019re looking at software originally created by state-affiliated companies, possibly from the U.S. The high quality of the code points to this; these aren\u2019t just Frankenstein kits cobbled together from random parts, but uniformly engineered exploits. Somewhere along the line, these tools leaked into the hands of cybercrime gangs.<\/p>\n<p>Experts at Kaspersky\u2019s GReAT analyzed all of Coruna\u2019s components and confirmed that this exploit kit is actually <a href=\"https:\/\/securelist.com\/coruna-framework-updated-operation-triangulation-exploit\/119228\/\" target=\"_blank\" rel=\"noopener\">an updated version of the framework used in Operation Triangulation<\/a>. That earlier attack targeted Kaspersky employees, a <a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-37c3-talk\/50166\/\" target=\"_blank\" rel=\"noopener nofollow\">story we covered in detail on this blog<\/a>.<\/p>\n<p>One theory suggests an employee at the company that developed Coruna <a href=\"https:\/\/techcrunch.com\/2026\/03\/10\/us-military-contractor-likely-built-iphone-hacking-tools-used-by-russian-spies-in-ukraine\/\" target=\"_blank\" rel=\"noopener nofollow\">sold it to hackers<\/a>. 
Since then, the malware has been used to drain crypto wallets belonging to users in China; experts estimate that at least 42\u00a0000 devices were infected there alone.<\/p>\n<p>As for DarkSword, cybercriminals have already used it to compromise users in Saudi Arabia, Turkey, and Malaysia. The problem is exacerbated by the fact that the attackers who first deployed DarkSword left the full source code on infected websites, meaning it could easily be picked up by other criminal groups.<\/p>\n<p>The code also includes detailed comments in English explaining exactly what each component does, which supports the theory of its Western origins. These step-by-step instructions make it easy for other hackers to adapt the tool for their own purposes.<\/p>\n<h2>How to protect yourself from Coruna and DarkSword<\/h2>\n<p>Serious malware that allows for the mass infection of iPhones while requiring zero interaction from the user has now landed in the hands of an essentially unlimited pool of cybercriminals. To pick up Coruna or DarkSword, you simply have to visit the wrong site at the wrong time. So this is one of those cases where every user needs to take iOS security seriously \u2014 not just those in high-risk groups.<\/p>\n<p>The best thing you can do to protect yourself from Coruna and DarkSword is to update your devices to the latest version of iOS or iPadOS 26, as soon as you can. If you can\u2019t update to the newest software \u2014 for instance, if your device is older and doesn\u2019t support iOS 26 \u2014 you should still install the latest version available to you. Specifically, look for versions <a href=\"https:\/\/support.apple.com\/en-us\/126632\" target=\"_blank\" rel=\"noopener nofollow\">15.8.7<\/a>, <a href=\"https:\/\/support.apple.com\/en-us\/126646\" target=\"_blank\" rel=\"noopener nofollow\">16.7.15<\/a>, or <a href=\"https:\/\/support.apple.com\/en-us\/126793\" target=\"_blank\" rel=\"noopener nofollow\">18.7.7<\/a>. 
In a rare move, Apple patched a wide range of older operating systems.<\/p>\n<p>To protect your Apple devices from similar malware that will likely pop up in the future, we recommend the following:<\/p>\n<ul>\n<li><strong>Install updates promptly on all your Apple devices.<\/strong> The company regularly releases OS versions that patch known vulnerabilities \u2014 don\u2019t skip them.<\/li>\n<li><strong>Enable Background Security Improvements.<\/strong> This feature allows your device to receive critical security fixes separately from full iOS updates, reducing the window for hackers to exploit vulnerabilities. To enable it, go to <em>Settings<\/em> \u2192 <em>Privacy &amp; Security<\/em> \u2192 <em>Background Security Improvements<\/em> and turn on <em>Automatically Install<\/em>.<\/li>\n<li><strong>Consider using <\/strong><a href=\"https:\/\/www.kaspersky.com\/blog\/apple-lockdown-mode\/45061\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Lockdown Mode<\/strong><\/a><strong>.<\/strong> This is a heightened security setting that limits some device features but simultaneously blocks or significantly complicates attacks. To enable this, go to <em>Settings<\/em> \u2192 <em>Privacy &amp; Security<\/em> \u2192 <em>Lockdown Mode<\/em> \u2192 <em>Turn On Lockdown Mode<\/em>.<\/li>\n<li><strong>Reboot your device once a day (or more).<\/strong> This stops fileless malware in its tracks, since these threats aren\u2019t embedded in the system and disappear after a restart.<\/li>\n<li><strong>Use encrypted storage for sensitive data.<\/strong> Keep things like crypto wallet keys, photos of IDs, and confidential info in a secure vault. 
<a href=\"https:\/\/www.kaspersky.co.uk\/password-manager?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>\u00a0is a great fit for this; it manages your passwords, two-factor authentication tokens, and passkeys across all your devices while also keeping your notes, photos, and docs synced and encrypted.<\/li>\n<\/ul>\n<blockquote><p>The idea that Apple devices are bulletproof is a myth. They\u2019re vulnerable to zero-click attacks, Trojans, and ClickFix infection techniques \u2014 and we\u2019ve even seen malicious apps slip into the App Store more than once. Read more here:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/predator-spyware-ios-recording-indicator-bypass\/55463\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Predator vs. iPhone: the art of invisible surveillance<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/airborne-wormable-zero-click-vulnerability-in-apple-airplay\/53443\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>AirBorne: Attacks on Apple devices through vulnerabilities in AirPlay<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/whisperpair-blueooth-headset-location-tracking\/55162\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Are your Bluetooth headphones spying on you?<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/banshee-stealer-targets-macos-users\/52933\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Banshee: A stealer targeting macOS users<\/strong><\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" 
value=\"kpm-download\">\n","protected":false},"excerpt":{"rendered":"<p>The emergence of DarkSword and Coruna \u2014 new malware targeting iOS \u2014 shows exactly how government intelligence tools are being repurposed as weapons for cybercriminals. We break down how these attacks work, why they&#8217;re so dangerous, and what you can do to not get infected.<\/p>\n","protected":false},"author":2726,"featured_media":30262,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1622,2026],"tags":[14,2106,1922,1078,1150,100,3348,26,36,187,514,689,268,3748],"class_list":{"0":"post-30261","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"tag-apple","10":"tag-browsers","11":"tag-cryptocurrencies","12":"tag-exploits","13":"tag-ios","14":"tag-ipad","15":"tag-ipados","16":"tag-iphone","17":"tag-malware-2","18":"tag-passwords","19":"tag-safari","20":"tag-spyware","21":"tag-vulnerabilities","22":"tag-zero-click"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/30261\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/30414\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/25463\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/41717\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/55622\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ios-exploits-darksword-and-coruna-in-mass-attacks\/30568\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/36148\/"},{"hreflang"
:"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ios-exploits-darksword-and-coruna-in-mass-attacks\/35799\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/ios\/","name":"iOS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=30261"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30261\/revisions"}],"predecessor-version":[{"id":30263,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30261\/revisions\/30263"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/30262"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=30261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=30261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=30261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}