
Specifically, the Coruna exploit kit targets 23 vulnerabilities across iOS 13 through 17.2.1, while DarkSword has been observed exploiting iOS versions 18.4 to 18.7. Threat actors, including Russian intelligence and Chinese cybercriminals, have deployed these kits in targeted campaigns against users in Ukraine, Saudi Arabia, Turkey, Malaysia, and Chinese cryptocurrency users. Apple has released specific updates for older devices, alongside patches in the latest iOS versions, to block these advanced threats.
To protect against these web-based attacks, Apple urges users to update their devices to iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15 for older hardware. For devices capable of running the latest software, users should update to iOS 26.3.1 and 18.7.6, which contain comprehensive fixes for all known vulnerabilities exploited by DarkSword and Coruna.
Coruna, identified by SecurityWeek, is particularly potent, incorporating 23 exploits across five iOS versions, ranging from iOS 13 to 17.2.1. Initial reports linked its use to UNC6353 in watering hole attacks targeting Ukraine. However, its effectiveness quickly led to adoption by financially motivated groups, demonstrating a broader commercialization of advanced iOS hacking tools.
DarkSword, a separate but similarly powerful exploit, also targets outdated software. Google researchers observed multiple commercial vendors and suspected state-linked hackers using DarkSword in distinct campaigns against targets in Saudi Arabia, Turkey, and Malaysia. The variant employed by UNC6353 specifically targeted devices running iOS versions 18.4-18.6, while another variant, utilized by UNC6748 and PARS Defense, extended its reach to iOS version 18.7, according to SecurityWeek.
Apple released special updates for older devices that cannot fully upgrade to the latest iOS versions. Users of these devices should update to iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15. For those with devices capable of running more recent software, Apple advises updating to iOS 15 to receive the latest protections, along with an anticipated "Critical Security Update" in the coming days, as reported by The Hacker News.
The most comprehensive protection comes from updating to the very latest platform iterations: iOS versions 26.3.1 and 18.7.6. These updates incorporate patches for all vulnerabilities associated with both Coruna and DarkSword exploit kits. Without these updates, hundreds of millions of devices remain potentially exposed to ongoing attacks.

| Device Capability | Recommended Update |
|---|---|
| Older devices (cannot update to latest iOS) | iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, iPadOS 16.7.15 |
| Devices running iOS 13 or iOS 14 | iOS 15 (plus upcoming Critical Security Update) |
| Devices capable of latest software | iOS 26.3.1 and 18.7.6 |

For scenarios where immediate software updates are not an option, Apple suggests enabling Lockdown Mode, if available. This feature reduces the attack surface, offering a layer of protection against malicious web content and other threats by restricting certain functionalities.
The discovery of DarkSword and Coruna signals a worrying trend: powerful mobile exploitation tools, once reserved for elite state-sponsored operations, are now accessible to a wider array of threat actors. Spencer Parker, chief product officer at iVerify, stated that "nation-state-grade mobile exploitation is now available for mass attack." This accessibility reduces the technical bar for deploying sophisticated attacks.
Parker added that the exploits' relative simplicity and quick adoption by multiple threat actors across various countries confirm their availability on the secondary market for less sophisticated groups. This represents a new level of scale, making widespread mobile attacks a critical and unavoidable concern for all enterprises and individual users, as these exploits are easy to repurpose and redeploy, potentially infecting unpatched users globally.
Prioritize iOS Updates
Immediately update all your Apple devices to the recommended iOS 26.3.1 or 18.7.6 (or the specific older versions like 15.8.7/16.7.15). Delaying updates leaves your sensitive data vulnerable to mass-scale exploitation by advanced hacking tools.
Enable Lockdown Mode
If you cannot update your device immediately, activate Lockdown Mode as a temporary measure. This reduces attack vectors, buying you time until you can apply the essential software patches.
Exercise Web Caution
Be extremely wary of suspicious links or unknown websites, especially if running older iOS versions. Watering hole attacks, where compromised websites deliver exploits, are a primary infection vector for these kits.
Verify Security Patches
As a founder or developer, ensure your organization's mobile device management (MDM) policies enforce these critical updates across all company-issued and BYOD iPhones to mitigate enterprise-wide risks.
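One way to run the MDM check described above is to classify each reported OS version against the ranges and fixed builds this article lists. This is an added example, not code from Apple or any MDM vendor; the inventory rows, device names and status labels are constructed for illustration.

```python
import re

# Version facts taken from the article; nothing else is assumed about the kits.
FIXED = {15: (15, 8, 7), 16: (16, 7, 15), 18: (18, 7, 6), 26: (26, 3, 1)}
KIT_RANGES = {"Coruna": ((13, 0, 0), (17, 2, 1)),
              "DarkSword": ((18, 4, 0), (18, 7, 0))}

def parse_version(text):
    """Turn '17.2.1' or '18.4' into a 3-tuple so versions compare numerically."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised OS version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def assess(version):
    """Return (status, kits) for one reported OS version string."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed and v >= fixed:
        return "patched", []
    kits = [k for k, (lo, hi) in KIT_RANGES.items() if lo <= v <= hi]
    if kits:
        return "exposed", kits
    # Outside the named ranges: below a listed fix, or a branch with no listed fix.
    return ("update" if fixed else "review"), []

def audit(rows):
    """Return every device that is not on a listed fixed build, exposed first."""
    order = {"exposed": 0, "update": 1, "review": 2, "unparsed": 3}
    findings = []
    for device, version in rows:
        try:
            status, kits = assess(version)
        except ValueError:
            status, kits = "unparsed", []
        if status != "patched":
            findings.append((device, version, status, kits))
    return sorted(findings, key=lambda f: order[f[2]])

# Constructed sample inventory (hypothetical MDM export: device name, OS version).
INVENTORY = [
    ("iphone-001", "17.2.1"), ("iphone-002", "18.5"), ("ipad-003", "15.8.7"),
    ("iphone-004", "18.7.6"), ("iphone-005", "18.2"), ("iphone-006", "unknown"),
]

if __name__ == "__main__":
    for device, version, status, kits in audit(INVENTORY):
        print(f"{device:12} {version:8} {status:9} {', '.join(kits)}")
```

Versions on a branch for which the article lists no fixed build (for example 17.x above 17.2.1) come back as "review" rather than as a verdict, so they are flagged for a manual decision.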
Coruna and DarkSword are sophisticated hacking tools targeting older iPhones. Coruna exploits 23 vulnerabilities in iOS versions 13 through 17.2.1, while DarkSword targets iOS versions 18.4 to 18.7, allowing attackers to steal sensitive data from unpatched devices through malicious web content.
Older iPhones and iPads running iOS versions 13 through 17.2.1 and 18.4 through 18.7 are vulnerable to the Coruna and DarkSword exploit kits. These kits target multiple vulnerabilities, potentially impacting hundreds of millions of users globally if their devices are not updated.
State-linked hackers, including Russian intelligence, and Chinese cybercriminals are actively using the DarkSword and Coruna exploit kits. These groups have deployed the tools in targeted campaigns against users in Ukraine, Saudi Arabia, Turkey, Malaysia, and Chinese cryptocurrency users, aiming to steal sensitive data.
The most critical step to protect your iPhone is to update to the latest iOS version available for your device. Apple has released specific updates for older devices (iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15) and patched the latest iOS versions (18.7.6) to address the vulnerabilities exploited by these kits.