iPhone Security: Update Now to Block New Hacking Tools (DarkSword & Coruna)

by Priyanka Patel

iPhone users are being urged to update their devices immediately following the discovery of sophisticated hacking tools, dubbed DarkSword and Coruna, that have been used in targeted attacks over the past year. The tools, which exploit vulnerabilities in older versions of Apple’s iOS operating system, have been linked to Russian intelligence, Chinese cybercriminals, and other threat actors, raising concerns about the security of mobile devices even within Apple’s typically secure ecosystem. Keeping software up to date is paramount in protecting against these evolving threats.

The existence of these exploit kits was detailed this month by Google and cybersecurity firms iVerify and Lookout. These tools aren’t simple glitches; they are technically sophisticated, relying on a complex chain of exploits to gain control of a device. Once a device is compromised, hackers can gain deep remote access to the phone, potentially accessing sensitive data like Wi-Fi passwords, text messages, call history, location data, and even health information, as detailed in a news release from iVerify.

Apple acknowledged the threat and emphasized the importance of keeping software up to date. “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” said Apple spokesperson Sarah O’Rourke. The company released iOS 26 in September, which protects against both hacking campaigns, and last week issued a special update for older devices unable to fully upgrade, specifically to block the exploits.

Origins of the Exploits: From Defense Contractor to Cybercrime

The story of Coruna is particularly noteworthy. According to the Department of Justice, Peter Williams, a former cyber executive with the military defense contractor L3Harris, pleaded guilty last year to selling his company’s hacking tools, including Coruna, to a Russian broker. Google’s research found that this tool was then deployed by hackers associated with Russian intelligence groups, targeting Ukrainians last summer.

Remarkably, by December, Chinese cybercriminals had acquired Coruna and begun creating “a very large set of fake Chinese websites mostly related to finance,” Google reported, with the intent of stealing cryptocurrency. This demonstrates a concerning trend: the proliferation of powerful exploits into the hands of diverse threat actors, highlighting an active market for “second hand” zero-day exploits.

DarkSword: A Widely Adopted Exploit Chain

The second tool, DarkSword, has a less clear origin, but Google reports it was likewise used by the same Russian intelligence unit. Since November, multiple commercial surveillance vendors and suspected state-sponsored actors have utilized DarkSword in distinct campaigns, targeting individuals in Ukraine, Malaysia, Saudi Arabia, and Turkey. The widespread adoption of DarkSword mirrors the trajectory of Coruna, suggesting a growing trend of exploit kit sharing and reuse.

The campaigns utilize a “watering hole attack,” where hackers compromise a website to automatically infect vulnerable phones that visit it. This method allows for broad targeting without direct interaction with victims. John Scott-Railton, a senior researcher at Citizen Lab, warned that “the barrier to entry for widespread, devastating mobile attacks has been decisively lowered,” and that this problem is “only going to grow.”

Who is at Risk?

Although initial reports focused on targets in specific regions – Ukrainians targeted by Russian intelligence, Chinese cryptocurrency users, and individuals in Saudi Arabia, Turkey, and Malaysia – experts caution that anyone using an outdated version of iOS is potentially vulnerable. Scott-Railton noted that the tools “could also easily be used to hack anyone whose iOS is out of date.” Rocky Cole, iVerify’s chief operating officer, added that the perception of iPhones as inherently secure is being challenged by these campaigns, stating, “There’s been this perception in the security community that attacks against iPhones are like mythical beasts, they’re rare…Nah, we just don’t really have the tools to see these. I have a feeling that it’s more pervasive than people think.”

The ease with which these attacks can be carried out is particularly concerning. As Scott-Railton pointed out, “The scary takeaway for regular users is they can’t spot this attack.”

Staying Protected: Update Your iPhone

The most effective defense against these threats is to ensure your iPhone is running the latest version of iOS. Apple’s iOS 26, released in September, provides protection against both Coruna and DarkSword. For users with older devices that cannot fully upgrade, the special update released last week offers a critical layer of security. Regularly updating your software is not merely a suggestion; it’s a fundamental step in safeguarding your personal data and privacy.

The proliferation of these sophisticated hacking tools underscores the evolving landscape of cybersecurity threats. While Apple continues to enhance the security of its devices, user vigilance and prompt software updates remain essential in mitigating the risk of compromise. The next step for users is to check for and install any available updates, and to remain informed about emerging threats to mobile security.
