An iPhone under cyberattack from leaked Coruna and DarkSword exploits, illustrating global mobile security risks.

Security researchers have uncovered a major new threat to Apple users worldwide. Two advanced hacking toolkits, dubbed Coruna and DarkSword, have been discovered targeting iPhones and iPads. Even more alarmingly, parts of these tools have leaked online, putting potentially hundreds of millions of devices at risk.

While iOS devices are often considered more secure than Android, history has shown that no system is impervious. Attacks against iPhone and iPad users have previously been rare and typically highly targeted — for example, operations against Uyghur Muslims in China or pro-democracy activists in Hong Kong. The emergence and public availability of these new toolkits mark a significant escalation in potential risk for everyday users.

What Are Coruna and DarkSword?

Coruna and DarkSword are advanced sets of exploits that allow hackers to gain full control over iPhones and iPads. Once compromised, devices can have their messages, browsing history, location, photos, and even cryptocurrency wallets stolen.

  • Coruna targets iOS versions 13 through 17.2.1, covering devices that have not been updated since late 2023.
  • DarkSword targets more recent devices running iOS 18.4 and 18.7, released in 2025. Notably, DarkSword has already partially leaked to GitHub, making it easier for malicious actors to replicate attacks without specialized knowledge.

The distinction is critical. While Coruna’s exploits are older, DarkSword’s leak represents a more immediate threat, especially to users who have not upgraded to the latest iOS updates.

How These Toolkits Work

Both Coruna and DarkSword are designed to be indiscriminate and dangerous. In many cases, a user can be compromised simply by visiting a website controlled by attackers — a technique known as drive-by exploitation. Once a device is infected:

  1. Vulnerabilities in iOS are exploited to gain root-level access.
  2. Hackers can remotely access the device’s sensitive data.
  3. Stolen data is uploaded to servers controlled by the attackers.

Security experts warn that these attacks are highly automated, meaning that ordinary users could be targeted without any specific reason, simply because they have an outdated device or visit a compromised website.

Origins of Coruna and DarkSword

The origins of these toolkits reveal a concerning trend in modern cyber warfare and exploit proliferation.

  • Coruna reportedly began as a government-level tool, developed by Trenchant, a hacking and spyware unit within U.S. defense contractor L3Harris. This unit sells exploits to the U.S. government and allied agencies.
  • Parts of Coruna have been linked to Operation Triangulation, a sophisticated cyber campaign allegedly targeting Russian iPhone users.
  • From there, Coruna’s exploits appear to have spread through intermediaries and underground markets, eventually falling into the hands of Russian and Chinese hacking groups.

This mirrors a dangerous pattern: exploits created for government use can leak, becoming tools for cybercriminals — as seen with the NSA exploit leak in 2017 that led to the WannaCry ransomware outbreak.

DarkSword, meanwhile, is newer and more mysterious. Attacks using DarkSword have been observed in countries including China, Malaysia, Turkey, Saudi Arabia, and Ukraine. Researchers have yet to identify the original developer or the precise chain of distribution.

The leak of DarkSword on GitHub, written in web languages like HTML and JavaScript, has effectively made it “plug-and-play” for anyone with basic technical knowledge, according to Justin Albrecht, a principal researcher at mobile security firm Lookout.

Why the Leak Is Dangerous

DarkSword’s leak is particularly alarming because it lowers the technical barrier to entry for cybercriminals:

  • Anyone can download and host the code themselves.
  • It can be configured to target devices visiting specific websites or web apps.
  • It exploits vulnerabilities that remain unpatched on many devices.

GitHub has not removed the leak, saying that the source code has educational and security research value, even though it could be misused. This raises broader questions about the trade-off between open-source research and public safety in cybersecurity.

Who Is Vulnerable?

Users with outdated iPhones or iPads are at the highest risk. Apple has confirmed that the latest iOS versions — iOS 26.3.1 or iOS 18.7.6 — already patch the vulnerabilities exploited by both Coruna and DarkSword.

However, Apple’s own statistics indicate that about one-third of users worldwide are not running the latest iOS software. With over 2.5 billion active devices globally, this leaves hundreds of millions potentially exposed.

Devices That Cannot Update

For users who cannot or choose not to upgrade, Apple recommends enabling Lockdown Mode. First introduced in iOS 16, Lockdown Mode is an optional security feature designed to protect journalists, human rights defenders, and anyone at elevated risk from targeted attacks.

  • Lockdown Mode limits certain features, such as message attachments and web browsing functions, that could be exploited.
  • While not perfect, it has successfully blocked at least one attempt to install spyware on a human rights defender’s iPhone.

Mitigating the Risk

To reduce the likelihood of being compromised, experts recommend:

  1. Updating iOS Immediately: Ensure devices are running iOS 26.3.1 or 18.7.6 or later.
  2. Enabling Lockdown Mode: Especially for users at higher risk of targeted attacks.
  3. Practicing Safe Browsing: Avoid visiting untrusted websites or clicking unknown links.
  4. Monitoring for Suspicious Behavior: Unexpected pop-ups, unusual battery drain, or unexplained data usage can indicate compromise.

Additionally, enterprise users or those with sensitive data may consider mobile device management (MDM) solutions to enforce updates and monitor threats proactively.
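For teams enforcing updates through MDM, the version thresholds above can be turned into a simple inventory triage. The following is an added example, not code from Apple, the researchers, or any MDM product: the device names and CSV layout are hypothetical, and the only thresholds used are the ones stated in this article (fixed in 18.7.6 and 26.3.1, Coruna range 13 through 17.2.1, Lockdown Mode from iOS 16).

```python
import csv
import io

# Thresholds are the ones stated in the article; nothing else is assumed about the exploits.
PATCHED_18 = (18, 7, 6)            # fixed release on the iOS 18 branch
PATCHED_26 = (26, 3, 1)            # fixed release on the iOS 26 branch
CORUNA = ((13, 0, 0), (17, 2, 1))  # "iOS versions 13 through 17.2.1"
LOCKDOWN_MIN = (16, 0, 0)          # Lockdown Mode was first introduced in iOS 16

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE_CSV = """device,os_version
exec-iphone-01,26.3.1
field-ipad-07,18.7
lab-iphone-03,17.2.1
kiosk-ipad-11,15.8.2
sales-iphone-22,18.7.6
byod-iphone-40,n/a
"""

def parse_version(text):
    """Turn '18.7' into (18, 7, 0); raise ValueError on anything malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(version_text):
    """Classify one reported OS version against the article's thresholds."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return {"status": "unknown", "coruna_range": False, "lockdown_available": False}
    if v >= PATCHED_26 or PATCHED_18 <= v < (19, 0, 0):
        status = "patched"
    elif (19, 0, 0) <= v < (26, 0, 0):
        status = "unknown"          # Apple skipped these majors; treat as bad data
    else:
        status = "update-required"  # includes branches with no fix named in the article
    return {"status": status,
            "coruna_range": CORUNA[0] <= v <= CORUNA[1],
            "lockdown_available": v >= LOCKDOWN_MIN}

def triage(csv_text):
    """Return {device: assessment} for every row of the inventory."""
    return {r["device"]: assess(r["os_version"]) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for device, result in triage(SAMPLE_CSV).items():
        print(f"{device:18} {result}")
```

Devices marked `update-required` with `lockdown_available` set are the ones where Lockdown Mode can serve as the interim control until the update lands; `unknown` rows need a manual check rather than being assumed safe.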

Broader Implications

The Coruna and DarkSword leaks highlight several important trends in cybersecurity:

1. Government Tools Can Become Public Threats

Exploits created for intelligence or military purposes can escape controlled environments, potentially causing massive civilian risk.

2. iOS Is Not Impenetrable

Apple devices are highly secure compared to many platforms, but persistent vulnerabilities and the slow adoption of updates mean that large-scale attacks are possible.

3. Cybersecurity Requires a Multi-Layered Approach

Users cannot rely on a single update or security feature. Combining software updates, enhanced security modes, and cautious online behavior is essential.

Historical Context

The risk posed by leaked government tools is not new. Similar incidents include:

  • 2017 NSA Exploit Leak: Led to the global WannaCry ransomware attack affecting hundreds of thousands of computers.
  • Targeted iOS Attacks on Activists: Previous campaigns focused on political dissidents, demonstrating the potential reach of sophisticated spyware.

The key difference with DarkSword is scale and accessibility. Unlike highly targeted attacks, these tools are now available to anyone with basic technical skills, potentially enabling mass exploitation.

Practical Recommendations for Apple Users

  • Update immediately: Running the latest iOS is the most effective defense.
  • Enable Lockdown Mode: Provides an extra layer of protection for at-risk individuals.
  • Avoid Suspicious Links or Sites: Many infections can occur simply by visiting compromised websites.
  • Regularly Monitor Device Behavior: Watch for unusual battery or data usage, which may indicate compromise.

For organizations, deploying endpoint protection solutions and enforcing update policies is critical to preventing attacks from spreading in enterprise environments.

What’s Next?

Researchers and security firms are continuing to investigate the Coruna and DarkSword toolkits. Meanwhile, Apple and other tech companies are increasingly aware of the need to rapidly patch vulnerabilities and offer protective features like Lockdown Mode.

Users can also expect increased public discussion about responsible disclosure, exploit leaks, and the ethics of publishing dangerous code online, especially when code appears on platforms like GitHub.

The Coruna and DarkSword incidents serve as a stark reminder: no platform, no matter how secure, is immune to the combination of sophisticated attackers and leaked exploit tools. The intersection of state-developed hacking tools and publicly available code introduces a new era of risk for everyday users, making vigilance, timely updates, and layered security more important than ever.

Conclusion

The leak of Coruna and DarkSword marks a significant escalation in mobile security threats. By exposing hundreds of millions of iPhones and iPads to potential exploitation, these tools demonstrate both the power of advanced hacking kits and the risks posed when government-level exploits enter the public domain.

For users, the message is clear: update your device, enable security features, and remain cautious online. For enterprises, journalists, and high-risk individuals, Lockdown Mode and strict security protocols are essential.

While Apple devices remain among the most secure in the mobile ecosystem, the emergence of accessible, advanced exploit kits underscores an uncomfortable reality: no device is invulnerable, and complacency can have serious consequences.

By understanding these threats and taking proactive measures, users can minimize risk — but the Coruna and DarkSword leak will likely remain a key case study for cybersecurity professionals for years to come.
