Back to Headlines
Tech
Mar 26, 2026
Analyzed by Glm 4.7 Flash

The Dual Threat: Coruna and DarkSword Expose Millions of iPhones to Spyware

AI Summary
Two advanced hacking toolkits, Coruna and DarkSword, have leaked online, exposing hundreds of millions of iPhones and iPads to potential data theft. While Coruna targets older devices linked to U.S. defense contractors, the newly leaked DarkSword poses an immediate threat to users running recent iOS versions.

The Dual Threat: Coruna and DarkSword

Security researchers have identified two distinct but equally dangerous hacking toolkits, Coruna and DarkSword, that have leaked onto the open web. These advanced exploit kits, capable of breaking into iPhones and iPads, were originally developed for high-level government surveillance but are now available for anyone to download.

  • Coruna: Targets iOS 13 through 17.2.1. Linked to Trenchant, a unit within U.S. defense contractor L3Harris, and previously used in Operation Triangulation against Russian targets.
  • DarkSword: Targets iOS 18.4 and 18.7. Leaked on GitHub, making it "plug-and-play" for cybercriminals.

The Scale of Vulnerability

The scale of this exposure is staggering. According to Apple's statistics, nearly one-in-three iPhone and iPad users are still not running the latest software. With over 2.5 billion active devices globally, this implies hundreds of millions of users are susceptible to these attacks.

DarkSword is particularly concerning because it targets newer devices running iOS 18.4 and 18.7. Researchers have already tested the leaked code, successfully hacking their own devices to demonstrate the ease of use.

From State-Sponsored Espionage to Public Exploitation

This leak marks a dangerous shift in the cybersecurity landscape. Historically, sophisticated tools like Coruna were the domain of state-sponsored actors targeting specific regions, such as the Uyghurs in China or activists in Hong Kong.

However, the release of DarkSword represents a move toward indiscriminate cybercrime. The tool is written in web languages like HTML and JavaScript, allowing attackers to launch attacks simply by hosting a malicious website. Victims in China, Malaysia, Turkey, Saudi Arabia, and Ukraine have already been targeted.

The Future of Zero-Day Weaponization

The leak of these tools mirrors the infamous 2017 WannaCry ransomware attack, which was fueled by leaked NSA exploits. Once powerful zero-day vulnerabilities are released into the wild, they are nearly impossible to fully contain.

Experts recommend immediate action: users must update to iOS 18.7.6 or iOS 26.3.1. For high-risk individuals, enabling Lockdown Mode remains the most effective defense, as there is currently no public evidence of hackers bypassing its protections.