Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks

The common assumption among iPhone security experts has been that discovering vulnerabilities and developing exploits for iOS is difficult. It requires significant time and resources, as well as teams of skilled researchers to break through Apple’s layers of security defenses. This meant iPhone spyware and zero-day vulnerabilities, which are not known to the software vendor before they are exploited, were rare and used only in limited and targeted attacks, as Apple itself claims.

However, in the last month, cybersecurity researchers at Google, iVerify, and Lookout have documented several large-scale hacking campaigns. The tools used in these attacks, known as Coruna and DarkSword, have been targeting victims around the world who have not updated to Apple’s latest software. The hackers responsible include Russian spies and Chinese cybercriminals. They target victims via hacked or fake websites, which allows them to steal phone data from a substantial number of users. Now, some of these hacking tools have leaked online, making it easier for anyone to attack Apple users with older iOS versions.

Apple’s Security Efforts and Remaining Challenges

Apple has invested heavily in new security technologies, such as introducing memory-safe code for its latest iPhone models and creating features like Lockdown Mode, which are meant to counter spyware attacks. The goal is to secure modern iPhones further and reinforce Apple’s claim that the iPhone is highly difficult to hack. Nevertheless, many older, out-of-date iPhones remain in use, and they are easier targets for attackers using spyware and other hacking tools.

Currently, there are two main security classes among iPhone users. Users running the latest iOS 26 on the most recent iPhone 17 models, launched in 2025, benefit from a security feature called Memory Integrity Enforcement. This feature is designed to stop memory corruption bugs, which are some of the most common flaws exploited in spyware and phone unlocking attacks. Google reports that DarkSword, for instance, relies heavily on memory corruption.

On the other hand, a large number of iPhone users are still running older versions of Apple’s software—iOS 18 or previous releases—which have been vulnerable to memory-based hacks and other exploits.

Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.

Impact of Coruna and DarkSword on iPhone Security

The discovery of Coruna and DarkSword indicates that memory-based attacks may continue to threaten users of older iPhones and iPads. These devices often lag behind the latest, more secure models. Experts from iVerify and Lookout, companies specializing in mobile security products, argue Coruna and DarkSword challenge the long-standing assumption that iPhone hacks are rare.

Matthias Frielingsdorf, co-founder of iVerify, explained to TechCrunch that mobile attacks are now “widespread.” However, he noted that attacks relying on zero-day vulnerabilities against updated software “will always be charged at a premium rate.” This suggests such advanced attacks are unlikely to target broad populations.

Apple security expert Patrick Wardle argued that the perceived rarity or sophistication of some attacks arises mainly because they are seldom documented. In reality, many of these attacks may exist but remain undetected. He compared calling these attacks “highly advanced” to calling tanks or missiles advanced—while true, it is simply the baseline capability for many nations or buyers.

Another complication from Coruna and DarkSword is the growth of a thriving “second-hand” exploit market. This market creates a financial incentive for exploit developers and brokers to “get paid twice for the same exploit,” according to Lookout’s principal researcher, Justin Albrecht. After an initial exploit is patched, brokers often resell it before all users update their devices.

Albrecht warned that this trend is not just a one-time event. Instead, it signals an ongoing and developing challenge for the iOS ecosystem. As more tools leak and are resold, the threat landscape for older Apple devices will likely become even more dynamic and dangerous.

Tags: iOS 26, spyware, cybersecurity, Coruna DarkSword, zero-day, iPhone updates