The common assumption among iPhone security experts was that finding vulnerabilities and developing exploits for iOS was difficult, requiring a lot of time, resources and teams of skilled researchers to overcome its layers of security defenses. This meant that iPhone spyware and zero-day vulnerabilities, which are not known to the software vendor before being exploited, were rare and only used in limited and targeted attacks, as Apple itself says.
However, in the past month, cybersecurity researchers at Google, iVerify and Lookout have documented several large-scale hacking campaigns using tools known as Coruna and DarkSword, which target victims around the world almost indiscriminately if they are not yet using Apple’s most up-to-date software. The hackers behind these attacks include Russian spies and Chinese cybercriminals, who target their victims through hacked websites or fake pages, allowing them to potentially steal phone data from a large number of victims.
Now, some of these tools have leaked online, allowing anyone to take the code and easily launch their own attacks against Apple users running older versions of iOS.
Apple has invested significant resources in new security and development technologies, such as introducing memory security code for its latest iPhone models and releasing features such as Lockdown Mode specifically to counter potential spyware attacks. The goal was to make modern iPhones more secure and reinforce the claim that the iPhone is very hard to hack.
However, there are still many older, outdated iPhones that are now easier targets for spies and cybercriminals using spyware.
There are now essentially two categories of iPhone user security.
Users of the latest iOS 26 running on the latest iPhone 17 models released in 2025 have a new security feature called Memory Integrity Enforcement, which is designed to stop memory corruption errors, some of the most commonly exploited flaws used in spyware and phone unlocking attacks. DarkSword relied heavily on memory corruption bugs, according to Google.
Then there are iPhone users who are still running the previous version of Apple’s mobile software, iOS 18, or even older versions, which were vulnerable to memory-based hacks and other exploits in the past.
Contact us
Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
The discovery of Coruna and DarkSword suggests that memory-based attacks could continue to plague users of older iPhones and iPads that lag behind newer, more memory-secure models.
Experts working for iVerify and Lookout, two cybersecurity firms that have a commercial stake in selling mobile security products, say Coruna and DarkSword may also challenge the long-held assumption that iPhone hacks are rare.
iVerify co-founder Matthias Frielingsdorf told TechCrunch that mobile attacks are now “widespread,” but also said that attacks based on zero-days against the most up-to-date software “will always charge a high price,” implying that they won’t be used to hack people on a large scale.
Patrick Wardle, an Apple security expert, said one problem is that people call iPhone attacks rare or sophisticated just because they’re rarely documented. But the reality, he said, is that these attacks may be out there, but they’re not always caught.
“Calling them ‘highly advanced’ is a bit like calling tanks or missiles advanced,” Wardle told TechCrunch. “True, but it misses the point. This is just the basic skill at this level, and all (most) nations have it (or can get it at the right price).”
Another problem highlighted by Coruna and DarkSword is that there is now a seemingly thriving “second-hand” market, which creates the financial incentive “for exploit developers and individual brokers to essentially get paid twice for the same exploit,” according to Justin Albrecht, principal researcher at Lookout.
Especially when the original exploit is patched, it makes sense for brokers to resell it before everyone has updated.
“This is not a one-time event, but rather a sign of things to come,” Albrecht told TechCrunch.
