Recent cybersecurity findings have prompted Apple to urge users to update their iPhones, following evidence that advanced hacking tools are being used to compromise devices running older versions of its operating system.
The tools—referred to as “DarkSword” and “Coruna”—have been analyzed in recent reports by Google, along with cybersecurity firms iVerify and Lookout. Classified as exploit kits, they are capable of granting attackers extensive remote access to targeted devices, allowing them to extract sensitive personal data.
According to iVerify, DarkSword appears designed for surveillance purposes, with the capability to collect a wide range of information. This includes login credentials such as Wi-Fi passwords, communication records like messages and call logs, location data, browsing activity, and even personal app data stored in notes, calendars, and health applications.
Apple has responded by emphasizing that these tools are effective only against devices that have not been updated to the latest software. Company spokesperson Sarah O’Rourke underscored that maintaining up-to-date software remains the most critical step users can take to protect their devices.
The findings have raised broader concerns within the cybersecurity community. While Apple devices are often perceived as more secure than competing platforms, experts note that this protection depends heavily on timely software updates. Devices running outdated systems may still be vulnerable to sophisticated attacks.
Research into these campaigns suggests that specific groups have been targeted, including individuals in Ukraine, Chinese cryptocurrency users, and users in countries such as Saudi Arabia, Turkey, and Malaysia. Although there is no confirmed evidence of attacks against U.S. users, researchers caution that any unpatched device could potentially be exploited.
Apple states that its latest operating system, iOS 26—released in September—addresses the vulnerabilities used by these tools. In an uncommon move, the company also issued a targeted security update for older iPhones that are unable to upgrade fully, aiming to close these security gaps.
The attacks themselves rely on a technique known as a “watering hole” attack. In this method, attackers compromise or create websites embedded with malicious code that exploits how devices handle web traffic. When users visit these sites, vulnerable phones can be infected without requiring additional interaction.
Despite these developments, experts note that successfully breaching an iPhone remains technically complex. The attacks involve multiple coordinated vulnerabilities working together, reflecting a high level of sophistication.
Investigations into the origins of the tools reveal links to both state and criminal actors. Coruna, for example, has been traced back to a former executive at a defense contractor who admitted to selling hacking software to a Russian intermediary. The tool was later used in operations attributed to Russian intelligence targeting Ukrainian individuals. Subsequent reports indicate that Chinese cybercriminal groups later obtained the tool and used it to build fraudulent financial websites aimed at stealing cryptocurrency.
Cryptocurrencies are considered particularly attractive targets due to the difficulty of reversing transactions once funds are transferred.
The origins of DarkSword remain unclear, though it has also been associated with Russian-linked operations. Researchers report that its use has expanded, with variations observed in multiple regions and among both state-affiliated actors and private surveillance vendors.
Industry experts say the campaigns challenge the notion that iPhones are inherently resistant to hacking. While such attacks were once considered rare, some researchers believe they may be more widespread than previously understood, with limited visibility contributing to underreporting.
