\n<\/p>\n
Security researchers have uncovered a series of cyberattacks targeting Apple customers across the world. The tools used in these hacking campaigns have been dubbed Coruna<\/a> and DarkSword<\/a>, and they have been used by both government spies and cybercriminals to steal data from people\u2019s iPhones and iPads.\u00a0<\/p>\n It\u2019s rare to see widespread hacks targeting iPhone and iPad users. In the last decade, the only precedents have been attacks against Uyghurs Muslims in China<\/a>, and against people in Hong Kong<\/a>.<\/p>\n Now, some of these powerful hacking tools have leaked online<\/a>, potentially putting hundreds of millions of iPhones and iPads running out-of-date software at risk of data thefts.<\/p>\n We are breaking down what we know and what we don\u2019t about these latest iPhone and iPad hacking threats, and what you can do to stay protected.<\/p>\n Coruna and DarkSword are two sets of advanced hacking toolkits that each contain a range of exploits capable of breaking into iPhones and iPads and stealing a person\u2019s data, such as their messages, browser data, location history, and cryptocurrency.<\/p>\n Security researchers who discovered the toolkits say Coruna\u2019s exploits can hack iPhones and iPads running iOS 13 through iOS 17.2.1, which was released in December 2023.\u00a0<\/p>\n DarkSword, however, contains exploits capable of hacking iPhones and iPads with more recent devices running iOS 18.4 and 18.7, released in September 2025, according to security researchers with Google who are investigating the code.<\/p>\n But the threat from DarkSword is more immediate to the general public. Someone leaked part of DarkSword and published it on code-sharing site GitHub<\/a>, making it easy for anyone to download the malicious code and launch their own attacks targeting Apple users running older versions of iOS.\u00a0<\/p>\n These types of attacks are by definition indiscriminate and dangerous, as they can ensnare anyone who visits a certain website hosting the malicious code.<\/p>\n \t\t\tDo you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email<\/a>.<\/a> \t\t<\/div>\n In some cases, victims can be hacked simply by visiting a legitimate website under the control of malicious hackers.<\/p>\n When victims are initially infected, Coruna and DarkSword exploit several vulnerabilities in iOS that let hackers virtually take full control of the target\u2019s device, allowing them to steal the person\u2019s private data. The data is then uploaded to a web server run by the hackers.\u00a0<\/p>\n At least some parts of the Coruna toolkit, as TechCrunch previously reported<\/a>, were originally developed by Trenchant, a hacking and spyware unit within U.S. defense contractor L3Harris, which sells exploits to the U.S. government and its top allies.<\/p>\n Kaspersky has also linked two exploits in Coruna\u2019s toolkit to Operation Triangulation<\/a>, a complex and likely government-led cyberattack allegedly carried out against Russian iPhone users<\/a>.<\/p>\n After Trenchant developed Coruna \u2014 somehow, it\u2019s not clear how \u2014 these exploits found their way into the hands of Russian spies and Chinese cybercriminals, perhaps through one or several intermediaries who sell exploits on the underground market.\u00a0<\/p>\n Coruna\u2019s travels show again that powerful hacking tools, including those developed for the U.S. under tight secrecy restrictions, can leak and proliferate out of control.\u00a0<\/p>\n One example of this was in 2017 when an exploit developed by the U.S. National Security Agency, which was capable of remotely breaking into Windows computers around the world, leaked online. The same exploit was then used in the destructive WannaCry ransomware attack<\/a>, which indiscriminately hacked<\/a> hundreds of thousands of computers across the world.\u00a0<\/p>\n In the case of DarkSword, researchers have observed attacks targeting users in China, Malaysia, Turkey, Saudi Arabia, and Ukraine. It remains unclear who originally developed DarkSword, how it ended up with different hacking groups, or how the tools were leaked online.<\/p>\n It\u2019s unclear who leaked and published online to GitHub, or for what reason.<\/p>\n The hacking tools, which TechCrunch has seen, are written in the web languages HTML and JavaScript, making them relatively easy to configure and self-host anywhere by anyone wanting to launch malicious attacks. (TechCrunch is not linking to GitHub as the tools can be used in malicious attacks.) Researchers posting on X<\/a> have already tested the leaked tools by hacking into their own Apple devices running vulnerable versions of the company\u2019s software.<\/p>\n DarkSword is now \u201cessentially plug-and-play,\u201d as Justin Albrecht, principal researcher at mobile security firm Lookout, explained to TechCrunch.\u00a0<\/p>\n GitHub told TechCrunch that it has not taken down the leaked code, but will preserve it for security research.<\/p>\n \u201cGitHub\u2019s Acceptable Use Policies prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,\u201d GitHub\u2019s online safety counsel Jesse Geraci told TechCrunch. \u201cHowever, we do not prohibit the posting of source code which could be used to develop malware or exploits, as the publication and distribution of such source code has educational value and provides a net benefit to the security community.\u201d<\/p>\n If you have an iPhone or iPad that is not up to date, you should consider updating immediately.<\/p>\n Apple told TechCrunch that users running the latest versions of iOS 15 through iOS 26 are already protected.<\/p>\n According to iVerify:<\/a> \u201cWe strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains.\u201d<\/p>\n According to Apple\u2019s own statistics<\/a>, almost one-in-three iPhone and iPad users are still not running the latest iOS 26 software. That means there are potentially hundreds of millions of devices vulnerable to these hacking tools, since Apple touts more than 2.5 billion<\/a> active devices around the world.\u00a0<\/p>\n Apple also said that devices running Lockdown Mode, an opt-in extra security feature first introduced in iOS 16<\/a>, also blocks these specific attacks.\u00a0<\/p>\n Lockdown Mode is helpful for journalists, dissidents, human rights activists, and anyone who thinks they may be targeted for who they are, or the work that they do.\u00a0<\/p>\n While Lockdown Mode is not perfect<\/a>, there has been no public evidence that hackers have to date ever been able to bypass its protections. (We asked Apple if that claim still holds true, and will update if we hear back.) Lockdown Mode was found to have prevented<\/a> at least one attempt to plant spyware on a human rights defender\u2019s phone.<\/p>\n<\/div>\nWhat are Coruna and DarkSword?<\/strong><\/h2>\n
How do Coruna and DarkSword work?<\/strong><\/h2>\n
Contact Us<\/h4>\n
Is my iPhone or iPad vulnerable to DarkSword?<\/strong><\/h2>\n
What if I can\u2019t or don\u2019t want to upgrade to iOS 26?<\/strong><\/h2>\n