Security researchers report a shift in iPhone threat patterns, with newly identified tools enabling broader attacks against users running outdated software, challenging assumptions that iOS exploits are rare and highly targeted.
Findings from teams at Google, iVerify, and Lookout describe multiple hacking campaigns using tools known as Coruna and DarkSword. These tools have been used to target users globally, particularly those not running the latest version of Apple’s mobile operating system.
Emergence Of Broad Scale Exploitation Tools
The campaigns involve attackers linked to Russian state actors and Chinese cybercriminal groups, who deploy exploits through compromised websites or fraudulent pages. These methods allow access to sensitive data from a wide pool of victims rather than a limited set of targets.
Some versions of these tools have leaked online, making them accessible beyond their original developers. This increases the likelihood that additional attackers can reuse the code to launch similar operations.
Two Distinct Security Levels Among Users
The research highlights a growing divide in device security. Users running the latest iOS 26 on newer devices such as the iPhone 17 benefit from features like Memory Integrity Enforcement, designed to prevent memory corruption vulnerabilities commonly used in spyware attacks.
By contrast, users on older versions, including iOS 18 and earlier, remain exposed to known exploit techniques. Researchers said tools such as DarkSword rely heavily on memory-based vulnerabilities, which continue to affect devices without updated protections.
Changing Perception Of iPhone Security
Researchers said the availability of these tools challenges the perception that iPhone attacks are rare. Matthias Frielingsdorf said mobile attacks are now widespread, though the use of zero-day exploits against fully updated systems remains costly and less common at scale.
Patrick Wardle said the limited visibility of such attacks has contributed to the perception of rarity, noting that many incidents may go undetected.
Emerging Market For Exploits
Researchers also identified a growing secondary market for exploit tools. Justin Albrecht said developers and brokers can resell exploits after initial use, particularly once vulnerabilities are patched but before users update their devices.
This dynamic creates ongoing financial incentives for exploit development and distribution, increasing the likelihood of repeated use across different campaigns.
Ongoing Security Efforts And Limitations
Apple has introduced measures such as memory-safe code and Lockdown Mode to strengthen device security. These efforts aim to reduce the attack surface and limit the effectiveness of common exploit techniques.
However, the continued use of older devices and delayed software updates leave a significant portion of users vulnerable to evolving attack methods.
Featured image credits: Wikimedia Commons
For more stories like it, click the +Follow button at the top of this page to follow us.