Apple: Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

Apple Warns of Active iOS Exploit Kits Coruna and DarkSword, Urges Immediate Updates

Apple has issued a security advisory warning iPhone users of two advanced exploit kits, Coruna and DarkSword, targeting outdated iOS versions. These attacks leverage malicious web content to steal sensitive data, including credentials and cryptocurrency wallet information, through full-chain exploits.

Coruna Exploit Kit: A Highly Engineered Threat

Discovered by Google’s Threat Intelligence Group (GTIG) in February 2025, Coruna (also known as CryptoWaters) is a sophisticated iOS exploit kit containing 23 exploits across five full chains, targeting iPhones running iOS 13.0 through 17.2.1. The kit employs WebKit remote code execution (RCE), pointer authentication (PAC) bypasses, and sandbox escapes, with some exploits using non-public techniques to bypass mitigations.

Key details:

  • Initial detection: February 2025, linked to a surveillance vendor’s customer.
  • Attack vectors: Malicious links, compromised websites, and watering hole attacks (e.g., Ukrainian government sites).
  • Threat actors: Used by UNC6353 (Ukrainian watering hole campaigns), UNC6691 (Chinese financial threat actor), and surveillance vendors.
  • Post-exploitation: Deploys PlasmaLoader, a stager that scans for crypto wallets, banking data, and backup phrases, exfiltrating data via encrypted C2 servers.
  • Evasion: Avoids devices in Lockdown Mode or private browsing; uses domain generation algorithms (DGA) seeded with "lazarus" for persistence.

Apple patched the vulnerabilities in March 2026, extending protection to iOS 15 and 16 via a Critical Security Update. Devices on iOS 13 or 14 must upgrade to iOS 15+ to mitigate risks.

DarkSword: A New, Aggressive iOS Exploit Chain

Identified by Lookout Threat Labs in late 2025, DarkSword is a zero-day-heavy exploit kit targeting iOS 18.4–18.7, used in campaigns against Saudi Arabia, Turkey, Malaysia, and Ukraine. The kit relies on six vulnerabilities, including three zero-days, to achieve full device compromise with minimal user interaction.

Key details:

  • Vulnerabilities exploited:
    • CVE-2025-31277 (JavaScriptCore memory corruption, CVSS 8.8)
    • CVE-2026-20700 (dyld PAC bypass, CVSS 8.6, zero-day)
    • CVE-2025-43529 (JavaScriptCore memory corruption, CVSS 8.8, zero-day)
    • CVE-2025-14174 (ANGLE memory corruption, CVSS 8.8, zero-day)
    • CVE-2025-43510 & CVE-2025-43520 (iOS kernel memory issues, CVSS 8.6)
  • Attackers: Linked to UNC6353, a suspected Russian-aligned group targeting Ukrainian sites; also used by surveillance vendors and nation-state actors.
  • Tactics: "Hit-and-run" exfiltration steals data within seconds to minutes, then cleans traces.
  • Targets: Crypto wallets, credentials, and financial data; observed on fake financial/crypto sites via hidden iframes.
  • Infrastructure: Poor obfuscation and AI-assisted code suggest reliance on third-party exploits, possibly from Russian ecosystems.

Apple’s Response and Mitigations

Apple released emergency patches on March 11, 2026, addressing the vulnerabilities in iOS 15–18. Key protections:

  • Latest iOS versions are immune to both exploit kits.
  • Lockdown Mode blocks attacks, even on older systems.
  • Safari’s Safe Browsing blocks known malicious domains by default.
  • iOS 13/14 users must upgrade to iOS 15+ and apply the Critical Security Update.

Broader Implications

The emergence of Coruna and DarkSword highlights:

  • Exploit proliferation: Advanced iOS exploits are now commoditized, reused by multiple threat actors (surveillance vendors, nation-states, cybercriminals).
  • Financial and espionage motives: Actors blend crypto theft with intelligence gathering (e.g., UNC6353’s dual targeting).
  • Secondary exploit markets: Zero-days are brokered and repurposed, extending their lifespan beyond initial discovery.

Google and Lookout have published Indicators of Compromise (IOCs) and YARA rules to aid detection. The incidents underscore the critical need for timely iOS updates to counter evolving threats.

Source: https://securityaffairs.com/189716/security/apple-urges-iphone-users-to-update-as-coruna-and-darksword-exploit-kits-emerge.html

Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
