26 Mar 2026, Thu

iPhone Security Assumptions Shattered: Sophisticated Spyware Tools Go Mainstream, Exploiting Older Devices

The long-held belief within the iPhone security community has been that breaching Apple’s robust defenses to develop exploits and uncover vulnerabilities is an arduous, resource-intensive endeavor, typically requiring dedicated teams of highly skilled researchers. This perception led to the common assumption that sophisticated threats like iPhone spyware and zero-day vulnerabilities – flaws unknown to the vendor before exploitation – were rare, reserved for highly targeted and limited attacks, a sentiment echoed by Apple itself. However, recent revelations by cybersecurity researchers from Google, iVerify, and Lookout paint a starkly different picture, exposing broad-scale hacking campaigns that are indiscriminately targeting iPhone users worldwide, particularly those not running the latest iOS software.

In the past month alone, these researchers have meticulously documented the widespread deployment of advanced hacking tools, identified as Coruna and DarkSword. These sophisticated toolkits are being wielded by malicious actors, including Russian intelligence operatives and Chinese cybercriminals, to compromise a vast number of iPhone users. The attackers employ a range of deceptive tactics, such as directing victims to compromised websites or meticulously crafted phishing pages, which then facilitate the potential exfiltration of sensitive personal data from a broad spectrum of unsuspecting individuals. The implications of these findings are profound, suggesting a significant erosion of the perceived invincibility of the iPhone’s security posture, especially for users who have not kept their devices updated.

Adding a critical layer of urgency to this unfolding crisis, elements of these powerful hacking tools have now been publicly leaked online. This alarming development means that the code, once the exclusive domain of state-sponsored actors and sophisticated criminal organizations, is now accessible to anyone with the technical inclination and a desire to exploit it. This democratization of advanced hacking capabilities dramatically lowers the barrier to entry for launching attacks against Apple users, particularly those who remain on older, unpatched versions of iOS. The potential for widespread, opportunistic attacks has escalated significantly, transforming a perceived niche threat into a far more pervasive and accessible danger.

Apple has undeniably made substantial investments in bolstering its security infrastructure, continuously integrating new technologies and development practices to fortify its devices. The introduction of memory-safe code for its latest iPhone models represents a significant step towards mitigating a common class of vulnerabilities. Furthermore, features like Lockdown Mode, specifically designed to counteract potential spyware attacks, underscore Apple’s commitment to protecting its users. The overarching objective has been to enhance the security of modern iPhones and to reinforce the narrative that the iPhone is exceptionally difficult to compromise.

However, this robust security, while impressive on newer devices, has inadvertently created a discernible security dichotomy among iPhone users. A substantial segment of the user base continues to operate older, out-of-date iPhones, which have now become significantly more vulnerable and attractive targets for spyware-wielding adversaries and cybercriminals. This creates a scenario where there are effectively two distinct classes of iPhone security: those operating on the cutting edge and those lagging behind, with vastly different levels of protection.

Users equipped with the latest iPhone models, running the most recent iteration of iOS 26 (released in 2025), benefit from advanced security measures. A prime example is the newly implemented Memory Integrity Enforcement feature. This cutting-edge technology is specifically engineered to thwart memory corruption bugs, which are among the most frequently exploited vulnerabilities in spyware and phone unlocking attacks. Google’s research into DarkSword, for instance, explicitly highlights the tool’s heavy reliance on these very memory corruption bugs, underscoring the effectiveness of Apple’s new defenses against such tactics.

Conversely, a significant portion of the iPhone user base continues to run older software versions, such as iOS 18 or earlier. Because their software is outdated, these devices remain susceptible to memory-corruption exploits and a host of other attacks that have been patched or mitigated in the latest releases. This creates fertile ground for attackers, who can leverage known vulnerabilities that have not been fixed on these older devices, making them significantly easier targets.

The discovery and analysis of Coruna and DarkSword strongly suggest that memory-based attacks will continue to pose a significant threat to users of older iPhones and iPads. These devices, which are not equipped with the advanced memory-safe architectures found in newer models, are inherently more vulnerable to exploitation. This trend points towards a persistent challenge for Apple, as it grapples with supporting a diverse ecosystem of devices with varying security postures.

Experts from iVerify and Lookout, both prominent cybersecurity firms with a commercial interest in mobile device security solutions, assert that the emergence of Coruna and DarkSword may also challenge the long-standing assumption that iPhone hacks are a rare occurrence. Their findings indicate a broader and more pervasive threat landscape than previously understood.

Matthias Frielingsdorf, co-founder of iVerify, articulated this shift in perspective, stating that mobile attacks are now "widespread." While acknowledging that attacks leveraging zero-day exploits against the most up-to-date software will "always be charged at a premium rate," implying their limited use in broad-scale attacks, he emphasized the growing prevalence of less sophisticated, but still highly effective, attack vectors. This suggests a tiered approach to exploitation, where readily available exploits target the less protected masses, while highly advanced, novel exploits are reserved for high-value targets.

Patrick Wardle, a respected Apple security expert, offered further insight into why these attacks might be underestimated. He posited that the rarity or sophistication of iPhone attacks is often misconstrued simply because they are infrequently documented. In reality, Wardle suggests, these attacks may be prevalent but often go unnoticed or unreported, leading to a skewed perception of their frequency and accessibility.

"Calling them ‘highly advanced’ is a bit like calling tanks or missiles advanced," Wardle explained to TechCrunch. "It’s true, but it misses the point. That’s simply the baseline capability at that level, and all (most) nations have them (or can acquire them for the right price)." This analogy highlights that what might be considered "advanced" in the consumer realm is, in fact, a standard toolset for state-level actors and sophisticated criminal enterprises, readily available to those with the resources to acquire them.

Another critical issue brought to light by the Coruna and DarkSword incidents is the existence of a seemingly thriving "second-hand" market for exploits. Justin Albrecht, a principal researcher at Lookout, explained that this market creates a strong financial incentive for exploit developers and individual brokers to profit multiple times from the same exploit. This is particularly true when an initial exploit is patched by Apple. In such scenarios, brokers have a compelling reason to resell the exploit to new buyers before the widespread adoption of the patch makes it obsolete.

"This isn’t a one-time event, but rather a sign of things to come," Albrecht cautioned, underscoring the cyclical and persistent nature of this exploit resale economy. This dynamic ensures a continuous supply of hacking tools, even as Apple works to patch vulnerabilities, creating an ongoing arms race in the cybersecurity domain. The financial incentives within this ecosystem fuel the development and dissemination of new exploits, making it a formidable challenge to stay ahead of malicious actors.

The implications of these leaked tools and the documented broad-scale attacks are far-reaching. They dismantle the comforting narrative of the iPhone’s near-impenetrability for the average user and highlight a critical security divide based on software updates. As these sophisticated tools become more accessible, the responsibility falls increasingly on individual users to ensure their devices are running the latest, most secure versions of iOS to avoid becoming the next victim of these pervasive and evolving threats. The battle for iPhone security has clearly entered a new, more challenging phase, where sophisticated threats are no longer the exclusive domain of elite actors but are becoming increasingly democratized and weaponized against a global user base.
