In an urgent cybersecurity alert issued Wednesday, Apple warned iPhone users worldwide to immediately update their devices to the latest iOS version after independent researchers uncovered two advanced hacking campaigns—nicknamed DarkSword and Coruna—that exploit critical vulnerabilities in older versions of the operating system. The attacks, linked to Russian state-backed hackers and Chinese cybercriminal syndicates, enable deep remote access to compromised devices, allowing threat actors to extract sensitive data such as text messages, call logs, Wi-Fi passwords, browser history, and even health and calendar information. While Apple emphasized that the exploits cannot affect devices running the latest software, the campaigns underscore a growing threat landscape where sophisticated cyber espionage tools are increasingly accessible to both nation-state actors and criminal enterprises.
- Apple is urging all iPhone users to update to iOS 26 or install a critical patch for older devices to block the DarkSword and Coruna spyware campaigns.
- The exploits, detailed by Google, iVerify, and Lookout, enable hackers to gain deep remote access to phones running outdated iOS versions.
- Targeted groups include Ukrainians (by Russian intelligence), Chinese cryptocurrency users, and individuals in Saudi Arabia, Turkey, and Malaysia—though experts warn the tools could be deployed globally.
- Apple released a special update for older devices unable to upgrade to iOS 26 specifically to neutralize these threats.
- Cybersecurity experts describe the proliferation of such tools as a "lowering of the barrier to entry" for devastating mobile attacks, raising concerns about unchecked surveillance and data theft.
How the DarkSword and Coruna Spyware Campaigns Work
The DarkSword and Coruna hacking tools represent a new generation of advanced mobile malware, designed to exploit previously unknown vulnerabilities in iOS—what cybersecurity professionals call "zero-day" flaws. Both tools operate through a technique known as a "watering hole attack," where hackers compromise or create malicious websites that automatically infect visiting devices by exploiting weaknesses in how iPhones process web traffic.
The Exploit Chain: From Initial Compromise to Full Device Takeover
Once a user visits a compromised website, the exploit kit triggers a multi-stage attack. Coruna, for instance, chains together several vulnerabilities to escalate privileges on the device, eventually gaining root access—effectively turning the phone into a surveillance tool controlled by remote operators. DarkSword follows a similar but distinct chain of exploits, allowing attackers to siphon data in real time, including location history, SIM card information, and even encrypted communications stored in apps like Notes or Calendar.
Unlike earlier iPhone malware, which often required user interaction (such as clicking a malicious link), these latest tools can execute automatically, making detection nearly impossible for average users. As John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, noted, "The scary takeaway for regular users is they can’t spot this attack. It’s silent, it’s invisible, and it’s devastating."
“The barrier to entry for widespread, devastating mobile attacks has been decisively lowered. It’s clear this problem is only going to grow.” — John Scott-Railton, Senior Researcher, Citizen Lab
Who Is Behind the Attacks and Who Is Being Targeted
Cybersecurity investigations by Google, iVerify, and Lookout have traced the origins and deployments of these tools to distinct threat actor groups, each with unique objectives. Russian state-backed hackers—linked to the GRU military intelligence agency—have used both Coruna and DarkSword in targeted campaigns against Ukrainian civilians and military personnel, according to iVerify’s findings. These attacks align with broader patterns of Russian cyber operations during the ongoing war in Ukraine, where digital espionage has become a key component of hybrid warfare.
Chinese Cybercriminals Weaponize Coruna for Cryptocurrency Theft
By summer 2024, Chinese cybercriminals had obtained copies of the Coruna exploit kit, repurposing it to target Chinese cryptocurrency users. Google’s Threat Analysis Group reported that hackers created "a very large set of fake Chinese websites mostly related to finance," luring victims into visiting compromised portals where the malware would silently install. The choice of cryptocurrency as a target reflects its anonymity and irreversibility—once stolen, digital assets are nearly impossible to recover, making them a prime objective for financially motivated cybercriminals.
DarkSword Spreads Across Commercial and State-Sponsored Campaigns
While the origin of DarkSword remains unclear, its use has expanded significantly since late 2023. Google observed multiple commercial surveillance vendors—companies that sell hacking tools to governments—deploying DarkSword in distinct campaigns across Ukraine, Malaysia, Saudi Arabia, and Turkey. This proliferation highlights a disturbing trend: the commoditization of advanced surveillance tools, once reserved for elite nation-state actors, is now within reach of smaller cyber mercenary firms and criminal organizations.
Why Outdated iPhones Are at Risk—and How Apple Responded
Apple has long positioned iPhones as among the most secure consumer devices on the market, thanks to its closed ecosystem, stringent app review process, and rapid software patching cadence. However, the effectiveness of these protections hinges entirely on users keeping their devices updated. Devices on older versions of iOS, particularly iOS 15 or earlier, lack the security patches that neutralize the DarkSword and Coruna exploits. As Apple spokesperson Sarah O’Rourke emphasized, "Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices."
Apple’s Emergency Response: iOS 26 and a Special Patch for Older Devices
In response to the revelations, Apple released iOS 26 in September 2024, which includes fixes for the vulnerabilities exploited by DarkSword and Coruna. However, recognizing that many users with older iPhones (such as iPhone 6s or iPhone SE first generation) cannot upgrade to iOS 26 due to hardware limitations, Apple took the unusual step of issuing a dedicated security update last week. This patch specifically blocks the exploit chains used by both spyware tools, providing a critical layer of protection for users who might otherwise remain vulnerable.
The Broader Implications: A New Era of Mobile Surveillance
The emergence of DarkSword and Coruna marks a turning point in mobile cybersecurity. While iPhones have historically been less targeted than Android devices due to Apple’s rigorous security model, the development and deployment of these advanced tools signal a shift. Cybersecurity experts warn that the tools’ availability on underground markets—and their adoption by both state and criminal actors—could democratize mobile surveillance, making such attacks far more common.
The Role of Commercial Surveillance Vendors
Companies like NSO Group have long faced scrutiny for selling Pegasus spyware to governments with poor human rights records. However, a growing ecosystem of smaller firms now offers similar capabilities under the guise of "lawful intercept" tools. These vendors often operate in legal gray areas, selling exploits and spyware to agencies and organizations that may misuse them. The use of DarkSword by multiple commercial providers underscores how this industry has expanded beyond a few high-profile players.
Are Americans at Risk? Experts Warn of Global Reach
To date, there is no public evidence that American iPhone users have been targeted in these specific campaigns. However, cybersecurity researchers caution that the tools are not region-locked. John Scott-Railton of Citizen Lab emphasized that anyone running outdated iOS software—regardless of location—is potentially vulnerable. "It’s not about geography. It’s about software," he said. "If your phone is out of date, it’s a target."
What Users Should Do Immediately to Stay Protected
Apple’s recommendation is clear: update your iPhone now. Users should go to Settings > General > Software Update and install the latest version of iOS. For those with older devices unable to run iOS 26, Apple’s emergency security patch is available via the same update mechanism. Additionally, experts recommend enabling automatic updates to prevent future vulnerabilities from going unpatched.
Additional Security Steps for High-Risk Users
Individuals in professions or regions considered high-risk—such as journalists, activists, or those living in conflict zones—should consider additional precautions. These may include using a virtual private network (VPN) when browsing, avoiding public Wi-Fi networks, and regularly reviewing app permissions. Some security experts also recommend using Apple’s Lockdown Mode, a feature designed to reduce the attack surface for advanced threats.
The Historical Context: Why iPhones Are Now a Prime Target
Apple’s reputation for security stems from its "walled garden" approach: a tightly controlled ecosystem where apps are curated, code is signed, and updates are pushed universally. However, this model is not foolproof. As iPhones have become ubiquitous—with over 1.5 billion active devices globally—they represent a high-value target for both intelligence gathering and financial gain. The shift from focusing on Android to iOS reflects the rising sophistication of attackers and the increasing value of data stored on Apple devices.
Industry Reactions: From Myth to Reality in iPhone Security
The revelation that advanced spyware can compromise iPhones has sent shockwaves through the cybersecurity community. For years, the conventional wisdom held that iPhones were largely immune to such attacks. Rocky Cole, chief operating officer of iVerify, challenged this notion directly. "There’s been this perception in the security community that attacks against iPhones are like mythical beasts—they’re rare," he said. "Nah, we just don’t really have the tools to see these. I have a feeling that it’s more pervasive than people think."
The Future of Mobile Security: Can Apple Keep Up?
As threat actors continue to develop and deploy advanced mobile malware, Apple faces mounting pressure to evolve its security model. The company has historically responded quickly to zero-day disclosures, often patching vulnerabilities within days of public exposure. However, the increasing availability of exploit kits on black markets may force Apple to adopt more proactive measures, such as integrating runtime application self-protection (RASP) or expanding the use of hardware-based security chips like the M-series processors to monitor for anomalous behavior in real time.
Key Takeaways: What You Need to Know
- Apple has issued an urgent warning for all iPhone users to update to the latest iOS version or install a critical security patch, as advanced spyware tools (DarkSword and Coruna) exploit vulnerabilities in older software.
- The campaigns, linked to Russian intelligence and Chinese cybercriminals, enable deep device access, allowing hackers to extract a wide range of sensitive data without user detection.
- While initial targets include Ukrainians, Chinese cryptocurrency users, and individuals in Saudi Arabia, Turkey, and Malaysia, experts warn the tools could be deployed globally against any outdated device.
- Apple released iOS 26 in September 2024 and a special patch for older devices last week to block these specific threats, emphasizing the critical importance of regular software updates.
- Cybersecurity experts describe the proliferation of such tools as a dangerous democratization of mobile surveillance, raising concerns about unchecked espionage and financial theft.
Frequently Asked Questions
- How do I know if my iPhone is vulnerable to DarkSword or Coruna?
  Any iPhone running an outdated version of iOS—particularly iOS 15 or earlier—is at risk. To check your version, go to Settings > General > About > Software Version. If your software is not iOS 26 or the latest security patch, update immediately.
- Can these spyware tools affect newer iPhones?
  No. Apple states that DarkSword and Coruna can only exploit vulnerabilities in older iOS versions. iPhones running iOS 26 or later are protected by default. Ensure automatic updates are enabled to stay secure.
- What kind of data can these hackers access if my phone is compromised?
  According to cybersecurity researchers, the tools can extract text messages, call history, Wi-Fi passwords, browser history, SIM card data, location history, calendar entries, health data, and even notes—granting near-total access to the device.



