
The iPhone is not that invincible: a look at DarkSword and Coruna | Kaspersky official blog

April 24, 2026, 09:00

DarkSword and Coruna are new exploit kits used in invisible attacks on iOS devices. The attacks require no user interaction and are already being used at scale by criminal operators. Before these threats appeared, most iPhone owners did not have to think about spyware at all. Only a few groups did: politicians, activists, diplomats, senior executives and people handling extremely sensitive data, because they could become targets of foreign intelligence services. We have written before about the advanced spyware used against those groups, and about how rarely it was encountered.

DarkSword and Coruna, discovered by researchers earlier this year, change that. These kits are being used for mass infections of ordinary users. In this post we explain why that shift happened, what the tools can do, and how to protect yourself.

What we know about DarkSword and how it can infect your iPhone

In mid-March 2026, three separate research teams coordinated the disclosure of their findings on a new spyware toolkit called DarkSword. It silently compromises devices running iOS 18 without the user noticing that anything is wrong.

First, a clarification: iOS 18 is not as old as it sounds. The current release is iOS 26, but Apple recently changed its version numbering, jumping straight from 18 to 26 so that the number matches the year. Even so, Apple estimates that about a quarter of all active devices still run iOS 18 or earlier.

Back to DarkSword. The research shows that it infects victims when they visit perfectly legitimate websites into which malicious code has been injected. The spyware installs itself without any user interaction: loading a compromised page is enough. This is known as a zero-click infection. Researchers report that thousands of devices have already been infected this way.

To compromise a device, DarkSword uses an exploit chain of six vulnerabilities to escape the browser sandbox, escalate privileges and execute code. Once the device is infected, the malware can collect data including:

  • Passwords
  • Photos
  • Conversations and data from iMessage, WhatsApp and Telegram
  • Browser history
  • Data from Apple's Calendar, Notes and Health apps

DarkSword also harvests cryptocurrency wallet data, making it a dual-purpose tool for espionage and crypto theft.

The only good news is that the spyware does not survive a reboot. DarkSword is fileless: it lives in the device's RAM and never writes itself to the file system. That is also why its operators work in a hit-and-run fashion, exfiltrating quickly and cleaning up; a device can of course be reinfected the next time it loads a compromised page.

Coruna: aimed at older iOS versions

Just two weeks before the DarkSword findings went public, researchers disclosed another iOS threat, named Coruna. It compromises devices running older software, specifically iOS 13 through 17.2.1. Coruna's delivery method is the same as DarkSword's: victims visit a legitimate site injected with malicious code, which then infects their device. The whole process is invisible and requires no user interaction.

A detailed analysis of Coruna's code shows that it exploits 23 distinct iOS vulnerabilities, several of them in Apple's WebKit. Remember that, outside the EU, every iOS browser must use the WebKit engine, so these bugs affect not only Safari users but anyone browsing on an iPhone with a third-party browser.

The latest version of Coruna, like DarkSword, includes modifications designed to drain cryptocurrency wallets. It also collects photos and, in some cases, email data. By all indications, stealing cryptocurrency is the main motive behind Coruna's widespread deployment.

Who created Coruna and DarkSword, and how did they spread?

Code analysis of both tools suggests that Coruna and DarkSword were probably developed by different groups. Both, however, look like the work of government-backed contractors, possibly from the US. That shows in the code quality: these are not kits stitched together from random parts, but uniformly engineered exploits. At some point the tools leaked and ended up in the hands of cybercriminal gangs.

Kaspersky's GReAT experts analyzed all of Coruna's components and confirmed that the exploit kit is an updated version of the framework used in Operation Triangulation, the earlier attack that targeted Kaspersky employees and that we covered in detail on this blog.

One theory is that an employee of the company that developed Coruna sold the malware to hackers. Since then it has been used to drain the crypto wallets of users in China; some experts estimate at least 42,000 infected devices in that country alone.

As for DarkSword, cybercriminals have already used it to infect users in Saudi Arabia, Turkey and Malaysia. Making matters worse, the operators who deployed DarkSword left the complete source code on the infected sites, making it easy for other criminal groups to find and reuse it.

The code also contains detailed comments explaining exactly what each component does, which reinforces the hypothesis that it originated in the West. Those instructions make it easier for other hackers to adapt the tool to their own ends.

How to protect yourself from Coruna and DarkSword

Two powerful exploit kits capable of mass, zero-interaction iPhone infection have fallen into the hands of an essentially unlimited pool of cybercriminals. To be infected by Coruna or DarkSword, all you have to do is visit the wrong site at the wrong time. This is therefore one of those cases where every user, not just those in high-risk groups, needs to take iOS security seriously.

The best thing you can do to protect yourself from Coruna and DarkSword is to update your devices to the latest iOS or iPadOS 26 as soon as possible. If that is not possible (for example, because the device is too old to support iOS 26), still install the newest version available for it: specifically, look for 15.8.7, 16.7.15 or 18.7.7. Apple shipped fixes for several older OS branches, which is rare.

To protect Apple devices from the similar malware that will almost certainly appear in future, we recommend the following:

  • Install updates on all your Apple devices as soon as they are released. Apple regularly publishes OS versions that fix known vulnerabilities. Don't ignore them.
  • Turn on Background Security Improvements. This feature lets the device receive critical security fixes outside of full iOS updates, narrowing the window in which a known vulnerability can be exploited. To enable it, go to Settings > Privacy & Security > Background Security Improvements and turn on Install automatically.
  • Consider using Lockdown Mode. This hardened configuration limits some device features, but it blocks or significantly restricts attacks of this kind. To enable it, go to Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode.
  • Reboot the device once a day (or more often). This kills fileless malware, which is not persisted on the system and disappears on restart.
  • Use encrypted storage for sensitive data. Keep crypto wallet keys, photos of documents and other confidential data in a secure place. Kaspersky Password Manager is one option: it manages passwords, two-factor authentication tokens and passkeys across devices and keeps notes, photos and documents synchronized and encrypted.

The idea that Apple devices are bulletproof is a myth. They are vulnerable to zero-click attacks, Trojans and ClickFix-style infection techniques, and malicious apps have been found on the App Store more than once. Read more here:

Apple Fixes iPhone Bug After FBI Retrieved Signal Messages

April 23, 2026, 12:25

Apple patched an iPhone notification bug that let deleted messages linger in system storage, closing a privacy gap exposed by an FBI Signal case.

The post Apple Fixes iPhone Bug After FBI Retrieved Signal Messages appeared first on TechRepublic.


FBI Extracts Deleted Signal Messages from iPhone Notification Database

April 23, 2026, 08:05

404 Media reports (alternate site):

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

EDITED TO ADD (4/24): Apple has patched this vulnerability.

New Apple Phishing Scam Uses Fake $899 iPhone Purchase Alert

April 22, 2026, 14:20

A spoofed Apple account notification is being used in a new email phishing campaign that claims a fake iPhone purchase.

The post New Apple Phishing Scam Uses Fake $899 iPhone Purchase Alert appeared first on TechRepublic.

Possible US Government iPhone Hacking Tool Leaked

April 2, 2026, 07:05

Wired writes (alternate source):

Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

[…]

Coruna’s code also appears to have been originally written by English-speaking coders, notes iVerify’s cofounder Rocky Cole. “It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” Cole tells WIRED. “This is the first example we’ve seen of very likely US government tools, based on what the code is telling us, spinning out of control and being used by both our adversaries and cybercriminal groups.”

TechCrunch reports that Coruna is definitely of US origin:

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they weren’t authorized to talk about their work for the company.

It’s always super interesting to see what malware looks like when it’s created through a professional software development process. And the TechCrunch article has some speculation as to how the US lost control of it. It seems that an employee of L3Harris’s surveillance tech division, Trenchant, sold it to the Russian government.

Apple Pushes Rare iOS 18 Patch for Devices at Risk from DarkSword Exploit

Apple pushes rare iOS 18 security patch to protect devices at risk from the DarkSword exploit, urging users to update or move to iOS 26 for stronger protection.

Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave

March 30, 2026, 04:34

Russia-linked TA446 is using the DarkSword iOS exploit kit in targeted phishing campaigns to compromise iPhone users.

Russia-linked APT group TA446 (aka SEABORGIUM, ColdRiver, Callisto, and Star Blizzard) is using the DarkSword exploit kit in targeted spear-phishing campaigns against iOS devices. The attacks rely on malicious emails to compromise iPhones, highlighting a growing threat from advanced state-sponsored actors.

TA446 has been active since at least 2017. Its operations involve persistent phishing and credential-theft campaigns that lead to intrusions and data theft. The group primarily targets NATO countries, but experts have also observed campaigns against the Baltic, Nordic and Eastern European regions, including Ukraine.

The group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The APT also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

SEABORGIUM’s campaigns begin with a reconnaissance activity of target individuals, with a focus on identifying their contacts on social networks or the sphere of influence.

Proofpoint researchers have directly observed a phishing campaign attributed with high confidence to TA446. While the group had not previously targeted iCloud accounts or Apple devices, the use of the leaked DarkSword exploit kit now enables attacks against iOS users. Researchers also note that TA446’s activity does not overlap with UNC6353, confirming it as a distinct threat actor.

Malfors researchers also observed a targeted campaign delivering DarkSword RCE (GHOSTBLADE) via fake Atlantic Council “discussion invitation” emails.

Proofpoint has directly observed this email activity and attributes the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit… https://t.co/iXi2fdlsZd

— Threat Insight (@threatinsight) March 27, 2026

On March 26, 2026, Proofpoint observed a surge in emails attributed to Russia-linked TA446, spoofing the Atlantic Council. The campaign showed higher-than-usual activity, previously delivering the MAYBEROBOT backdoor via password-protected ZIP files. In this wave, attackers used links instead of attachments. Analysis led to a benign PDF decoy, likely due to server-side filtering that redirected only iPhone users to the exploit kit, indicating targeted delivery tactics.

“New reports on TA446 using the DarkSword iOS exploit kit were intriguing.” continues Proofpoint. “The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild. A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group’s use of DarkSword.”

Analysis via URLScan confirmed that a TA446-controlled domain was delivering the DarkSword exploit kit, including redirector, loader, RCE, and PAC bypass components. However, the researchers haven’t observed any sandbox escapes in the attacks. The researchers identified additional compromised domains, such as motorbeylimited[.]com and bridetvstreaming[.]org. Notably, only the March 26 campaign spoofing the Atlantic Council has been linked to DarkSword, while earlier TA446 activity showed no use of exploits.

“Proofpoint did not directly observe the iOS exploit kit delivery but believe the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection.” conclude the researchers. “The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set. This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.”
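Two things in the write-up above are checkable from ordinary web or proxy logs: the conditional delivery Proofpoint describes (only iPhone clients are redirected to the exploit kit, everyone else gets the decoy PDF), and whether the iPhones in your own fleet are on the patched builds the Kaspersky post names (15.8.7, 16.7.15, 18.7.7). The script below is an added example, not Proofpoint's, Apple's or Kaspersky's tooling. It fingerprints the iOS build from the Safari User-Agent (the same signal a server-side filter keys on), classifies each client against the affected ranges quoted on this page, flags paths that answer iPhone clients differently from everyone else, and matches redirect targets against the three defanged domains from the article. The TSV log format and the log lines are constructed; the version ranges are copied from the page text and should be re-checked against Apple's advisories before use.

```python
"""Web/proxy log triage for iOS exploit-kit delivery. Added example with a
constructed TSV log; indicator domains and iOS version ranges come from the
articles on this page and must be re-checked against Apple's advisories."""
import re
from collections import defaultdict

# Defanged indicators quoted by Proofpoint, refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "escofiringbijou[.]com", "motorbeylimited[.]com", "bridetvstreaming[.]org")}

# Version data from the page: Coruna hits 13.0-17.2.1, DarkSword 18.4-18.7,
# and Apple's fixes for the old branches shipped as 15.8.7, 16.7.15, 18.7.7.
PATCHED_BUILD = {15: (15, 8, 7), 16: (16, 7, 15), 18: (18, 7, 7)}
CORUNA_RANGE = ((13, 0), (17, 2, 1))
DARKSWORD_MIN = (18, 4)

# iPhone Safari reports the real OS build ("CPU iPhone OS 18_6_2"); iPad Safari
# has sent a desktop Mac UA since iPadOS 13, so iPads are invisible here.
_IOS_UA = re.compile(r"\(iPhone; CPU iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def ios_version(user_agent):
    """Version tuple from an iPhone Safari User-Agent, or None."""
    m = _IOS_UA.search(user_agent)
    return tuple(int(x) for x in m.groups() if x is not None) if m else None


def exposure(v):
    """Map a version tuple onto the classes the page's advice distinguishes."""
    major = v[0]
    if major >= 26:
        return "current"
    if major <= 14:
        return "coruna_unpatchable"      # page: must move to iOS 15 first
    if major in PATCHED_BUILD and v >= PATCHED_BUILD[major]:
        return "patched"
    if CORUNA_RANGE[0] <= v <= CORUNA_RANGE[1]:
        return "coruna_exposed"
    if major == 18 and v >= DARKSWORD_MIN:
        return "darksword_exposed"
    return "outside_listed_ranges"      # e.g. 17.3+ or 18.0-18.3: update anyway


def host_of(url):
    return re.sub(r"^https?://([^/:]+).*$", r"\1", url).lower()


def triage(log_text):
    """Constructed TSV columns: client_ip, path, status, location, user_agent."""
    exposed, ioc_hits = {}, []
    by_path = defaultdict(lambda: {"iphone": set(), "other": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, path, status, location, ua = line.split("\t")
        v = ios_version(ua)
        if v:
            exposed[ip] = exposure(v)
        target = host_of(location) if location != "-" else "-"
        by_path[path]["iphone" if v else "other"].add((status, target))
        if target in IOC_DOMAINS:
            ioc_hits.append((ip, target))
    # Cloaking: a path where iPhone clients got an answer no other client got.
    cloaked = sorted(p for p, b in by_path.items()
                     if b["other"] and b["iphone"] - b["other"])
    return {"exposure": exposed, "cloaked_paths": cloaked, "ioc_hits": ioc_hits}


# Constructed sample: a lure path that redirects only iPhone clients to the
# second-stage host named in the article, while everyone else gets the decoy.
_UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS {} like Mac OS X) "
              "AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1")
_UA_DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
               "AppleWebKit/537.36 Chrome/124.0 Safari/537.36")
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("10.0.0.5", "/discussion-invitation", "302", "https://escofiringbijou.com/x", _UA_IPHONE.format("18_6_2")),
    ("10.0.0.6", "/discussion-invitation", "200", "-", _UA_IPHONE.format("18_7_7")),
    ("10.0.0.7", "/discussion-invitation", "200", "-", _UA_DESKTOP),
    ("10.0.0.8", "/discussion-invitation", "302", "https://escofiringbijou.com/x", _UA_IPHONE.format("16_7_10")),
    ("10.0.0.9", "/about", "200", "-", _UA_IPHONE.format("26_1")),
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, `triage(SAMPLE_LOG)` reports 10.0.0.5 as DarkSword-exposed, 10.0.0.8 as Coruna-exposed, 10.0.0.6 and 10.0.0.9 as patched/current, flags `/discussion-invitation` as cloaked, and lists the two redirects to the refanged indicator domain. The cloaking rule deliberately compares iPhone responses against the set of responses other clients received, so a patched iPhone that was served the decoy does not hide the redirect given to the vulnerable ones.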

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TA446)

TA446 Uses DarkSword Exploit Kit to Target iPhone Users

TA446, a Russia-linked espionage group, has started using the DarkSword exploit kit to compromise iOS devices in a new phishing wave that abuses Atlantic Council‑themed lures. The campaign underscores how quickly leaked iOS exploit chains can be weaponized against high‑value policy and government targets. Unlike earlier TA446 operations that relied on password‑protected ZIP attachments delivering […]

The post TA446 Uses DarkSword Exploit Kit to Target iPhone Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


Coruna exploit reveals evolution of Triangulation iOS exploitation framework

March 26, 2026, 16:12

Kaspersky found Coruna iOS exploits reuse updated code from the 2023 Operation Triangulation attacks, suggesting a possible link.

Kaspersky researchers discovered that the Coruna iOS exploit kit uses an updated version of the same kernel exploit seen in the 2023 Operation Triangulation campaign. While early evidence didn’t clearly link the two, the code similarities now suggest a possible connection between them, though shared vulnerabilities alone don’t definitively prove the same actors are behind both attacks.

In early March, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1. The kit includes five full exploit chains and a total of 23 exploits.

While highly capable against iPhones running iOS 13.0 through 17.2.1, Coruna is ineffective against the latest iOS release, according to Google.

GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits. Multiple threat actors now reuse and adapt these advanced techniques for new vulnerabilities.

Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.

Analysis shows the Coruna exploit kit uses several patched vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, two flaws first seen as zero-days in the Operation Triangulation iOS campaign. While details of these bugs are now public, Kaspersky found Coruna’s kernel exploit is an updated version of the one used in that earlier attack.

Researchers were able to collect and analyze Coruna components, confirming strong code similarities. The kit also includes four additional kernel exploits, some developed after Triangulation, all built on the same framework.

These findings suggest Coruna is not a mix of reused parts but a more advanced evolution of the same exploitation framework behind Operation Triangulation.

“These findings led us to conclude that this exploit kit was not patchworked but rather designed with a unified approach.” reads the report published by Kaspersky. “We assume that it’s an updated version of the same exploitation framework that was used — at least to some extent — in Operation Triangulation.”

The Coruna exploit chain starts with a Safari-based stager that identifies the target device and selects suitable exploits based on browser version. It includes a link and key to download encrypted components.

The payload then decrypts and processes multiple layers of data using ChaCha20 and LZMA compression, revealing structured containers that store files and instructions. These define which exploits, loaders, and malware components to fetch, depending on device type, CPU, and iOS version.

Coruna supports multiple package types, including kernel exploits, loaders, and implants, tailored for different architectures and firmware versions. Once all components are retrieved, the payload executes kernel exploits, loads malware, and launches the attack, adapting dynamically to the target environment for maximum effectiveness.
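To make the delivery pipeline just described concrete, here is a small model of it in Python: a manifest of packages is LZMA-compressed and then ChaCha20-encrypted, and the receiving side peels the layers back and keeps only the packages whose CPU architecture and iOS range match the device fingerprint. That is also the shape of the decryptor an analyst writes once the key and download link have been pulled out of the stager. This is an added example, not Coruna code: the container header, field names, package names and version ranges are constructed assumptions, and only the ChaCha20 core (implemented per RFC 8439) is standard.

```python
"""Model of a layered stage container: JSON manifest -> LZMA -> ChaCha20,
then device-fingerprint filtering on the receiving side. Added example; the
container layout and package data are constructed, not Coruna's real format."""
import json
import lzma
import os
import struct

MAGIC = b"CTN1"  # assumed header tag for this toy container


def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _qr(s, a, b, c, d):
    """ChaCha quarter round on state words a, b, c, d (RFC 8439 section 2.1)."""
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (32-byte key, 12-byte nonce), RFC 8439 section 2.3."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state += [counter, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column+diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Keystream XOR: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def version(s):
    """'17.2.1' -> (17, 2, 1); tuples compare the way iOS builds order."""
    return tuple(int(p) for p in s.split("."))


def build_container(key, packages, nonce=None):
    """Sender side: JSON manifest -> LZMA -> ChaCha20, prefixed by magic and nonce."""
    nonce = nonce or os.urandom(12)
    plain = lzma.compress(json.dumps(packages).encode())
    return MAGIC + nonce + chacha20_xor(key, nonce, plain)


def open_container(key, blob):
    """Receiver/analyst side: peel the layers back to the package list."""
    if blob[:4] != MAGIC:
        raise ValueError("not a CTN1 container")
    nonce, body = blob[4:16], blob[16:]
    return json.loads(lzma.decompress(chacha20_xor(key, nonce, body)))


def select_packages(packages, fingerprint):
    """Keep only packages whose CPU arch and iOS range match the device."""
    v = version(fingerprint["ios"])
    return [p for p in packages
            if p["arch"] == fingerprint["arch"]
            and version(p["min_ios"]) <= v <= version(p["max_ios"])]


# Constructed manifest; names and ranges are illustrative, not Coruna's.
SAMPLE_PACKAGES = [
    {"type": "kernel_exploit", "name": "ke_a", "arch": "arm64e",
     "min_ios": "16.0", "max_ios": "17.2.1", "blob": "00"},
    {"type": "kernel_exploit", "name": "ke_b", "arch": "arm64",
     "min_ios": "13.0", "max_ios": "15.8", "blob": "00"},
    {"type": "implant", "name": "imp", "arch": "arm64e",
     "min_ios": "13.0", "max_ios": "17.2.1", "blob": "00"},
]
SAMPLE_KEY = bytes(range(32))  # fixed test key, obviously not secret


def demo(ios="17.1", arch="arm64e"):
    """Round-trip the sample manifest and return the package names selected."""
    blob = build_container(SAMPLE_KEY, SAMPLE_PACKAGES)
    chosen = select_packages(open_container(SAMPLE_KEY, blob), {"ios": ios, "arch": arch})
    return [p["name"] for p in chosen]


if __name__ == "__main__":
    print(demo())         # ['ke_a', 'imp']
    print(demo("18.0"))   # []
```

The point of the version tuple comparison is that it behaves the way the stager's own checks must: a device on 17.1 with an arm64e CPU receives the kernel exploit and the implant, while a device on 18.0 receives nothing, which is the same "ineffective against the latest release" behaviour Google describes. In a real capture the key and nonce are recovered from the JavaScript stager rather than being known in advance.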

Researchers analyzed five kernel exploits in Coruna and found one is an updated version of the exploit used in Operation Triangulation. The newer code improves compatibility by checking more XNU version details, supporting newer iOS versions (up to 17.2), and recognizing recent Apple chips like A17 and M3. Although the original vulnerabilities were patched earlier, these checks were added to support newer exploits built on the same shared framework.

“Why does the exploit need to check for iOS 17.2 and newer CPUs if the targeted vulnerabilities were fixed in iOS 16.5 beta 4? The answer can be found by examining other exploits: they are all based on the same source code.” continues the report. “The only difference is in the vulnerabilities they exploit, so these checks were added to support the newer exploits and appeared in the older version after recompilation.”

The launcher handles post-exploitation tasks. Instead of re-running the exploit, it reuses existing kernel access created earlier to read and write memory. It removes traces of the attack, selects a target process, injects a stager, and executes it to deploy the final malware. This streamlined approach makes the attack more efficient and stealthy once initial access is gained.

“Originally developed for cyber-espionage purposes, this framework is now being used by cybercriminals of a broader kind, placing millions of users with unpatched devices at risk.” concludes the report. “Given its modular design and ease of reuse, we expect that other threat actors will begin incorporating it into their attacks. We strongly recommend that users install the latest security updates as soon as possible, if they have not already done so.”

In mid-March, Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors. The toolkit enables full-chain attacks to steal sensitive data from Apple devices and has been observed in campaigns targeting countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine.

DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets. It allows attackers to steal sensitive data, including credentials and crypto wallet information, then quickly exfiltrates it in a “hit-and-run” approach before cleaning traces.

The exploits appear to be related to Coruna's. DarkSword gives attackers near-full device access with minimal user interaction, showing how advanced exploits are now available on a secondary market to a wider range of threat actors.


Pierluigi Paganini

(SecurityAffairs – hacking, Coruna)

DarkSword Exploit Chain Leaked Online, Posing Risk to Millions of iPhones

Security researchers have confirmed that the sophisticated iOS exploit chain known as DarkSword is now accessible outside of its original threat actor groups. Recently, security researcher @matteyeux successfully achieved kernel read/write access on an iPad mini 6th generation running iOS 18.6.2 using the in-the-wild DarkSword exploit. This development demonstrates that the exploit kit is highly […]

The post DarkSword Exploit Chain Leaked Online, Posing Risk to Millions of iPhones appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

March 20, 2026, 08:22

Apple warns that outdated iPhones are vulnerable to Coruna and DarkSword exploit kits and urges users to update iOS.

Apple has warned that iPhones running outdated iOS versions are at risk from exploit kits like Coruna and DarkSword. These attacks use malicious web content to trigger infection chains that can steal sensitive data. Users are strongly advised to update their devices to stay protected.

“Security researchers recently identified web-based attacks that target out-of-date versions of iOS through malicious web content. For example, if you’re using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen.” reads Apple’s advisory. “We thoroughly investigated these issues as they were found and released software updates as quickly as possible for the most recent operating system versions to address vulnerabilities and disrupt such attacks.”

Keeping the iPhone updated is the most effective way to stay protected from threats like Coruna and DarkSword. Devices running the latest iOS versions are not vulnerable, and Lockdown Mode also blocks these attacks, even on older systems, though updates are still strongly recommended.

If your iPhone runs an older iOS version, take action:

  • Devices on iOS 15 to iOS 26 are already protected if fully updated
  • Apple released updates on March 11, 2026, to extend protection to iOS 15 and 16 devices
  • Devices on iOS 13 or 14 must upgrade to iOS 15 and install a Critical Security Update
  • Safari’s Safe Browsing feature helps block known malicious domains by default

Updating ensures user data remains secure.

In February, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1. The kit includes five full exploit chains and a total of 23 exploits.

Codename        CVE               Type
buffout         CVE-2021-30952    WebContent R/W
jacurutu        CVE-2022-48503    WebContent R/W
bluebird        No CVE            WebContent R/W
terrorbird      CVE-2023-43000    WebContent R/W
cassowary       CVE-2024-23222    WebContent R/W
breezy          No CVE            WebContent PAC bypass
breezy15        No CVE            WebContent PAC bypass
seedbell        No CVE            WebContent PAC bypass
seedbell_16_6   No CVE            WebContent PAC bypass
seedbell_17     No CVE            WebContent PAC bypass
IronLoader      CVE-2023-32409    WebContent sandbox escape
NeuronLoader    No CVE            WebContent sandbox escape
Neutron         CVE-2020-27932    PE
Dynamo          CVE-2020-27950    PE (infoleak)
Pendulum        No CVE            PE
Photon          CVE-2023-32434    PE
Parallax        CVE-2023-41974    PE
Gruber          No CVE            PE
Quark           No CVE            PPL bypass
Gallium         CVE-2023-38606    PPL bypass
Carbone         No CVE            PPL bypass
Sparrow         CVE-2024-23225    PPL bypass
Rocket          CVE-2024-23296    PPL bypass

While highly capable against iPhones running iOS 13.0 through 17.2.1, Coruna is ineffective against the latest iOS release, according to Google.

GTIG tracked the use of the kit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by the Chinese financially motivated threat actor UNC6691, showing an active market for “second-hand” zero-day exploits. Multiple threat actors now reuse and adapt these advanced techniques for new vulnerabilities.

GTIG shared the findings to raise awareness and protect users, adding identified domains to Safe Browsing.

Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.

“In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company.” reads the report published by GTIG. “The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques.”

“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.”  

The framework uses fingerprinting to detect device type and iOS version, then loads the appropriate WebKit RCE exploit and pointer authentication bypass. One recovered exploit, CVE-2024-23222, was later patched in iOS 17.3.

Government-backed attackers used the same framework in Ukrainian watering hole attacks, delivering multiple RCE exploits to select iPhone users. Later, Chinese scam websites deployed the full Coruna kit, dropping the same exploits via hidden iframes on fake financial and crypto sites. GTIG collected hundreds of samples covering all five exploit chains and observed debug versions exposing internal exploit names, confirming the kit’s internal name as Coruna.
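The hidden iframe is the one part of this delivery pattern a site owner can look for directly. The following is an added example, not code from GTIG, Lookout or the kits themselves: a stdlib-only Python scanner that flags iframes hidden by inline CSS, by a zero-pixel size or by the hidden attribute, and marks those whose src points at a host other than the page's own, which is the watering-hole shape (compromised site, attacker-hosted loader). The sample page and the attacker hostname are constructed for the example; the visibility heuristics are assumptions about how such frames are hidden, not markup taken from the kits.

```python
"""Flag hidden <iframe> elements of the kind used to inject exploit-kit
loaders into compromised or scam sites.

Added example, not code from GTIG, Lookout or the kits.  The sample page
and the attacker hostname are constructed; the visibility heuristics are
assumptions about how such frames are typically hidden."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline CSS that makes a frame invisible without removing it from the DOM.
_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)


def _tiny(value):
    """True for width/height attribute values of 0 or 1 (pixels)."""
    m = re.match(r"^\s*(\d+)(?:px)?\s*$", value or "")
    return bool(m) and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        reasons = []
        if _HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if "hidden" in a:
            reasons.append("hidden-attr")
        if not reasons:
            return
        src = a.get("src", "")
        host = urlparse(src).hostname
        self.findings.append({
            "src": src,
            "reasons": reasons,
            # A hidden frame pulling content from another host is the
            # watering-hole shape: the site is compromised, the loader is not on it.
            "external": host is not None and host != self.page_host,
        })


def find_hidden_iframes(html, page_host=None):
    """Return hidden iframes found in `html`, each with why it was flagged
    and whether its src points off the page's own host."""
    p = _IframeCollector(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a legitimate visible embed, an injected invisible frame
# pointing at an attacker-controlled host (fictional .test domain), and a
# zero-sized same-origin frame.
SAMPLE_HTML = """<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="https://cdn.example-attacker.test/fp/" style="display:none;"></iframe>
<iframe src="/stats" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, page_host="gov.example.test"):
        flag = "EXTERNAL" if f["external"] else "local   "
        print(flag, f["src"], ",".join(f["reasons"]))
```

Run it over pages fetched from your own site (or from a crawler's archive) and review every external hit by hand; a zero-size same-origin frame is usually analytics, while a hidden frame to an unfamiliar host deserves the full page source and the server-side templates to be checked for the injection point.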

The Coruna exploit kit relies on a highly engineered framework that links all components through shared utilities and custom loaders. It avoids devices in Lockdown Mode or private browsing, derives resource URLs from a hard-coded cookie, and delivers WebKit RCE and PAC bypasses in clear form. After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions. In total, the kit includes 23 exploits covering iOS 13 through 17.2.1, with advanced mitigation bypasses and reusable modules for defeating memory and kernel protections.

At the end of the chain, a stager called PlasmaLoader injects into a root daemon and deploys a financially focused payload.

The malware scans for crypto wallets, backup phrases, and banking data, exfiltrating sensitive information and loading additional modules from command-and-control servers. It targets numerous cryptocurrency apps, uses encrypted communications, and falls back on a custom domain generation algorithm seeded with “lazarus” to keep reaching its C2 infrastructure when the primary servers are unavailable.

Google published Indicators of Compromise (IOCs) and Yara rules for this exploit.

Recently, Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors. The toolkit enables full-chain attacks to steal sensitive data from Apple devices and has been observed in campaigns targeting countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine.

The exploit chain relies on six vulnerabilities, three used as zero-days, to achieve full device compromise:

  • CVE-2025-31277 – JavaScriptCore memory corruption (CVSS: 8.8)
  • CVE-2026-20700 – dyld PAC bypass (CVSS: 8.6, zero-day)
  • CVE-2025-43529 – JavaScriptCore memory corruption (CVSS: 8.8, zero-day)
  • CVE-2025-14174 – ANGLE memory corruption (CVSS: 8.8, zero-day)
  • CVE-2025-43510 – iOS kernel memory issue (CVSS: 8.6)
  • CVE-2025-43520 – iOS kernel memory corruption (CVSS: 8.6)

Together, these flaws enable full-chain exploitation and complete control of targeted iOS devices.

DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets. It allows attackers to steal sensitive data, including credentials and crypto wallet information, then quickly exfiltrates it in a “hit-and-run” approach before cleaning traces.

The exploits appear to be linked to those used by Coruna. DarkSword gives near-full device access with no user interaction beyond visiting a page, showing how advanced exploits are now available on a secondary market to a wider range of threat actors.

“DarkSword aims to extract an extensive set of personal information including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor.” reads the report published by Lookout. “Notably, DarkSword appears to take a “hit-and-run” approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes followed by cleanup.”

Researchers investigating Coruna uncovered related infrastructure linked to the suspected Russia-linked actor UNC6353, including a similar domain used in attacks on compromised Ukrainian sites, even government ones. Malicious iframes loaded scripts to fingerprint devices and target specific iOS versions. Further analysis revealed a new exploit chain, later named DarkSword, discovered in late 2025 through joint research by Lookout, iVerify, and Google, confirming a distinct and evolving threat.

While it initially appeared that this may be another site distributing Coruna, upon closer inspection our researchers found that the iframe loads a JavaScript file called rce_loader.js, which is largely responsible for fingerprinting devices visiting the compromised site in order to determine whether to route the devices to the iOS exploit chain. However, the script was looking for iOS devices with OS versions 18.4 or 18.6.2, which are iOS versions that are not susceptible to the exploit chains used in Coruna.

[Figure: an excerpt from rce_loader.js showing that devices with specific iOS versions are routed to different scripts for exploitation based on the version. Source: Lookout report]
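Both kits gate on the visitor's iOS build before doing anything: Coruna on 13.0 through 17.2.1, and DarkSword's rce_loader.js on 18.4 and 18.6.2, with 18.4 through 18.7 as the overall target range. A quick fleet check is therefore to classify the iOS versions seen in proxy or web-server logs against those same ranges. The block below is an added example, not code from Apple, GTIG or Lookout; the log lines are constructed, and treating every 18.7.x point release as inside DarkSword's range is an assumption (the article gives the bound as 18.7), so confirm exact fixed builds against Apple's advisory.

```python
"""Triage User-Agent strings from proxy or web-server logs for iOS builds
inside the version ranges the article gives for each kit:
Coruna 13.0-17.2.1, DarkSword 18.4-18.7.

Added example, not code from Apple, GTIG or Lookout.  The log lines are
constructed; treating every 18.7.x point release as inside DarkSword's
range is an assumption made here."""
import re
from collections import Counter

# Safari on iOS reports "CPU iPhone OS 17_2_1", iPadOS reports "CPU OS 17_2".
_IOS_UA = re.compile(r"\b(?:iPhone OS|CPU OS) (\d+)_(\d+)(?:_(\d+))?")

# Inclusive (major, minor, patch) bounds per kit, from the article's ranges.
KIT_RANGES = {
    "Coruna": ((13, 0, 0), (17, 2, 1)),
    "DarkSword": ((18, 4, 0), (18, 7, 999)),  # assumption: all 18.7.x in range
}


def parse_ios_version(user_agent):
    """Return (major, minor, patch) from an iOS/iPadOS UA, or None if not iOS."""
    m = _IOS_UA.search(user_agent or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def exposure(version):
    """Kits whose reported range covers `version`.  Tuple comparison keeps
    17.3 outside Coruna's range while 17.2.1 stays inside it."""
    return [kit for kit, (lo, hi) in KIT_RANGES.items() if lo <= version <= hi]


def classify_ua(user_agent):
    v = parse_ios_version(user_agent)
    if v is None:
        return "not-ios"
    kits = exposure(v)
    return "+".join(kits) if kits else "outside-known-kit-ranges"


def triage_log(lines):
    """Count log lines per class; the UA is the last double-quoted field
    of a combined-format access log line."""
    counts = Counter()
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)
        ua = quoted[-1] if quoted else ""
        counts[classify_ua(ua)] += 1
    return counts


def _ua(ios):
    """Build a realistic Mobile Safari UA for an iOS build such as '17_2_1'."""
    return (f"Mozilla/5.0 (iPhone; CPU iPhone OS {ios} like Mac OS X) "
            f"AppleWebKit/605.1.15 (KHTML, like Gecko) "
            f"Version/{'.'.join(ios.split('_')[:2])} Mobile/15E148 Safari/604.1")


def _line(n, ua):
    return (f'203.0.113.{n} - - [20/Mar/2026:08:22:00 +0000] '
            f'"GET /news HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed access-log sample covering the boundary cases.
SAMPLE_LOG = [
    _line(1, _ua("17_2_1")),  # last build inside Coruna's range
    _line(2, _ua("17_3")),    # first build with CVE-2024-23222 fixed
    _line(3, _ua("18_6_2")),  # one of the versions rce_loader.js looks for
    _line(4, _ua("18_7_2")),  # 18.7.x, in range only by the assumption above
    _line(5, _ua("12_5_7")),  # below both kits' ranges
    _line(6, _ua("26_1")),    # current major, outside both ranges
    _line(7, "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36"),
]

if __name__ == "__main__":
    for cls, n in sorted(triage_log(SAMPLE_LOG).items()):
        print(f"{cls:25s} {n}")
```

Two caveats a practitioner should keep in mind: a User-Agent is self-reported, so a device can claim any build, and neither Lockdown Mode nor private browsing (both of which Coruna avoids) is visible in the UA, so a hit in the "Coruna" or "DarkSword" bucket means "update this device", not "this device was exploited".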

Recognizing that this was a new threat, our researchers analyzed the code and began capturing all of the stages of the exploits. 

According to Lookout, the actor behind the exploit, UNC6353, remains a largely unknown group but has used advanced iOS exploit chains in watering hole attacks on Ukrainian websites. Likely well-funded, it appears to rely on third-party or brokered exploits, possibly linked to Russian ecosystems. The group targets both intelligence and financial data, including crypto assets, suggesting dual motives.

Its infrastructure is limited but shows deep access to compromised sites. Poor obfuscation and signs of AI-assisted code suggest limited in-house expertise. Overall, UNC6353 is assessed as a capable yet not highly sophisticated actor, potentially a Russia-aligned proxy blending espionage with cybercrime.

Google GTIG experts found multiple actors using DarkSword since November 2025, and believes other surveillance vendors or threat groups are likely using the exploit chain as well.

“The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation.” concludes GTIG.


Pierluigi Paganini

(SecurityAffairs – hacking, exploit kits)
