Challenging the Myth of iOS Security: What DarkSword Means for iPhone Users
- Brent Arnold and Michelle Niazi
- Mar 20
- 3 min read
The idea that iPhones don't get hacked has always been more myth than fact. This month, two exploit kits called DarkSword and Coruna proved it. With hundreds of millions of potentially vulnerable devices and attacks requiring no user interaction whatsoever, the numbers speak for themselves.
What Happened
In mid‑March 2026, researchers at Google’s Threat Intelligence Group, iVerify, and other security partners publicly detailed DarkSword, a powerful iOS exploit kit spreading through compromised websites in Ukraine and beyond. This malware doesn’t require clicking a link or downloading an app. Visiting the wrong website is enough. Once installed, it can extract messages, contacts, location data, account credentials, and even cryptocurrency wallet information, depending on the specific exploit chain and payload used. The entire operation can happen in seconds before the malware quietly removes itself.
DarkSword follows Coruna, which was disclosed on March 3. Coruna exploited 23 vulnerabilities across iOS versions 13.0 through 17.2.1 and is believed to be connected to the same Russian state-sponsored group behind DarkSword.¹ Both exploit kits share infrastructure, highlighting how advanced iOS attacks are becoming more widespread. With a very large share of the global iPhone install base potentially vulnerable.
What This Means
For much of the last decade, many of the most sophisticated iOS exploits were associated with intelligence agencies and high‑end surveillance tools like NSO Group's Pegasus.² That is no longer the case. Criminal groups and financially motivated actors are now working with advanced exploit chains originally developed for government-grade operations, and a secondary ecosystem around these tools is emerging, echoing aspects of ‘ransomware‑as‑a‑service’ models in the Windows world.³
DarkSword’s operators were notably careless, leaving significant portions of their infrastructure and code poorly obfuscated and easy for researchers to study. This suggests they expect a steady supply of new exploits and do not need to hide. The old idea that iPhones are categorically secure is outdated. Today, they are firmly part of the mainstream cybercrime landscape.
What You Can Do
Updating your iPhone immediately is the most important step. Patches for the vulnerabilities exploited by DarkSword and Coruna are included in the latest iOS 26 releases, with emergency updates backported to older supported versions.
Enabling Lockdown Mode is another strong measure for anyone handling sensitive data. Coruna will bail out when it detects Lockdown Mode, making it a meaningful safeguard for professionals in law, finance, journalism, and government.⁴
Being cautious about which websites you visit also matters. Both exploit kits rely on compromised sites to spread, so vigilance is still important.
Why Organizations Should Care
For organizations, these threats go beyond IT. Exposed devices could trigger breach-notification obligations under PIPEDA, GDPR, or applicable US state laws, depending on what data is accessed and the risk of harm to affected individuals. Engaging legal counsel early can help assess exposure, advise on a defensible response, establish attorney-client privilege for investigations, and guide updates to mobile device policies, vendor contracts, and security baselines.
The Bottom Line
Apple’s security architecture remains strong, but only devices that are kept up to date are protected. For individuals, the message is clear: update your iPhone now. For organizations, governance and legal strategies need to reflect this new reality. In today’s landscape, informed counsel is not optional, it is essential.
The era of iPhones being untouchable is over. Staying updated, cautious, and legally prepared is the new baseline for security.
¹ Google Threat Intelligence Group. "Coruna iOS Exploit Kit Uses 23 Exploits Across Five Exploit Chains." The Hacker News, 3 Mar. 2026.
² Citizen Lab. "NSO Group iMessage Zero-Click Exploit Captured in the Wild." The Citizen Lab, 8 Dec. 2025.
³ iVerify. “iVerify Details First Known Mass iOS Attack.” iVerify, 3 Mar. 2026, iverify.io/press-releases/first-known-mass-ios-attack. Accessed 19 Mar. 2026
⁴ “SecurityAffairs, ‘Apple Issues Emergency Fixes for Coruna Flaws in Older iOS Versions,’ 11 March 2026.”