Inside Coruna & DarkSword: How Elite iPhone Exploit Kits Went Commercial
Google’s threat intelligence team has spent the past year tracking two sophisticated iOS exploit kits as they migrated from surveillance-vendor exclusives to tools of state-sponsored hackers and financially motivated criminal gangs — a troubling new chapter in the commoditization of mobile zero-days.
For most of 2025, an iOS exploit kit of unusual sophistication moved quietly through the global threat landscape — shifting hands from a commercial surveillance vendor to a suspected Russian intelligence group, and then to a financially motivated criminal operation targeting cryptocurrency users. Google’s Threat Intelligence Group (GTIG) has now publicly documented the entire trail, offering a rare and unsettling window into how elite mobile attack capabilities filter down from intelligence agencies to common cybercriminals.
The kit, named Coruna after an internal code name accidentally exposed in a debug deployment, contains 23 distinct exploits spanning five complete attack chains. It targets iPhones running iOS 13.0 through iOS 17.2.1 — a range covering devices released from September 2019 through December 2023. GTIG describes it as among the most technically accomplished iOS toolkits ever recovered, featuring extensive English-language documentation and exploitation techniques not previously seen in public research.
Just weeks after GTIG published its findings on Coruna, the group — alongside mobile security firms Lookout and iVerify — disclosed a second, separate iOS exploit kit named DarkSword. That kit targets newer devices running iOS 18.4 through 18.7, uses six vulnerabilities including three zero-days, and has already been deployed by multiple distinct threat actors across Saudi Arabia, Turkey, Malaysia, and Ukraine. The back-to-back disclosures represent the most significant public exposure of iOS exploitation infrastructure in recent memory.
[Infographic: Coruna, 23 exploits (iOS 13.0 – 17.2.1); DarkSword, 6 vulnerabilities incl. 3 zero-days (iOS 18.4 – 18.7)]
The Coruna Exploit Kit
How the attack works
Coruna is a browser-based attack requiring no interaction beyond a page load. When an iPhone user visits a compromised or malicious website, a hidden iframe silently injects a JavaScript framework that first fingerprints the device, collecting model and iOS version information. Based on those results, the framework selects and delivers the appropriate WebKit Remote Code Execution (RCE) exploit from its arsenal.
One of the kit’s core vulnerabilities is CVE-2024-23222, a WebKit flaw that Apple patched in iOS 17.3 in January 2024 — but which remained potent against the large installed base of unpatched devices. The exploit chain then proceeds through a Pointer Authentication Code (PAC) bypass, a sandbox escape, and kernel-level privilege escalation, ultimately deploying a loader binary called PlasmaLoader (tracked by GTIG as PLASMAGRID). PlasmaLoader injects itself into powerd, a system daemon that runs as root, granting the attacker deep, persistent system access.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.”
— Google Threat Intelligence Group (GTIG)
The kit is also operationally disciplined: it terminates execution if it detects the device is in Lockdown Mode or if the user is browsing in a private tab — a design choice suggesting it was engineered to minimize forensic footprint.
- CVE-2024-23222: WebKit type confusion; patched in iOS 17.3 (Jan. 2024)
- CVE-2022-48503: WebKit vulnerability used in multi-stage chains
- CVE-2023-43000: Use-after-free in WebKit; Apple added it to release notes only in Nov. 2025
- Photon / Gallium: Internal names; exploit vulnerabilities previously linked to Operation Triangulation (2023)
The proliferation trail: from spy tool to scam kit
What makes Coruna historically significant is not just its technical capability, but the documented path it traveled across three distinct categories of threat actor over the course of a single year.
Commercial Surveillance Vendor Customer: GTIG first recovered an iOS exploit chain used by a customer of an unnamed surveillance vendor. The attack relied on a previously unseen JavaScript fingerprinting framework, suggesting the kit was, at this stage, a premium commercial product sold to high-budget clients.
UNC6353 — Suspected Russian Espionage Group: The same JavaScript framework surfaced on a network of compromised Ukrainian websites, ranging from industrial equipment suppliers to local retail services. It was delivered only to selected iPhone users from specific geolocations, indicating targeted espionage. GTIG worked with CERT-UA to remediate the affected sites.
UNC6691 — Financially Motivated, China-Linked: The complete kit was retrieved from a large network of fake Chinese financial and cryptocurrency websites designed to lure iPhone users. One site impersonated the WEEX crypto exchange. Unlike prior campaigns, this deployment had no geolocation restrictions — it targeted any qualifying iOS device worldwide.
GTIG assessed that this progression “suggests an active market for ‘second hand’ zero-day exploits,” where advanced techniques are resold and redeployed by actors with varying levels of sophistication and motivation. The transition from espionage to mass financial fraud within a single calendar year is, researchers noted, a new milestone in the commoditization of mobile attack capabilities.
DarkSword: The Sequel
Just weeks after GTIG published its Coruna findings, coordinated research from GTIG, Lookout, and iVerify disclosed a second, distinct iOS full-chain exploit kit. Its name — DarkSword — was found verbatim in the malware’s own source code: const TAG = "DarkSword-WIFI-DUMP". The discovery of two major iOS exploit kits within a single month stunned the mobile security community.
DarkSword targets newer devices: iPhones running iOS 18.4 through 18.7. It chains six vulnerabilities — three of which were exploited as zero-days before Apple issued patches — to achieve full device compromise. GTIG has tracked its use since at least November 2025, across multiple distinct threat actors operating independently.
- CVE-2025-31277: Memory corruption in JavaScriptCore; primary RCE (patched in iOS 18.6 / 26.1)
- CVE-2025-43529: Second JavaScriptCore memory corruption; zero-day (patched in iOS 18.7.3 / 26.2)
- CVE-2026-20700: PAC bypass in dyld; zero-day (patched in iOS 26.3)
- CVE-2025-14174: Additional privilege escalation; zero-day (patched in iOS 26.3)
- Two further vulnerabilities: Kernel privilege escalation and PPL bypass (all patched in iOS 26.3)
The actors tracked using DarkSword include UNC6748, which targeted Saudi Arabian users via a fake Snapchat-themed website; PARS Defense, believed to be an Iranian commercial surveillance vendor; and UNC6353 — the same suspected Russian espionage group previously linked to Coruna campaigns against Ukrainian targets. This overlap between Coruna and DarkSword users led Lookout to suggest UNC6353 may function as a “privateer” group — a criminal proxy operating with state backing, blending espionage and financial crime.
All six DarkSword vulnerabilities have now been patched in iOS 26.3, though the gap between the first known deployment in November 2025 and the final patch represented approximately four months of exposure for unpatched devices.
What These Attacks Steal
The financially motivated deployments of both Coruna and DarkSword share a common target profile: cryptocurrency assets. Once PlasmaLoader (Coruna’s final-stage payload) achieves root-level access, it hooks functions within at least 18 cryptocurrency wallet applications — including MetaMask, BitKeep, and Phantom — to exfiltrate private keys, seed phrases, wallet caches, and screenshots.
Researchers noted that the payload’s design reflects a deliberate shift in attacker strategy: rather than relying on traditional keylogging or network interception, the malware performs direct semantic scanning of device storage, searching for keywords associated with wallet recovery credentials. Even a screenshot saved to the camera roll containing a seed phrase would be identified and transmitted.
DarkSword deploys three distinct malware families upon successful compromise: GHOSTBLADE, GHOSTKNIFE (a JavaScript backdoor capable of broad data theft), and GHOSTSABER — each tailored to different operational objectives across the different threat actors using the kit.
The Bigger Picture
iVerify summarized the industry implications bluntly: “For the second time in a month, threat actors have employed waterhole attacks to target iPhone users. Neither of these attacks was individually targeted. The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.”
GTIG’s broader 2025 zero-day review found that 90 zero-day vulnerabilities were exploited across the year — up from 78 in 2024 — and that mobile exploitation counts rebounded to 15, after a dip to 9 in 2024. The structural picture that emerges from both reports is one of a maturing and increasingly accessible market for elite mobile exploits, where capabilities originally developed for intelligence-grade surveillance operations are cycling into criminal hands within months, not years.
“The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation.”
— Google Threat Intelligence Group (GTIG)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three Coruna-abused CVEs to its Known Exploited Vulnerabilities catalog on March 5, 2026, directing federal agencies to apply fixes. Google has added delivery domains for both kits to Safe Browsing.
What Users Should Do
Protection Checklist
- Update iOS immediately. iOS 17.3 or later closes all Coruna exploits. iOS 18.7.3 or iOS 26.3 closes all DarkSword exploits. There is no substitute for patching.
- Enable Lockdown Mode if you cannot update right away. Coruna’s framework terminates on devices in Lockdown Mode, significantly reducing your attack surface.
- Do not visit unfamiliar websites from an iPhone without verifying the source. Both kits are delivered via watering-hole attacks — compromised or fake websites — requiring no more than a page visit to trigger.
- Never store seed phrases or private keys as screenshots or plaintext files on your device. Coruna’s payload scans for these semantically and exfiltrates them without any visible sign.
- Use a hardware wallet for significant cryptocurrency holdings. Hardware wallets keep private keys off internet-connected devices entirely.
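The version ranges in this checklist can be turned into a quick fleet triage. The script below is an added example, not GTIG, Lookout or iVerify tooling: it encodes the page's stated ranges (Coruna 13.0 up to the 17.3 fix; DarkSword 18.4 up to the 18.7.3 fix, plus 26.x below the 26.3 release that closes all six CVEs), treats Lockdown Mode as a Coruna-only stopgap as the article describes, and runs over a constructed, hypothetical device inventory.

```python
"""Triage an iOS device inventory against the Coruna and DarkSword version
ranges quoted in this article. Added example, not vendor tooling."""


def parse_version(s: str) -> tuple:
    """'17.2.1' -> (17, 2, 1); short strings pad with 0 so '18.7' == (18, 7, 0)."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    return parts + (0,) * (3 - len(parts))


# Ranges stated on the page: [first affected, first fixed). Coruna targets
# 13.0-17.2.1 and iOS 17.3 closes it. DarkSword targets 18.4-18.7 and is closed
# by 18.7.3; on the 26.x line the page says all six CVEs are fixed only in 26.3,
# so 26.0-26.2 is treated as still exposed.
KIT_RANGES = {
    "Coruna": [(parse_version("13.0"), parse_version("17.3"))],
    "DarkSword": [(parse_version("18.4"), parse_version("18.7.3")),
                  (parse_version("26.0"), parse_version("26.3"))],
}


def exposed_kits(version: str) -> list:
    """Return the kits whose stated target range contains this iOS version."""
    v = parse_version(version)
    return [kit for kit, ranges in KIT_RANGES.items()
            if any(lo <= v < hi for lo, hi in ranges)]


def triage(version: str, lockdown_mode: bool = False) -> str:
    kits = exposed_kits(version)
    if not kits:
        return "patched"
    # The page says Coruna's framework aborts on Lockdown Mode devices; it says
    # nothing comparable about DarkSword, so the stopgap applies to Coruna only.
    if lockdown_mode and kits == ["Coruna"]:
        return "mitigated by Lockdown Mode: update to iOS 17.3 or later"
    return "EXPOSED to " + ", ".join(kits) + ": update now"


# Constructed sample inventory (hypothetical devices): name, iOS, Lockdown Mode.
INVENTORY = [
    ("iphone-ceo", "17.2.1", False),
    ("iphone-sales-04", "17.2.1", True),
    ("iphone-dev-11", "18.7", False),
    ("iphone-hr-02", "18.7.3", False),
    ("iphone-ops-09", "26.2", False),
]

if __name__ == "__main__":
    for name, ver, ldm in INVENTORY:
        print(f"{name:16} iOS {ver:7} -> {triage(ver, ldm)}")
```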
Sources: Google Threat Intelligence Group, “Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit” (Google Cloud Blog, March 2026); Google Threat Intelligence Group, “The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors” (Google Cloud Blog, March 2026); The Hacker News; Lookout; iVerify; CISA Known Exploited Vulnerabilities Catalog. All CVE details sourced from official GTIG disclosures.
