Ethical Hacking News
Coruna and DarkSword: A Comprehensive Analysis of the Latest iOS Exploit Kits
Two powerful exploit kits, Coruna and DarkSword, have emerged as major players in the world of iOS malware. Coruna targets Apple iPhones running iOS versions 13.0 through 17.2.1, while DarkSword targets iPhones running iOS 18.4-18.7. Both kits deliver multiple WebKit RCE exploits and pointer authentication bypasses, making them highly effective at compromising devices. Coruna and DarkSword share several common characteristics, including custom loaders and shared utilities, and avoid devices in Lockdown Mode or private browsing. The emergence of these exploit kits has significant implications for Apple device users, highlighting the need for mobile device security awareness and education.
The threat landscape for mobile devices, particularly iPhones, has taken a significant turn for the worse. In recent months, two powerful exploit kits, Coruna and DarkSword, have emerged as major players in the world of iOS malware, posing an existential risk to the security of millions of Apple devices worldwide. This article provides an in-depth analysis of these newly identified threats, exploring their origins, capabilities, and implications for users.
The Coruna Exploit Kit: A Comprehensive Overview
In February 2025, Google's Threat Intelligence Group (GTIG) identified a powerful new iOS exploit kit called Coruna, also known as CryptoWaters. This kit targets Apple iPhones running iOS versions 13.0 through 17.2.1 and is capable of delivering multiple WebKit RCE exploits and pointer authentication bypasses. The kit includes five full exploit chains and a total of 23 exploits, making it one of the most extensive and sophisticated iOS malware tools in recent history.
The Coruna exploit kit relies on a highly engineered framework that links all components through shared utilities and custom loaders. It avoids devices in Lockdown Mode or private browsing, derives resource URLs from a hard-coded cookie, and delivers its WebKit RCE exploits and pointer authentication (PAC) bypasses in clear form. After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions.
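A defender-side triage heuristic for the payload disguise described above, added here as an example and not taken from GTIG or the original article: it flags responses served under a .min.js name whose bodies look like encrypted or compressed data rather than JavaScript text. The function names, thresholds and both sample bodies are assumptions constructed for illustration, and the check presumes response bodies are available from a proxy or packet capture.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, roughly 4.5-5.5 for minified JS."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def classify_min_js(url_path: str, body: bytes,
                    entropy_limit: float = 7.0,
                    printable_floor: float = 0.85) -> str:
    """Return 'not-applicable', 'plausible-js' or 'suspicious-binary'.

    Thresholds are assumptions to tune per environment. Short bodies cannot
    reach high entropy, so the printable-byte ratio is checked as well.
    """
    path = url_path.split("?", 1)[0].lower()
    if not path.endswith(".min.js"):
        return "not-applicable"
    if shannon_entropy(body) > entropy_limit or printable_ratio(body) < printable_floor:
        return "suspicious-binary"
    return "plausible-js"

# Constructed samples: genuine-looking minified JavaScript, and a deterministic
# high-entropy blob standing in for an encrypted, compressed payload.
SAMPLE_JS = b'!function(e,t){"use strict";var n=e.document,r=t(n);e.app=r}(window,function(d){return{q:function(s){return d.querySelector(s)}}});' * 30
SAMPLE_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for path, body in (("/static/app.min.js", SAMPLE_JS),
                       ("/static/a1b2c3.min.js?v=3", SAMPLE_BLOB),
                       ("/index.html", SAMPLE_BLOB)):
        print(path, classify_min_js(path, body),
              round(shannon_entropy(body), 2), round(printable_ratio(body), 2))
```

Legitimate scripts containing large amounts of non-ASCII text can fall below the printable-byte floor, so a hit is a lead for review rather than a verdict.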
The DarkSword Exploit Kit: A New Threat on the Horizon
In late 2025, researchers discovered a new iOS exploit kit called DarkSword, which targets iPhones running iOS 18.4-18.7. This tool enables near-full device access with minimal user interaction, making it an attractive option for threat actors seeking to compromise devices without the need for extensive social engineering or lateral movement.
The DarkSword exploit kit appears to be linked to Coruna exploits, as researchers found that the actor behind this new threat, UNC6353, had previously used Coruna in Ukrainian watering hole attacks. This connection highlights the ongoing risk of exploit proliferation across actors of varying geography and motivation.
The Uncanny Similarities Between Coruna and DarkSword
Despite targeting different iOS versions and using different exploit chains, Coruna and DarkSword share several common characteristics. Both kits are designed to deliver WebKit RCE exploits and pointer authentication bypasses, which makes them highly effective at compromising devices running the iOS versions they target.
Both Coruna and DarkSword also rely on custom loaders and shared utilities to link all components together, demonstrating a high degree of engineering sophistication. Furthermore, both kits avoid devices in Lockdown Mode or private browsing, deriving resource URLs from hard-coded cookies to deliver their payloads.
The Implications of These Exploit Kits
The emergence of Coruna and DarkSword as major players in the world of iOS malware has significant implications for users of Apple devices. Because these exploit kits can deliver multiple WebKit RCE exploits and pointer authentication bypasses, they are highly effective at compromising devices running the affected iOS versions.
Moreover, the ability of both Coruna and DarkSword to deliver encrypted, compressed payloads disguised as .min.js files tailored to specific chips and iOS versions underscores their sophistication. The fact that both kits can access sensitive data without requiring extensive social engineering or lateral movement increases the risk of compromise for users.
The rise of these exploit kits highlights the ongoing need for mobile device security awareness and education. As the threat landscape continues to evolve, it is essential for users to remain vigilant and take steps to protect themselves against these newly identified threats.
In conclusion, Coruna and DarkSword represent a significant challenge for Apple device users, as both exploit kits have been shown to deliver highly effective attacks on iOS devices running vulnerable operating systems. The fact that these kits are capable of compromising devices with minimal user interaction underscores their sophistication and increases the risk of compromise for users.
Summary:
The rise of Coruna and DarkSword as major players in the world of iOS malware has significant implications for Apple device users. These newly identified exploit kits have been shown to deliver highly effective attacks on iOS devices running vulnerable operating systems, compromising sensitive data without requiring extensive social engineering or lateral movement. As a result, it is essential for users to remain vigilant and take steps to protect themselves against these newly identified threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Coruna-and-DarkSword-A-Comprehensive-Analysis-of-the-Latest-iOS-Exploit-Kits-ehn.shtml
Published: Fri Mar 20 07:54:05 2026 by llama3.2 3B Q4_K_M