Coruna and DarkSword: When Nation-State Spyware Goes Criminal

Updated April 2026 to incorporate the DarkSword exploit chain
Something significant happened in early 2026. Two iOS exploit kits – Coruna and DarkSword – confirmed what security researchers had long feared: the most sophisticated mobile hacking tools in the world, once the exclusive domain of intelligence agencies and government-approved surveillance vendors, are now in the hands of cybercriminals.
This is not a theoretical risk. These tools have already been used to drain cryptocurrency wallets, steal banking credentials, and compromise the iPhones of ordinary people who simply visited the wrong website. The threat model for mobile security has changed permanently.
Coruna: From Spy Tool to Criminal Weapon in Under a Year
Coruna is an iOS exploit kit of extraordinary sophistication. When Google’s Threat Intelligence Group (GTIG) published their analysis in March 2026, they described a framework containing five complete exploit chains and 23 individual vulnerabilities, covering every iPhone model running iOS 13.0 through iOS 17.2.1 — a range spanning four years of devices. The code is extensively documented in native English, professionally engineered, and incorporates exploitation techniques and mitigation bypasses not previously seen in public research. Researchers estimate that developing something of this scope would cost in the region of $30–40 million. This is not malware written by a criminal gang. It has all the hallmarks of a well-resourced state or state-adjacent programme.
What makes Coruna alarming is not its technical capability alone – it is the speed at which that capability proliferated.
GTIG first detected elements of Coruna in February 2025, in the hands of a commercial surveillance vendor’s customer. By summer 2025 the same JavaScript framework had been embedded as a hidden iFrame on compromised Ukrainian websites, silently delivering exploits to any iPhone user who visited those pages – a watering hole attack attributed to UNC6353, a suspected Russian espionage group. And by the end of 2025 the complete Coruna kit had appeared on hundreds of fake Chinese cryptocurrency exchange websites, used by a financially motivated criminal group (tracked as UNC6691) to steal credentials and drain crypto wallets.
In less than twelve months, a tool built for targeted intelligence collection had become a mass-market criminal weapon.
How Coruna Works
Coruna operates as a watering hole attack. The victim does not need to receive a malicious message or click a suspicious link – they simply need to visit a compromised or fraudulent website on an unpatched iPhone. The exploit kit fingerprints the device, determines its exact model and iOS version, and silently loads the appropriate exploit chain. If it detects that the device is in Lockdown Mode or private browsing, it stops – one of the few effective mitigations available.
After achieving remote code execution in the browser, the kit escalates privileges to the kernel using a chain of additional exploits, then loads an implant called PLASMAGRID. This injects itself into powerd – a system daemon running as root – and downloads modular payloads targeting 18 different cryptocurrency wallet applications including MetaMask, Phantom, Exodus, and Uniswap. It also scans Apple Notes and device images for BIP39 seed phrases and banking keywords, and exfiltrates anything it finds to attacker-controlled servers.
Two of Coruna’s exploit chains reuse vulnerabilities first documented in Operation Triangulation, the sophisticated 2023 iOS espionage campaign. This does not necessarily indicate shared authorship, but it does illustrate how quickly publicly disclosed nation-state techniques migrate into the broader criminal ecosystem.
Who Is at Risk From Coruna?
Coruna is not effective against current versions of iOS. Any iPhone running iOS 17.3 or later is not vulnerable to the known Coruna exploit chains. However, the risk to unpatched devices is real and immediate: researchers estimate tens of thousands of devices may already have been compromised in the criminal campaign alone. If your organisation has any iPhones running iOS 17.2.1 or earlier, those devices should be updated or taken out of service without delay.
DarkSword: A New Chain, More Actors, Greater Reach
Two weeks after the Coruna disclosure, GTIG published a second report – this time on a separate iOS exploit kit called DarkSword, active since at least November 2025 and targeting devices running iOS 18.4 through 18.7.
Where Coruna is a compiled, multi-architecture framework, DarkSword is implemented entirely in JavaScript. This is significant: it means there is no native binary to detect or sandbox, and it makes the chain trivially easy to host, adapt, and reuse. Any threat actor capable of running a web server can deploy it. Within weeks of the kit’s existence becoming known, the exploit code was published to GitHub – at which point it became available to anyone.
DarkSword uses six vulnerabilities across its chain: two JavaScriptCore memory corruption bugs (CVE-2025-31277 and CVE-2025-43529), a zero-day PAC bypass in dyld (CVE-2026-20700, patched only in iOS 26.3), and additional exploits for sandbox escape and kernel privilege escalation. All six have now been patched, but the fixes are spread across iOS 18.7.2, 18.7.3 and 26.1 through 26.3. Devices below these versions remain exposed.
Three Actors, One Exploit Kit
GTIG identified DarkSword being used independently by at least three different actors within the space of a few months – a pattern that mirrors Coruna’s proliferation and confirms that a functioning secondary market for advanced iOS exploits now exists.
UNC6748 used a Snapchat-themed phishing site to target iPhone users in Saudi Arabia, deploying a backdoor called GHOSTKNIFE capable of exfiltrating messages, location history, browser data, signed-in accounts, screenshots, and audio recordings.
PARS Defense, a Turkish commercial surveillance vendor, used DarkSword against targets in Turkey and Malaysia, deploying a different backdoor called GHOSTSABER. GHOSTSABER supports arbitrary SQL queries against device databases, recursive file listing and exfiltration, and the ability to execute arbitrary JavaScript code remotely – effectively giving an operator complete programmatic access to the device.
UNC6353 – the same suspected Russian espionage group that used Coruna in Ukrainian watering hole attacks – subsequently incorporated DarkSword into fresh campaigns against compromised Ukrainian websites, this time deploying a dataminer called GHOSTBLADE. GHOSTBLADE harvests iMessage databases, WhatsApp and Telegram data, photo metadata, location history, Safari browsing history and cookies, cryptocurrency wallet data, device keychains, health data, and the full list of installed applications – essentially a complete picture of a person’s digital life.
Who Is at Risk From DarkSword?
Any iPhone running iOS 18.7.1 or earlier, or iOS 26.0 through 26.2, is potentially vulnerable. Given that DarkSword exploit code is now publicly available on GitHub, the risk of further proliferation – including to actors with limited technical capability – is high. Updating to iOS 18.7.3 or iOS 26.3 is the single most important action any organisation can take right now.
The Pattern: A Secondary Market for Nation-State Exploits
Coruna and DarkSword are not isolated incidents. They are evidence of a structural shift in the threat landscape.
Researchers believe Coruna was likely developed by or for a US government contractor – possibly related to L3Harris – before being sold to zero-day brokers and eventually finding its way to Russian state operators and then Chinese criminal groups. DarkSword is believed to have originated in the Gulf region, possibly from a firm that subsequently ceased operations and liquidated its assets onto the secondary market.
In both cases, the pathway is the same: a government-grade tool, developed at enormous cost, leaks into a secondary market where it is acquired by nation-state actors, then by commercial surveillance vendors, and ultimately by financially motivated criminals. The timeline from first use to criminal deployment is now measured in months, not years.
This mirrors what happened with EternalBlue – the NSA-developed exploit that leaked in 2017 and went on to power WannaCry and NotPetya, causing billions of dollars in damage. The difference is that EternalBlue targeted Windows servers. Coruna and DarkSword target the iPhone in your employee’s pocket.
What This Means for Your Organisation
For most organisations, commercial spyware has historically felt like someone else’s problem – a risk for activists, diplomats, and senior politicians, not for businesses. Coruna and DarkSword make that assumption untenable.
The criminal campaigns associated with both kits are financially motivated and indiscriminate. The fake cryptocurrency sites delivering Coruna were not targeted at specific individuals – they were mass-exploitation infrastructure. Any employee with an unpatched iPhone who visited one of those sites was a potential victim. Their device credentials, corporate email access, authentication tokens, and anything else stored on the phone were all in scope.
The implications for enterprise mobile security are significant:
Patch compliance is now a critical security control, not a hygiene task. The window between a patch being issued and an exploit kit being updated to target unpatched devices is shrinking. In the DarkSword case, vulnerability patches and active exploitation were occurring within the same release cycle.
MDM alone provides no protection against this class of attack. Coruna and DarkSword both operate at a layer beneath mobile device management. A successfully compromised device can lie about its own state. Application lists, compliance policies, and certificate checks are all irrelevant once an attacker has kernel-level access.
Network traffic monitoring is the most reliable detection mechanism available. Every implant – PLASMAGRID, GHOSTKNIFE, GHOSTSABER, GHOSTBLADE – must communicate with a command-and-control server to exfiltrate data. That traffic traverses the network and is detectable. Anomalous connections to raw IP addresses, unexpected data volumes from system processes, and traffic to newly registered or low-reputation domains are all signals that network-layer monitoring can surface.
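As an added illustration (not Corrata's or GTIG's code), the following triage pass scores per-flow records from mobile devices against the three network-layer signals just listed: raw-IP destinations, outbound traffic from a system process such as powerd, bulk uploads, and newly registered domains. The record fields, the process list, the thresholds, the registration-date table and the sample flows are all constructed for the example.

```python
import ipaddress
from datetime import date
# Processes that should not originate internet traffic on an iPhone;
# powerd is included because the post says PLASMAGRID injects into it.
SYSTEM_PROCESSES = {"powerd", "launchd", "kernel_task"}
NEW_DOMAIN_DAYS = 30            # registrations younger than this are suspect
BULK_UPLOAD_BYTES = 5_000_000   # per-flow upload volume worth a question
TODAY = date(2026, 4, 1)        # constructed "now" for the sample run
# Constructed registration dates standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "api.example-bank.com": date(2012, 4, 1),
    "cdn-update-srv.xyz": date(2026, 3, 20),
}

def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_flow(flow, today=TODAY):
    """Return the signals one flow trips; an empty list means nothing seen."""
    reasons, host = [], flow["dest"]
    if is_raw_ip(host):
        reasons.append("connection to a raw IP address, no hostname")
    if flow["process"] in SYSTEM_PROCESSES:
        reasons.append(f"outbound traffic from system process {flow['process']}")
    if flow["bytes_out"] >= BULK_UPLOAD_BYTES:
        reasons.append(f"bulk upload of {flow['bytes_out']} bytes")
    created = DOMAIN_CREATED.get(host)
    if created is not None and (today - created).days < NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {(today - created).days} days ago")
    return reasons

def triage(flows, today=TODAY):
    """Map device id -> [(destination, reasons)] for every flagged flow."""
    hits = {}
    for f in flows:
        reasons = triage_flow(f, today)
        if reasons:
            hits.setdefault(f["device"], []).append((f["dest"], reasons))
    return hits

# Constructed flows: a normal banking session, then a device acting like an implant host.
SAMPLE_FLOWS = [
    {"device": "iphone-017", "process": "MobileSafari", "dest": "api.example-bank.com", "bytes_out": 12_000},
    {"device": "iphone-042", "process": "powerd", "dest": "203.0.113.7", "bytes_out": 9_400_000},
    {"device": "iphone-042", "process": "MobileSafari", "dest": "cdn-update-srv.xyz", "bytes_out": 3_000},
]
```

Calling triage(SAMPLE_FLOWS) leaves the banking session alone and flags iphone-042 twice: once for the powerd flow, which trips three signals at once, and once for the freshly registered domain.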
Immediate Actions
- Update all iPhones to iOS 18.7.3 or iOS 26.3 immediately. Any device below these versions is potentially vulnerable to DarkSword. Any device below iOS 17.3 is also vulnerable to Coruna.
- Audit your patch compliance posture for mobile. If you do not have visibility into the iOS versions running across your device fleet, establishing that visibility is the first step.
- Deploy network-level monitoring for mobile devices. If an exploit does succeed, network traffic anomalies are your most reliable signal.
- Review your incident response procedures for mobile compromise. A suspected iOS exploitation incident has different evidence preservation requirements than a laptop compromise. Make sure your team knows what to do.
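The first two actions above amount to comparing every device's iOS build against the thresholds this post gives. The script below is an added example, not Corrata's tooling: it parses version strings from an MDM export and reports which devices are still below the advised builds for Coruna (17.3) and DarkSword (18.7.3 on the 18.x line, 26.3 on 26.x). The inventory format and sample devices are constructed.

```python
# Thresholds taken from the post's "Immediate Actions": Coruna does not affect
# iOS 17.3+, DarkSword requires 18.7.3 on the 18.x line or 26.3 on 26.x.
CORUNA_FIXED = (17, 3, 0)
DARKSWORD_FIXED = {18: (18, 7, 3), 26: (26, 3, 0)}

def parse_version(s):
    """'18.7.1' -> (18, 7, 1); missing components are padded with zeros."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def exposure(version_str):
    """List the exploit kits a device on this iOS build is still exposed to."""
    v = parse_version(version_str)
    kits = []
    if v < CORUNA_FIXED:
        kits.append("Coruna")
    # Anything below the 18.x fix, or a 26.x build before 26.3, is below the
    # advised version for DarkSword.
    if v < DARKSWORD_FIXED[18] or (26, 0, 0) <= v < DARKSWORD_FIXED[26]:
        kits.append("DarkSword")
    return kits

def audit(inventory):
    """inventory: iterable of (device_id, ios_version) from an MDM export."""
    report = {"exposed": [], "current": []}
    for device_id, ver in inventory:
        kits = exposure(ver)
        if kits:
            report["exposed"].append((device_id, ver, kits))
        else:
            report["current"].append(device_id)
    report["exposed"].sort(key=lambda r: (-len(r[2]), r[0]))  # worst first
    return report

# Constructed MDM export covering each side of the two thresholds.
SAMPLE_INVENTORY = [
    ("iphone-001", "17.2.1"),
    ("iphone-002", "18.7.1"),
    ("iphone-003", "18.7.3"),
    ("iphone-004", "26.2"),
    ("iphone-005", "26.3"),
]

if __name__ == "__main__":
    for device_id, ver, kits in audit(SAMPLE_INVENTORY)["exposed"]:
        print(f"{device_id} on iOS {ver}: update now ({', '.join(kits)})")
```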
Corrata detects spyware-related command-and-control traffic at the network layer, continuously monitoring mobile devices for the anomalous communications patterns that active implants must generate. Learn more about Corrata’s spyware detection capabilities.