From Pegasus to DarkSword – The alarming history of iOS Spyware


Last updated: April 2026

Something changed in 2026. The kind of iOS spyware that was once the exclusive preserve of intelligence agencies and their approved commercial vendors – tools costing millions of dollars and deployed against a carefully selected handful of dissidents, journalists, civil rights activists, and senior politicians – is now in the hands of cybercriminals.

The emergence of two exploit kits, Coruna and DarkSword, marks a turning point. For the first time, we have clear evidence of nation-state-grade iOS exploitation being used to drain cryptocurrency wallets, steal banking credentials, and conduct broad-based financial fraud. The threat model has fundamentally changed: where previously an ordinary business user had little reason to fear Pegasus-style spyware, today any unpatched iPhone visiting the wrong website is a potential target.

This post traces how we got here – from the first discovery of Pegasus in 2016, through a decade of escalating sophistication, to the moment that sophisticated iOS exploitation went criminal – and explains what your organisation needs to do about it now.


The Beginning: Pegasus and the First Pegasus Attacks (2016)

The story of iOS commercial spyware begins in 2016, when Ahmed Mansoor, a UAE human rights activist, received suspicious text messages promising “new secrets” about detainees tortured in UAE jails. Instead of clicking the links, he forwarded them to Citizen Lab. Researchers used a jailbroken iPhone to visit the URLs and discovered a weaponised exploit chain delivering a sophisticated implant – the first publicly documented case of a commercial company selling advanced iOS malware.

The malware was Pegasus, developed by Israeli firm NSO Group. That first version used a WebKit vulnerability as its entry point and required the target to click a link – what the industry calls a “one-click” attack. Once on the device it installed an implant called BridgeHead (BH), dropped persistence files to disk, and exfiltrated data. Because NSO made no attempt at cleanup, Citizen Lab and Lookout Security were able to identify the implant process name, the infrastructure URLs, and the persistence mechanism with relative ease.

The public disclosure was a turning point. NSO Group understood they had been caught – and immediately set about making Pegasus harder to detect.


Going Zero-Click: WhatsApp and iMessage (2019–2021)

By 2019 NSO had shifted to zero-click attack surfaces, meaning the target’s phone could be compromised without the victim doing anything at all. A joint investigation by WhatsApp and Citizen Lab revealed that NSO was exploiting a vulnerability in WhatsApp calls – simply receiving a call was enough to trigger infection. Missed calls appeared in the victim’s call log, which became one of the primary forensic indicators for this campaign.

In 2021 the Pegasus Project – a collaboration involving Amnesty International, Citizen Lab, and media partners – analysed a leaked list of roughly 50,000 phone numbers believed to be potential Pegasus targets. Forensic analysis of around 100 devices found 80 confirmed infections. Targets included President Emmanuel Macron of France, senior politicians in Spain and other countries, journalists, lawyers, and human rights activists across dozens of nations. By this point Pegasus had clearly moved far beyond its original stated purpose of targeting criminals and terrorists.

The technical highlight of this period was the “FORCEDENTRY” exploit, which attacked iMessage’s image rendering pipeline by building a virtual machine inside a PDF parser to achieve code execution and sandbox escape without any user interaction. Google Project Zero published a detailed analysis describing it as one of the most technically sophisticated exploits ever seen in the wild.

Forensically, Pegasus was becoming more careful. Process names were now chosen to mimic legitimate iOS processes, though with subtle one-letter variations that a trained analyst could spot. The implant also began delaying device shutdowns – a behaviour that left traces in a file called shutdown.log – and started attempting to clean up iMessage attachment directories after infection. Crucially, it cleaned only one of two relevant database tables, leaving a distinctive discrepancy that became a reliable detection signal.


The Commercial Ecosystem Expands: Predator, Hermit, and iSoon (2019–2022)

NSO was not operating alone. Several other commercial and state-linked actors emerged during this period.

iSoon / Chinese State Actor (2019). Google’s Threat Analysis Group documented a campaign attributable to the Chinese contractor iSoon (not publicly named at the time) that hosted five different WebKit exploit chains – fourteen vulnerabilities in total – targeting devices from iOS 10 through iOS 14. Anyone who visited the infected web servers would have been compromised regardless of their identity. The malware transmitted stolen data completely unencrypted over the network, a remarkable operational security failure that allowed researchers to recover everything. This was the first publicly documented case of iOS exploits used in mass, indiscriminate attacks.

Predator / Intellexa (2021 onwards). Developed by the Intellexa consortium (previously trading under the name Cytrox), Predator typically used WebKit as its infection vector. Google TAG and Citizen Lab documented campaigns targeting Meta employees, politicians, and journalists. A Predator infection found in Greece led to a criminal conviction: one of the founders of the Intellexa group was sentenced to eight years in prison for his role in the affair. Forensically, Predator spoofed legitimate iOS process names (such as usereventsagent), stored a configuration file in /private/var/keybagd/, and notably used Apple Shortcuts as a persistence mechanism. Later versions moved toward network-injection delivery – using a privileged position on the mobile network to inject exploit code into unencrypted (or fraudulently-signed encrypted) web traffic, effectively turning any unencrypted web browsing into a zero-click attack surface.

Hermit (2022). The Hermit spyware, linked to Italian vendor RCS Lab, took a different approach: social engineering combined with a sideloaded application. Operators worked with mobile network carriers to temporarily cut off a target’s internet connection, then sent an SMS inviting the victim to download an app to restore service. Inside the app, Hermit used a combination of public and privately-held exploits to gain privileged access. Detection is comparatively straightforward – sideloaded apps leave provisioning profiles and appear in device application lists.

Operation Triangulation (2023)

Kaspersky discovered what it called Operation Triangulation, a sophisticated espionage campaign targeting iOS devices – including Kaspersky employees – via zero-click iMessage exploits. The technical sophistication was a step above anything previously documented: the attack used a three-stage chain, cleaned up iMessage attachment directories, flushed crash logs, and disguised activity under legitimate system process names such as BackupAgent. Attribution pointed toward a nation-state actor with substantially greater operational security discipline than commercial vendors.


A New Generation: Graphite and the Paragon Group (2025)

In early 2025 Citizen Lab published the first evidence of a new commercial spyware vendor – Paragon Solutions – whose tool is known as Graphite. The attack vector identified was WhatsApp. Forensic indicators were deliberately limited; Citizen Lab identified network-level artifacts it named “small pretzel” and “big pretzel” but withheld detailed IOCs to preserve detection capability. Graphite’s use of raw IP addresses rather than domain names for command-and-control communication was noted as an attempt to evade DNS-level monitoring tools deployed by mobile security vendors.


The Rules Change: Coruna and DarkSword (2025–2026)

Early 2026 has brought a fundamental shift in the iOS threat landscape. Two exploit kits – Coruna and DarkSword – have demonstrated that sophisticated iOS exploitation is no longer the exclusive preserve of nation-states and their approved commercial vendors. The tooling is now proliferating to organised crime.

Coruna

Google Threat Intelligence Group (GTIG) identified Coruna – the name its developers gave the kit internally – in early 2025. The kit is extraordinary in scope: five complete exploit chains, 23 individual exploits, and coverage of every iPhone model running iOS 13.0 through iOS 17.2.1. The exploit code is extensively documented in native English with docstrings and comments, suggesting significant professional engineering investment.

Coruna’s history illustrates exactly how dangerous exploit proliferation has become. GTIG tracked it through three distinct phases:

  • A commercial surveillance vendor used parts of the Coruna framework in targeted operations in early 2025.
  • UNC6353, a suspected Russian espionage group, embedded the same JavaScript framework on compromised Ukrainian websites in summer 2025 as a watering hole attack, delivering exploits to any iPhone user visiting those pages.
  • UNC6691, a financially motivated Chinese threat actor, deployed the complete Coruna kit across hundreds of fake cryptocurrency exchange websites, using it to steal credentials and drain crypto wallets.

The payload recovered from the Chinese campaign – GTIG tracks it as PLASMAGRID – injected itself into powerd (a root-level system daemon) and loaded modular plugins targeting 18 different cryptocurrency wallet applications, scanning memos and images for BIP39 seed phrases and banking credentials.

Technically, Coruna is impressively engineered: exploit payloads are encrypted with ChaCha20, served from URL paths derived by hashing a unique cookie, and packaged in a custom binary format. The kit checks for Lockdown Mode and bails out if it detects it. It also incorporates mitigation bypasses – including some exploitation techniques not previously seen in public research – and reuses modules from Operation Triangulation.

Coruna only works against iOS 17.2.1 and earlier. It is not effective against current iOS versions. Any device still running iOS 17.2.1 or earlier should be updated immediately.

DarkSword

Published by Google in March 2026, DarkSword is a separate full-chain exploit kit targeting iOS 18.4 through 18.7. Where Coruna is a compiled, multi-architecture framework, DarkSword is implemented entirely in JavaScript – making it trivially easy to adapt, host, and reuse.

GTIG observed DarkSword used by at least three distinct actors within months of its first appearance:

  • UNC6748 targeted Saudi Arabian users via a Snapchat-themed phishing site (snapshare[.]chat), delivering a backdoor called GHOSTKNIFE capable of exfiltrating messages, location history, browser data, signed-in accounts, and audio recordings.
  • PARS Defense, a Turkish commercial surveillance vendor, used DarkSword against targets in Turkey and Malaysia, deploying a different backdoor, GHOSTSABER, which supports arbitrary SQL queries against device databases, file exfiltration, and remote JavaScript execution.
  • UNC6353 – the same suspected Russian group that used Coruna against Ukrainian targets – incorporated DarkSword into fresh watering hole campaigns on compromised Ukrainian websites, deploying a dataminer called GHOSTBLADE that harvests iMessage conversations, WhatsApp and Telegram data, photos, location history, Safari data, cryptocurrency wallet information, and device keychains.


DarkSword uses six vulnerabilities across its chain, including CVE-2025-31277 and CVE-2025-43529 (both JavaScriptCore memory corruption bugs), CVE-2026-20700 (a PAC bypass in dyld exploited as a zero-day), and additional sandbox escape and privilege escalation bugs. All six have now been patched – most in iOS 18.7.2/18.7.3, with the PAC bypass patched in iOS 26.3.

Any device running iOS 18.7.1 or earlier, or iOS 26.0 through 26.2, is potentially vulnerable to DarkSword variants and should be updated without delay.


How the Threat Landscape Has Evolved

Era | Representative Threat | Attack Type | Targeting | Key Change
--- | --- | --- | --- | ---
2016 | Pegasus (v1) | One-click (WebKit) | Highly targeted | First commercial iOS implant
2019 | Pegasus (WhatsApp) | Zero-click | Targeted | No user interaction required
2019 | iSoon | One-click (mass) | Mass/indiscriminate | First mass exploitation of iOS
2021 | Predator, Pegasus (FORCEDENTRY) | Zero-click | Targeted | State-level targets; cleanup begins
2022 | Hermit, Operation Triangulation | Various | Targeted | Sophisticated cleanup; nation-state quality
2025 | Graphite | Zero-click | Targeted | New vendor; limited public IOCs
2025–2026 | Coruna | Watering hole | Mass | Exploit proliferation to organised crime
2025–2026 | DarkSword | Watering hole | Mass + targeted | All-JavaScript chain; multiple vendors simultaneously

The critical shift in 2025–2026 is the democratisation of high-quality iOS exploits. Both Coruna and DarkSword were used by multiple independent actors within months of their first appearance in the wild. DarkSword exploit code has since been published to GitHub, meaning any threat actor capable of hosting a website can now mount an iOS exploitation campaign against unpatched devices. This is a categorically different risk than the targeted spyware threat of previous years.


What Apple Is – and Isn’t – Doing

Apple has shipped a significant number of security mitigations over this decade, including Pointer Authentication Codes (PAC), the Page Protection Layer (PPL), the Secure Page Table Monitor (SPTM), and most recently memory integrity enforcement on iPhone 17. Lockdown Mode, introduced in 2022, does reduce the attack surface – it would have mitigated parts of both Coruna and DarkSword – but at a significant usability cost that makes it impractical for most users.

Apple also issues threat notifications when it has evidence a device may have been targeted. However, these notifications rely primarily on iMessage metadata and Apple service monitoring rather than on-device detection; they provide little actionable forensic detail about the nature or timeline of an infection.

What Apple does not ship is any on-device detection framework analogous to the Endpoint Security framework available on macOS. There is no mechanism for security tools to monitor process creation, file system access in sensitive directories, or crash log patterns in real time. Given that monitoring the /tmp directory and crash logs would have surfaced indicators for every major commercial spyware family documented over the past decade, this remains a significant gap.

In the absence of on-device visibility, network traffic monitoring is the only reliable method for remotely detecting an active spyware infection. Every implant documented in this post – from Pegasus to GHOSTBLADE – must communicate with a command-and-control server to exfiltrate data and receive instructions. That traffic, however well encrypted, has to traverse the network, and at that point it becomes detectable. Anomalous connections to raw IP addresses, unexpected domains, unusual data volumes from system processes, or traffic patterns inconsistent with normal application behaviour are all signals that network-layer monitoring can surface. On-device forensic analysis remains the gold standard for confirming and investigating a suspected infection, but for continuous, scalable detection across a fleet of corporate devices, the network is where the evidence reliably appears.
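The two network-layer signals this post leans on most – Graphite’s raw-IP command-and-control that sidesteps DNS monitoring, and uploads far larger than a device normally sends – can be checked from flow records alone. The following is an added example written for this post, not Corrata’s detection logic; the flow record layout, the DNS cache and the thresholds are assumptions, and the sample flows are constructed.

```python
"""Network-layer spyware indicators over constructed mobile flow records.

Added example, not Corrata's detection logic. The flow record layout, the
DNS cache and the thresholds are all assumptions made for this illustration.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed flow records: (device, destination IP, TLS SNI or "" when the
# client sent none, bytes uploaded). Real records would come from a gateway,
# VPN concentrator or on-device network extension.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("iphone-02", "142.250.74.36", "www.google.com", 2_100),
    ("iphone-02", "17.253.144.10", "gateway.icloud.com", 8_400),
    ("iphone-02", "157.240.1.35", "graph.facebook.com", 1_900),
    ("iphone-02", "203.0.113.45", "", 41_300_000),  # bare IP, no SNI, large upload
    ("iphone-07", "142.250.74.36", "www.google.com", 1_800),
    ("iphone-07", "17.253.144.10", "gateway.icloud.com", 7_900),
]
# Constructed DNS cache: IPs that appeared in an answer the device resolved.
# A C2 reached by raw IP (the Graphite pattern) never shows up here.
DNS_SEEN: Set[str] = {"142.250.74.36", "17.253.144.10", "157.240.1.35"}

UPLOAD_FLOOR = 1_000_000   # ignore small transfers even if they are outliers
UPLOAD_FACTOR = 20         # flag uploads this many times the device's median


def detect(flows, dns_seen) -> List[Tuple[str, str, str]]:
    """Return (device, destination, indicator) tuples for suspicious flows."""
    by_device: Dict[str, list] = defaultdict(list)
    for rec in flows:
        by_device[rec[0]].append(rec)
    alerts = []
    for device, recs in by_device.items():
        # Per-device upload baseline; the median is robust to a single outlier.
        baseline = median(rec[3] for rec in recs)
        for _, dst, sni, bytes_out in recs:
            # Raw-IP contact with no preceding DNS answer and no SNI: the
            # destination was hard-coded in the client, not looked up.
            if sni == "" and dst not in dns_seen:
                alerts.append((device, dst, "raw_ip_no_dns"))
            # Exfiltration-sized upload relative to what this device normally sends.
            if bytes_out >= UPLOAD_FLOOR and bytes_out > UPLOAD_FACTOR * baseline:
                alerts.append((device, dst, "upload_outlier"))
    return alerts


if __name__ == "__main__":
    for device, dst, indicator in detect(FLOWS, DNS_SEEN):
        print(f"{device} -> {dst}: {indicator}")
```

On the constructed data only the bare-IP flow from iphone-02 trips both rules; a real deployment would tune the floor and factor per fleet and feed alerts into the on-device forensic workflow for confirmation.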


What Organisations Should Do

Immediately:

  • Verify that all iPhones and iPads in your environment are running iOS 26.3 or later (or at minimum iOS 18.7.3). Devices below these versions remain vulnerable to DarkSword variants.
  • Any device still on iOS 18.7.2 or earlier is exposed to DarkSword and must be updated or removed from corporate use.
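A fleet-wide check of the two points above can be scripted against an MDM version export. This is an added example, not Corrata’s tooling; the exposure windows and minimum versions are the ones stated in this post (iOS 13.0–17.2.1 for Coruna, iOS 18.4–18.7.2 and 26.0–26.2 for DarkSword, minimum iOS 26.3 or 18.7.3), and the inventory is constructed.

```python
"""Fleet patch-level triage against the exposure windows stated in this post.

Added example, not Corrata's tooling. The version bounds are the ones given in
the post; the device inventory is constructed.
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive exposure windows as stated in the post.
CORUNA_RANGE = ((13, 0, 0), (17, 2, 1))              # iOS 13.0 through 17.2.1
DARKSWORD_RANGES = (((18, 4, 0), (18, 7, 2)),         # iOS 18.4 through 18.7.2
                    ((26, 0, 0), (26, 2, 0)))         # iOS 26.0 through 26.2
# Recommended minimum: iOS 26.3, or 18.7.3 for devices held back on iOS 18.
MIN_IOS26 = (26, 3, 0)
MIN_IOS18 = (18, 7, 3)


def parse_version(text: str) -> Version:
    """'18.7.1' -> (18, 7, 1); pad to three parts so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def exposed_kits(version: str) -> List[str]:
    """Exploit kits whose published exposure window covers this version."""
    v = parse_version(version)
    kits = []
    if CORUNA_RANGE[0] <= v <= CORUNA_RANGE[1]:
        kits.append("Coruna")
    if any(lo <= v <= hi for lo, hi in DARKSWORD_RANGES):
        kits.append("DarkSword")
    return kits


def meets_minimum(version: str) -> bool:
    """True when the device is at the post's recommended patch level."""
    v = parse_version(version)
    return v >= MIN_IOS26 or MIN_IOS18 <= v < (19, 0, 0)


def triage(inventory):
    """(device, version) pairs -> (device, version, finding) for devices needing action."""
    findings = []
    for device, version in inventory:
        kits = exposed_kits(version)
        if kits:
            findings.append((device, version, "exposed to " + ", ".join(kits)))
        elif not meets_minimum(version):
            findings.append((device, version, "below minimum patch level"))
    return findings


# Constructed MDM export; real data would come from your MDM inventory API.
INVENTORY = [("ipad-01", "17.2.1"), ("iphone-02", "18.7.1"), ("iphone-03", "18.7.3"),
             ("iphone-04", "26.2"), ("iphone-05", "26.3"), ("iphone-06", "17.5")]

if __name__ == "__main__":
    for device, version, finding in triage(INVENTORY):
        print(f"{device} ({version}): {finding}")
```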


Within three months:

  • Review your mobile endpoint security strategy. If your mobile device management platform is your only security control, you have significant blind spots. MDM gives you an application list; it gives you nothing about exploitation activity.
  • Implement network traffic monitoring for mobile devices. Network-layer anomalies are detectable even when on-device access is limited.


Within six months:

  • Deploy a mobile threat defence (MTD) or mobile EDR tool that performs crash log analysis and forensic monitoring, not just application reputation checks, and that continuously monitors network traffic for anomalies.
  • Establish an incident response procedure for suspected iOS compromise, including clear guidance on evidence preservation and access to forensic expertise.


Corrata provides mobile threat defence for iOS and Android, including network-level detection of spyware communication and vulnerability management to ensure devices are running patched OS versions. Learn more about Corrata’s spyware detection capabilities.
