Apple doesn’t do panic. The company is famous for understatement — a “significant vulnerability” here, a “security fix” there, usually buried in a terse press release most people never read. So when Apple publishes a rare public support document urging iPhone users to update immediately and even recommending an extreme feature called Lockdown Mode for those who can’t, you should sit up and pay attention.

That’s exactly what happened in March 2026. Apple published a support document at support.apple.com warning that two sophisticated iOS exploit kits — named DarkSword and Coruna — are actively being used in the wild to compromise iPhones. Not theoretically. Not in a lab. Right now.

If you or someone you know has an older iPhone, this article is for you. We’re going to explain what’s happening, whether you’re at risk, and — most importantly — exactly what you need to do about it.

The Warning You May Have Missed

On March 21, 2026, Apple quietly published support document #126776, which is remarkable for what it actually says rather than what it glosses over.

In plain language, Apple acknowledged that:

  • Two powerful exploit kits (DarkSword and Coruna) are being actively used against older iPhones
  • Simply clicking a malicious link or visiting a compromised website can lead to the theft of everything on your iPhone
  • Devices running iOS 13 or iOS 14 are particularly vulnerable
  • Even devices on iOS 15 or 16 that haven’t updated to the latest patch are at risk
  • Apple recommends Lockdown Mode for devices that cannot be updated — an extreme security measure that Apple has previously described as a last resort for journalists, activists, and people targeted by governments

“If you’re using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen,” Apple wrote in the document.

For Apple, that’s practically a fire alarm.

What Are DarkSword and Coruna? (Plain English, We Promise)

Before we get into the technical details, let’s make sure we’re on the same page about what these things actually are.

Exploit Kits: The Burglar’s Toolkit

An exploit kit is essentially a pre-packaged hacking toolkit. Imagine a burglar who doesn’t need to pick your lock themselves — they have a magic skeleton key that works on thousands of different models automatically. Exploit kits work the same way: they bundle together multiple software vulnerabilities and attack methods into one automated system that can be deployed against many targets at once.

Until recently, iOS exploit kits were extraordinarily rare. Apple’s tight control over its hardware and software ecosystem made iOS significantly harder to crack than Android. Professional hackers, governments, and intelligence agencies were spending millions of dollars to develop iOS exploits — and they guarded those tools jealously, using them only for the highest-value targets like journalists, dissidents, and heads of state.

That era is ending.

DarkSword: The Second iOS Framework in the Wild

DarkSword was first analyzed by Google’s Threat Intelligence Group (GTIG) and represents something the security world had hoped to avoid: a full iOS exploit chain being shared and reused across multiple hacking groups.

According to researchers, DarkSword combines six vulnerabilities in iOS and Safari — including three previously unknown zero-day flaws — into a single attack chain that can completely compromise an iPhone just by having the victim visit a malicious website. No app download. No password prompt. No warning of any kind.

The Risky Business security podcast described DarkSword as “the second iOS hacking framework found in the wild” — the phrasing matters because it signals this is no longer a one-off occurrence. This is a trend.

How DarkSword works technically (simplified):

The exploit chain targets three specific vulnerabilities:

  • CVE-2025-31277: A type confusion bug in Safari’s JavaScript engine (JIT optimization layer)
  • CVE-2025-43529: A garbage collection bug in the JIT layer, affecting more recent iOS versions
  • CVE-2026-20700: A bug in a core iOS system component (dyld) that lets attackers bypass Apple’s Pointer Authentication Codes — a key security feature

By chaining these together, attackers can go from “your browser loads a webpage” to “malware is running on your phone” in seconds, with full access to your data.

Coruna: 23 Exploits in a Single Chain

If DarkSword sounds bad, Coruna raises the stakes further. Coruna is a separate iOS exploit kit that strings together a staggering 23 individual exploits in a single attack chain — making it one of the most complex mobile attack frameworks ever documented.

Coruna has been linked to a suspected Russian state-sponsored threat actor tracked as UNC6353. Notably, the same group appears to be using both Coruna and DarkSword — suggesting they have access to a portfolio of iOS attack tools, not just one.

The overlap is deeply concerning: it means that even if Apple patches the specific vulnerabilities DarkSword uses, attackers have a fallback ready.

What Happens If You Get Hit?

Both exploit kits are designed to deliver malware called Ghostblade — and it’s remarkably thorough in what it steals.

The Ghostblade Payload: Everything on Your Phone

Once Ghostblade lands on your device through DarkSword, here’s what it can steal in a single sweep:

Communications:

  • ✅ SMS and iMessage messages
  • ✅ WhatsApp message history
  • ✅ Telegram message history
  • ✅ Email content

Personal data:

  • ✅ Photos and videos
  • ✅ Contacts
  • ✅ Calendar entries
  • ✅ Notes
  • ✅ Health data

Location and connectivity:

  • ✅ GPS location history
  • ✅ Wi-Fi network names and passwords
  • ✅ SIM card information

Security-sensitive data:

  • ✅ Saved passwords (keychain items)
  • ✅ Safari browsing history and cookies
  • ✅ A list of every app installed on your phone

Cryptocurrency and financial data:

  • ✅ Data from major crypto exchange apps (Coinbase, Binance, Kraken, KuCoin, OKX, Mexc)
  • ✅ Data from crypto wallet apps (Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom)

It Covers Its Tracks

One of the most alarming aspects of Ghostblade is that it’s designed for forensic evasion. Once it’s done stealing your data, it deletes its own temporary files and terminates itself.

This means many victims will never know they were compromised. There’s no obvious sign anything happened. Your phone looks and works perfectly normally — while somewhere, a threat actor has a complete copy of your digital life.

As Malwarebytes researchers put it: because Ghostblade wipes its traces after exfiltrating all that data, “it can take a long time before victims figure out something is wrong. Many victims may never know they were compromised.”

Am I Affected? How to Check Your iOS Version Right Now

This is the most important section of this article. Let’s figure out if you need to take action.

Step 1: Check Your iOS Version

  1. Open the Settings app on your iPhone
  2. Tap General
  3. Tap About
  4. Look at the iOS Version field

Step 2: Read the Version Number

Here’s what different version numbers mean for your risk level:

🔴 HIGH RISK — Update immediately:

  • iOS 13 (any version, e.g., 13.7)
  • iOS 14 (any version, e.g., 14.8.1)
  • iOS 15.0 through 15.8.6
  • iOS 16.0 through 16.7.14

🟡 MODERATE RISK — Update if possible:

  • iOS 18.4 through 18.7 (DarkSword specifically targets these versions)

🟢 LOWER RISK — Still check for updates:

  • iOS 15.8.7 or newer
  • iOS 16.7.15 or newer
  • iOS 17.x (latest)
  • iOS 18.7.3 or later
  • iOS 26.2 or later

✅ SAFE (DarkSword and Coruna patched):

  • The latest available iOS for your device

A Quick Note on “Lower Risk”

Being on 15.8.7 or 16.7.15 doesn’t mean you’re completely safe from every threat — only that you’re patched against the specific exploits in DarkSword and Coruna. Staying updated is always the right call.

Which Devices Are Affected?

Almost any iPhone released in the last decade could be affected if it’s running an outdated iOS version. The exploit kits specifically target:

  • iPhones running iOS 13 or 14 (these devices typically can’t upgrade past their maximum supported iOS)
  • iPhones that can run iOS 15 or 16 but haven’t been updated to the latest patch versions
  • Interestingly, even newer iPhones on iOS 18.4 through 18.7 are vulnerable to DarkSword’s specific exploit chain

The “older iPhone” framing in Apple’s warning relates primarily to devices stuck on iOS 13 or 14, which have no pathway to receive the critical patches except to upgrade to iOS 15 (which Apple is making available, with a specific Critical Security Update to follow).

How the Attack Actually Works (And Why It’s Scary)

Most people assume that to get malware on their phone, they have to download a suspicious app or fall for an obvious phishing scam. DarkSword and Coruna shatter that assumption.

The Drive-By Attack: Just Visit a Website

Both exploit kits are delivered through what security researchers call a watering hole attack. Here’s how it works:

  1. Attackers compromise a legitimate website — in some documented cases, this included government websites in Ukraine and fake lookalike pages (like a fake Snapchat site in Saudi Arabia)
  2. You visit that website in Safari — it could look completely normal
  3. Malicious JavaScript code executes in your browser automatically
  4. The exploit chain begins without any interaction from you — no click, no download, no permission prompt
  5. Within seconds, your device is compromised

This is called a drive-by attack — you don’t have to do anything wrong. You just have to visit the wrong page at the wrong time.

Why Safari? Why Not Chrome?

Safari is deeply integrated with iOS in ways that Google Chrome or other browsers are not. Because of Apple’s rules, even third-party browsers on iPhone use Apple’s WebKit engine underneath. This means that vulnerabilities in Safari’s JavaScript engine (WebKit/JavaScriptCore) affect your entire iPhone — not just Safari.

In practical terms: even if you don’t use Safari, you’re still potentially vulnerable if you’re using any browser on an unpatched iPhone.

Real-World Campaigns Already Running

Google’s Threat Intelligence Group documented actual attacks in the wild:

  • Ukraine: Attackers compromised at least two Ukrainian websites, including a government site, and used them to deliver DarkSword/Ghostblade to visitors
  • Saudi Arabia: A fake Snapchat lookalike site was used to target victims
  • Turkey and Malaysia: Campaigns were observed but details are limited

The threat actors range from commercial spyware vendors (the kind that sell to corporations and governments) to state-backed hackers — meaning your phone could be targeted for espionage, financial theft, or both.

Spencer Parker, chief product officer at security firm iVerify, made this chilling assessment: “Nation-state-grade mobile exploitation is now available for mass attack.”

Step-by-Step: How to Update Your iPhone Right Now

This is the single most important thing you can do. Here’s exactly how to do it.

  1. Connect your iPhone to Wi-Fi (updates won’t download over cellular by default)
  2. Plug your iPhone into a charger (or make sure you have at least 50% battery)
  3. Open Settings
  4. Tap General
  5. Tap Software Update
  6. If an update is available, tap Download and Install
  7. Enter your passcode when prompted
  8. Tap Install Now (or Tonight to install while you sleep)
  9. Your phone will restart — this is normal

Option 2: Update via iTunes/Finder (if the phone won’t update over Wi-Fi)

  1. Connect your iPhone to a Mac or PC with a USB cable
  2. On Mac (macOS Catalina or later): Open Finder, click your iPhone in the sidebar
  3. On PC or older Mac: Open iTunes
  4. Click Check for Update
  5. Click Download and Update
  6. Follow the prompts

Specific Version Targets

Here’s what you’re aiming for based on your device:

Your Current iOSWhat to Update To
iOS 13.xiOS 15 + Critical Security Update (coming soon)
iOS 14.xiOS 15 + Critical Security Update (coming soon)
iOS 15.0–15.8.6iOS 15.8.7
iOS 16.0–16.7.14iOS 16.7.15
iOS 18.4–18.7iOS 18.7.3 or iOS 26.2
Any versionThe latest available for your device

What If My iPhone Says It’s Already Up to Date?

If Software Update says “iOS X.X.X — Your software is up to date,” and that matches one of the safe versions above, you’re good. If it’s showing an older version as “up to date,” that means your device cannot run a newer version — see the “What to Do If You Can’t Update” section below.

What Is Lockdown Mode — And Should You Use It?

Apple’s official guidance includes recommending Lockdown Mode for devices that can’t be updated to a patched iOS version. But what is it, and is it right for you?

Lockdown Mode: Apple’s Extreme Security Shield

Lockdown Mode is an optional feature Apple introduced in iOS 16. It’s designed for people who face extraordinary digital threats — journalists, human rights workers, lawyers handling sensitive cases, corporate executives with access to valuable secrets, and activists in authoritarian countries.

When you enable Lockdown Mode, your iPhone essentially goes into a hardened “no tourists” mode:

What Lockdown Mode blocks or restricts:

  • Most message attachment types are blocked (only certain image types allowed)
  • Dangerous web browsing technologies like JIT JavaScript are disabled (this specifically helps against DarkSword-style attacks)
  • FaceTime calls from unknown contacts are blocked
  • Wired connections to computers are blocked when the phone is locked
  • Configuration profiles and mobile device management cannot be installed

The trade-off: Your phone will be noticeably less convenient to use. Some apps may not work properly. Certain websites may load incorrectly or partially.

Should YOU Enable Lockdown Mode?

Apple’s guidance is clear: if your device cannot run a patched iOS version and you want to reduce your exposure, Lockdown Mode is the recommended mitigation.

However, for most regular users, updating your iOS is far better than relying on Lockdown Mode. Lockdown Mode is a compensating control — it reduces risk but doesn’t eliminate vulnerabilities the way a patch does.

Consider Lockdown Mode if:

  • ✅ Your device physically cannot update to a newer iOS version
  • ✅ You handle sensitive information professionally (legal, medical, journalistic)
  • ✅ You have reason to believe you’re a potential target for targeted attacks
  • ✅ You’re comfortable with a less convenient phone experience

You probably don’t need Lockdown Mode if:

  • ✅ You can update your iOS to a patched version (just do that instead)
  • ✅ You’re an average user with no specific reason to be targeted

How to Enable Lockdown Mode

If you decide to use it:

  1. Open the Settings app
  2. Tap Privacy & Security
  3. Scroll down and tap Lockdown Mode
  4. Tap Turn On Lockdown Mode
  5. Read the information presented and tap Turn On Lockdown Mode
  6. Tap Turn On & Restart
  7. Enter your device passcode when prompted

Your phone will restart with Lockdown Mode active. You can always turn it off the same way.

Why Two Separate Frameworks Is a Much Bigger Story

Here’s the thing about DarkSword and Coruna that goes beyond “update your phone”: the existence of two separate, sophisticated iOS exploit kits represents a fundamental shift in the threat landscape.

iOS Used to Be a Hard Target

For most of the last decade, iOS exploits were extraordinarily rare and expensive. Professional hackers — including government intelligence agencies — would spend years and millions of dollars developing a working iOS exploit chain. The companies that develop these tools (like NSO Group, maker of Pegasus spyware) would charge governments hundreds of thousands or even millions of dollars per target.

This high cost was actually a form of security for ordinary people. Even if a government wanted to compromise your iPhone, the cost and complexity meant they reserved such attacks for high-value targets.

The Market Has Changed

DarkSword and Coruna signal that iOS exploit technology has become commoditized — available to a wider range of actors at a lower cost. iVerify’s research found that “the exploit’s relative simplicity to deploy, along with its quick adoption by multiple threat actors in multiple countries, signals that these powerful tools are now readily available on the secondary market for less-sophisticated actors.”

In other words: what used to require nation-state resources is now being shopped around to anyone with a budget.

This is the “growing commercialization of iOS exploits” that security researchers are warning about. It means:

  1. More threat actors have access to iOS attack capabilities
  2. More campaigns will use these tools against a wider variety of targets
  3. Ordinary people — not just dissidents and executives — are increasingly at risk
  4. The window between exploit discovery and mass exploitation is shrinking rapidly

The Risky Business Factor

The Risky Business security podcast, one of the most respected voices in the cybersecurity industry, flagged DarkSword as “the second iOS hacking framework found in the wild.” That framing — second — implies a pattern. Two frameworks in quick succession suggests this is a trend, not an anomaly.

If two iOS exploit kits are in active circulation in 2026, how many more might exist that haven’t been discovered yet?

What to Do If You Can’t Update

Some older iPhone models simply cannot run iOS 15 or later. If you’re in that situation, here’s your realistic action plan.

First: Know Your Device’s Maximum iOS

iPhone ModelMaximum iOS
iPhone 6iOS 12.5.7
iPhone 6s / 6s PlusiOS 15.8.x
iPhone 7 / 7 PlusiOS 15.8.x
iPhone 8 / 8 PlusiOS 16.7.x
iPhone XiOS 16.7.x
iPhone XS / XR and neweriOS 17+ or iOS 18+

If your phone’s maximum iOS is iOS 12 or older, you’re in a difficult position. These devices cannot receive the patches for DarkSword or Coruna.

Your Options If You’re Stuck on Old iOS

Option 1: Use Lockdown Mode (if available) If your device supports it (iOS 16 and later), enable Lockdown Mode as described above. This significantly reduces your attack surface even without a full patch.

Option 2: Change your browsing habits If you cannot update and cannot enable Lockdown Mode, you can reduce risk through behavior:

  • ✅ Avoid clicking links in text messages, emails, or social media from unknown senders
  • ✅ Don’t visit unfamiliar websites on your unpatched phone
  • ✅ Use your phone mainly for calls and text — minimize web browsing
  • ✅ Avoid storing sensitive passwords or financial information on the device
  • ✅ Never log into banking, crypto, or high-value accounts from an unpatched device

Option 3: Limit sensitive data on the device

  • Move high-value crypto assets off mobile wallets entirely
  • Use a dedicated hardware wallet for significant crypto holdings
  • Don’t store sensitive work documents or communications on a device you can’t patch

Option 4: Consider upgrading your hardware If your phone genuinely cannot receive security patches, it is — bluntly — no longer safe for anything sensitive. A refurbished iPhone 8 or newer can often be found for under $100 and will support current iOS security updates. The cost of a cheap upgrade is almost certainly less than the cost of having your financial accounts, identity, or sensitive communications stolen.

A Note on iOS 13 and 14 Users

Apple’s guidance specifically calls out iOS 13 and iOS 14 users: update to iOS 15. If you’re running iOS 13 or 14, your device can run iOS 15 — you just haven’t updated. This is the most important action you can take. Apple has also announced a “Critical Security Update” for iOS 15 users coming in the next few days of this writing. Get to iOS 15 and then apply that update immediately.

The Bigger Picture: What This Means for iPhone Security

Let’s zoom out for a moment. Because DarkSword and Coruna aren’t just a problem for people with old phones — they’re a signal about where iPhone security is heading.

The End of “iPhone is Unhackable”

For years, there was a cultural assumption that iPhones were effectively hacker-proof for ordinary users. Android was the “risky” platform. iOS was the safe choice.

That was never entirely true — but it was more true than it is today. The emergence of commercially available, widely-deployed iOS exploit kits means the gap between iOS and Android security is narrowing.

This isn’t Apple’s fault, exactly. They’ve been remarkably aggressive about patching vulnerabilities and even created Lockdown Mode precisely because they understood this threat was coming. But the attackers are catching up.

Updates Are Non-Negotiable Now

The single most important lesson from DarkSword and Coruna is this: iOS updates are not optional.

For years, many users treated iOS updates as optional — annoying interruptions that changed their familiar interface. “It’s fine,” people would say. “My phone works perfectly.”

DarkSword and Coruna prove that “works perfectly” is not the same as “is safe.” A drive-by exploit doesn’t care how smooth your screen animations are or whether your favorite app has a bug in the latest iOS version. It only cares whether you’re running patched software.

Enabling automatic updates is now a security necessity:

  1. Go to SettingsGeneralSoftware Update
  2. Tap Automatic Updates
  3. Enable both Download iOS Updates and Install iOS Updates

This way, security patches install overnight while you sleep, without you needing to think about it.

The Broader Security Checklist

Beyond updating, here are security habits that protect you in a world where iOS is increasingly targeted:

Essential (everyone should do these):

  • Enable automatic iOS updates
  • Use a strong, unique passcode (6+ digits or alphanumeric)
  • Enable Face ID or Touch ID
  • Use a password manager for unique passwords on every account
  • Enable two-factor authentication on your Apple ID and major accounts

Important (reduces your attack surface significantly):

  • Be skeptical of unsolicited links — even from “known” contacts if it seems off
  • Don’t jailbreak your iPhone (removes important security restrictions)
  • Review which apps have access to your location, photos, contacts, microphone, and camera
  • Use content blockers in Safari to reduce exposure to malicious scripts
  • Enable “Private Browsing” for sensitive research

For higher-risk individuals:

  • Consider Lockdown Mode
  • Use a VPN on untrusted Wi-Fi networks
  • Move significant crypto holdings to hardware wallets
  • Enable FIDO2 hardware security keys for critical accounts

What About Future iOS Exploit Kits?

Security researchers expect more iOS exploit kits to emerge. The commercialization of these tools creates a market where finding iOS vulnerabilities is extremely lucrative — state-sponsored hackers, criminal groups, and “gray market” exploit brokers all have financial incentives to develop new attack chains.

Apple is working hard to stay ahead: they created the Security Research Device Program, they pay significant bug bounties (up to $1 million for certain iOS exploits), and features like Lockdown Mode show they’re building for extreme threat scenarios. But the arms race will continue.

The best individual defense remains the oldest advice in cybersecurity: keep your software updated. It’s not glamorous, but it works.

Summary: Your Action Checklist

Here’s everything you need to do, in order of priority:

Right Now (Do This Today)

  • Check your iOS version: Settings → General → About → iOS Version
  • Update your iPhone to the latest available iOS version
  • Enable automatic updates: Settings → General → Software Update → Automatic Updates → ON

If You Can’t Update

  • Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode)
  • Stop browsing the web on the unpatched device until you can replace it or update
  • Remove sensitive accounts — don’t use banking, crypto, or work email on an unpatched device
  • Consider upgrading your hardware — this is no longer optional for security

Ongoing Security Habits

  • Be skeptical of links — even from trusted contacts
  • Use unique passwords with a password manager
  • Enable two-factor authentication everywhere possible
  • Review app permissions regularly
  • Watch for any unusual activity in your financial accounts

Final Word

A dark sword hanging over your iPhone might feel like something out of a thriller novel. But DarkSword and Coruna are real, they’re being actively used right now, and they can steal everything on your device with nothing more than a webpage visit.

The good news: unlike many security threats, this one has a clear, free fix. Update your iPhone. That’s it. Apple has done the hard work of identifying these vulnerabilities and building patches for them. All you need to do is install them.

You spend a lot of time and money on your iPhone, and you trust it with everything — your conversations, your photos, your bank accounts, your identity. Take five minutes today to make sure it’s protected.

Go to Settings → General → Software Update. Do it now, while you’re thinking about it.

Your future self — the one whose identity hasn’t been stolen and whose crypto wallet is still intact — will thank you.

Sources: Apple Support Document #126776, Google Threat Intelligence Group DarkSword analysis, Malwarebytes mobile security blog, iVerify iOS security research, The Hacker News, Help Net Security, CyberScoop.