What Google Threat Intelligence Group (GTIG) and partners have documented about drive-by iOS exploit chains—and why patching matters more than vibes.
For years, the comfortable story went like this: Android is “open,” iOS is locked down, so you don’t hear about iPhone malware the same way. That was never a perfect mental model, but recent research is a blunt reminder that sophisticated attacks don’t need your permission—they need a browser, a vulnerable version of iOS, and a reason to target you.
The rule: assume “no news” is not the same as “no risk”
The thesis in one sentence: On modern phones, the scarcest resource isn’t your attention—it’s whether your OS is current when someone serves a web-based exploit chain.
That doesn’t mean you should panic every time you open Safari. It means “I’ve never heard of this” is a bad proxy for security—especially when the threat landscape is actively shared between commercial surveillance vendors, state-aligned actors, and financially motivated groups.
What researchers actually named (and why “Corona” isn’t the name)
In GTIG’s March 2026 analysis of the Coruna exploit kit, researchers explain the kit was internally named “Coruna” by its developers—recovered from debugging artifacts when an actor deployed a debug build that exposed internal codenames. (On the podcast we said “Corona”; the documented name is Coruna.)
GTIG describes five full exploit chains and 23 exploits targeting iOS 13.0 through 17.2.1, with extensive documentation and English-language comments in the recovered code—useful for analysts, not a reliable country-of-origin fingerprint.
How the attacks show up: watering holes and malicious web content
Drive-by compromise doesn’t require you to tap “Allow.” GTIG’s write-up describes how the same JavaScript framework showed up in hidden iframes on compromised sites—including Ukrainian sites in a summer 2025 campaign attributed to UNC6353, a suspected Russian espionage group—so visiting a normal-looking page could start the chain. Later, GTIG observed broad-scale use of the same kit on fake Chinese financial sites (crypto lures) by a different actor.
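A site owner's check for the injection pattern described above, as an added example (not code from GTIG or the page): it parses a page's HTML and flags iframes that are both hidden by style or size and point at a host other than the page's own. The sample HTML and hostnames are constructed.

```python
# Added example (not code from GTIG or the page): scan a page's HTML for iframes
# that are both hidden and off-origin, the injection pattern the write-up
# describes for compromised watering-hole sites. Sample HTML below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style idioms commonly used to keep an injected frame out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0(?:px)?\b|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # Keep the attribute dict of every <iframe>; boolean attrs become "".
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    # Zero- or one-pixel frames declared via width/height attributes.
    return attrs.get("width", "").strip() in ("0", "1") or \
           attrs.get("height", "").strip() in ("0", "1")

def suspicious_iframes(html, page_host):
    """Return [(src, host)] for hidden iframes whose src host differs from page_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative or empty src
        if host and host != page_host and is_hidden(attrs):
            findings.append((src, host))
    return findings

# Constructed sample: a legitimate visible embed plus one injected hidden frame.
SAMPLE_HTML = """<html><body>
<h1>Local news</h1>
<iframe src="https://news.example.com/weather" width="300" height="200"></iframe>
<iframe src="https://cdn.example.net/loader.html" style="display:none;width:0;height:0"></iframe>
</body></html>"""
```

Run it over a crawl of your own pages and diff the findings against the embeds you know you ship; a hidden off-origin frame you did not add is the thing to investigate.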
Google’s broader point: these capabilities proliferate—from surveillance vendors to espionage to financially motivated operators—mirroring a pattern Google has called out repeatedly. It’s less “one villain” and more “one exploit kit, many customers.”
DarkSword: the newer chain (and why iOS 18 users still matter)
GTIG’s follow-on analysis “The Proliferation of DarkSword” describes a separate full-chain exploit, DarkSword, targeting iOS 18.4 through 18.7 with six vulnerabilities and multiple zero-days used in the wild. GTIG observed commercial surveillance vendors and suspected state-sponsored actors using it across Ukraine, Saudi Arabia, Turkey, and Malaysia—and notes UNC6353 (who previously used Coruna) incorporating DarkSword into watering-hole campaigns.
Patching: GTIG reports vulnerabilities were disclosed to Apple and patched with iOS 26.3 (with many fixes landing earlier). If you’re on current iOS, you’re in the intended “fixed” posture—Settings → General → About is still the boring truth.
Partners: what “I verify” referred to
Google published DarkSword research in coordination with Lookout and iVerify—that’s the “I verify” name from the conversation. Treat third-party write-ups as explainers, not replacements for Apple’s security updates and Google Safe Browsing protections (GTIG adds domains to Safe Browsing to reduce repeat exposure).
Crypto wallets and “state tools” that leak
Crypto theft is a documented outcome in the Coruna ecosystem: reporting (e.g. BleepingComputer’s coverage) tracks how spyware-grade kits get repurposed for financial theft. That’s the real small-business angle: keys and seed phrases on a phone are a high-value target independent of your company’s size.
The EternalBlue analogy from the episode is directionally correct: EternalBlue was an exploit linked to leaked offensive tooling that became everyone’s problem. Whether any specific iOS kit is “U.S.-developed,” “leaked,” or simply sold and resold is attribution territory—journalists and researchers should label uncertainty; defenders should still patch.
What to do (boring, effective)
- Update iOS to the latest release your hardware supports. GTIG explicitly says Coruna does not work against the latest iOS at time of publication; DarkSword is addressed in the iOS 26.3 patch window described in their post.
- Consider Lockdown Mode if you’re a plausible target (journalists, activists, execs, contested geographies). GTIG notes Coruna’s kit backs off when Lockdown Mode is on or Safari is in Private Browsing—not an everyday default for everyone, but a real lever.
- Don’t treat “restart your phone” as a policy. It might affect some ephemeral behaviors, but your durable defense is vendor patches and reducing exposure (updated OS, cautious browsing, hardware-backed keys for crypto where possible).
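A fleet triage script for the update step, as an added example (not from GTIG or the page): it classifies exported device iOS versions against the target windows the article cites (Coruna 13.0 through 17.2.1, DarkSword 18.4 through 18.7) and the iOS 26.3 release it names as the fix. The device inventory is constructed; anything below 26.3 and outside a documented window is simply marked as needing an update, not as safe.

```python
# Added example (not from the GTIG posts): triage exported device versions
# against the iOS ranges the article cites, Coruna 13.0 through 17.2.1 and
# DarkSword 18.4 through 18.7, and the iOS 26.3 release it names as the fix.
# The device inventory below is constructed.

def parse_version(text):
    """'17.2.1' -> (17, 2, 1). Keeps only the components present."""
    return tuple(int(p) for p in text.strip().split("."))

def in_range(version, low, high):
    """Inclusive range check; a short upper bound like '18.7' covers 18.7.x."""
    v = parse_version(version)
    lo, hi = parse_version(low), parse_version(high)
    v_lo = v + (0,) * (len(lo) - len(v))  # pad so '13' compares as 13.0
    return v_lo >= lo and v[:len(hi)] <= hi

# Target windows as documented in the page's sources.
DOCUMENTED_CHAINS = {
    "Coruna": ("13.0", "17.2.1"),
    "DarkSword": ("18.4", "18.7"),
}
PATCHED_RELEASE = "26.3"

def classify(version):
    """Return 'patched', 'documented target: <kits>', or 'update needed'."""
    v = parse_version(version)
    p = parse_version(PATCHED_RELEASE)
    if v[:len(p)] >= p:
        return "patched"
    hits = [k for k, (lo, hi) in DOCUMENTED_CHAINS.items() if in_range(version, lo, hi)]
    if hits:
        return "documented target: " + ", ".join(hits)
    return "update needed"

def triage(inventory):
    """inventory: [(device_id, ios_version)] -> [(device_id, status)]."""
    return [(dev, classify(ver)) for dev, ver in inventory]

# Constructed inventory, e.g. from an MDM export.
INVENTORY = [
    ("phone-01", "17.2.1"),
    ("phone-02", "18.7.2"),
    ("phone-03", "18.0"),
    ("phone-04", "26.3.1"),
]

if __name__ == "__main__":
    for dev, status in triage(INVENTORY):
        print(dev, status)
```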
Sources
- Google Cloud — Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit
- Google Blog — State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
- Google Cloud — The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
- Lookout — DarkSword
- iVerify — DarkSword iOS exploit kit explained
- Google — Safe Browsing
- BleepingComputer — Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks
- Wikipedia — EternalBlue
- Apple Support — Lockdown Mode