Apple’s latest iOS 26 release raises the bar for iPhone security, but leaked exploit kits circulating online are giving attackers a ready-made path into older devices, leaving a large swath of users exposed to spyware and data theft.
Security researchers at Google, iVerify, and Lookout have tracked broad campaigns wielding toolsets dubbed Coruna and DarkSword against users who haven’t upgraded. The operations, attributed in part to Russian intelligence units and Chinese cybercriminal groups, rely on hacked or fake websites to deliver drive-by infections capable of harvesting messages, files, and device data at scale.
In recent weeks, parts of these toolchains have leaked publicly, lowering the skill and cost needed to run iPhone hacking efforts. What once demanded rare zero-day exploits and specialist teams can now be replicated by copycats and low-tier brokers against anyone stuck on outdated software.
Two Security Realities For All iPhone Users
On the high end, iOS 26 running on the latest iPhone 17 hardware brings Memory Integrity Enforcement, a defense aimed squarely at memory-corruption bugs—the class DarkSword reportedly leans on. Combined with features like Lockdown Mode, these protections make modern devices markedly harder to compromise through common exploit chains.
But millions remain on iOS 18 or earlier, where memory-safety gaps and older mitigations leave more openings. Even if iOS adoption eventually reaches 80–90%, that still means 10–20% of a global iPhone base numbering in the billions stays vulnerable for weeks or months—translating into tens to hundreds of millions of reachable targets during the update lag.
What The Leaked Kits Change For iPhone Security
DarkSword and Coruna exemplify a new playbook: compromise a site your targets already trust, then invisibly probe the device and trigger a chain of memory bugs to seize control. Google’s analysts say DarkSword hinges on memory corruption, a category historically responsible for the majority of critical remote-code execution bugs across major platforms.
The public spill of exploit code accelerates copycat operations and shrinks defenders’ reaction windows. Justin Albrecht, a principal researcher at Lookout, warns of a thriving second-hand market where exploit developers can get paid twice—first by a government or broker, then again when a patched chain is resold or leaked before users update.
More attackers now have a shortcut to industrial-grade tradecraft. Running these kits doesn’t require novel zero-days; it only requires enough unpatched devices. As iVerify and Lookout note, the myth that iPhone compromises are inherently rare is often a measurement problem, not a capability gap.
Why iOS 26 Hardening Matters But Is Not A Panacea
Memory Integrity Enforcement aims to choke off a dominant bug class. Google’s Project Zero has long reported that memory-unsafe flaws account for the majority of serious exploits in the wild—regularly around the 60–70% range. Eliminating or neutralizing those pathways forces attackers to find costlier logic bugs, shift to baseband or supply-chain vectors, or rely more heavily on social engineering.
Lockdown Mode, introduced for high-risk users, also trims attack surface by disabling just-in-time compilation and tightening network and media parsing. Together with hardware-backed protections on newer chips, these raise attacker costs. Still, none of this helps if a device lingers on iOS 18 or earlier, where leaked kits can reuse already-known primitives with far higher success.
Guidance For iPhone Users And Organizations
Update immediately to iOS 26 and enable automatic updates, including Rapid Security Responses. High-risk users—journalists, activists, executives, and those traveling through high-surveillance regions—should consider Lockdown Mode, restrict profile installations, and avoid sideload-like workarounds. Treat unexpected website prompts and messaging attachments as suspicious, even if they appear to come from trusted contacts.
Enterprises should enforce minimum OS versions via MDM, block network access for noncompliant devices, and monitor for watering-hole activity and anomalous mobile traffic. Maintain an inventory of device models and OS levels, prioritize patch rollouts for high-risk roles, and subscribe to threat intelligence from teams like Google’s and Lookout’s to detect known Coruna and DarkSword indicators.
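The inventory and minimum-version steps above can be sketched as a small compliance triage. This is an added example, not code from any of the vendors named in the article; the inventory records, role labels and function names are constructed for illustration, and a real deployment would pull the same fields from its MDM export.

```python
from dataclasses import dataclass

MIN_OS = (26, 0, 0)  # policy floor from the guidance above (iOS 26)
# Assumed role labels, mirroring the high-risk groups the article lists.
HIGH_RISK_ROLES = {"journalist", "activist", "executive", "traveler"}

@dataclass
class Device:
    serial: str
    os_version: str
    role: str

def parse_version(text):
    """Return a 3+ element tuple of ints, or None if not a dotted numeric version."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    # Pad so "26" and "26.0" compare equal to (26, 0, 0).
    return nums + (0,) * (3 - len(nums))

def is_compliant(dev, minimum=MIN_OS):
    """Unknown or malformed versions fail closed (treated as noncompliant)."""
    v = parse_version(dev.os_version)
    return v is not None and v >= minimum

def patch_queue(devices, minimum=MIN_OS):
    """Serials of noncompliant devices: high-risk roles first, then oldest OS first."""
    def key(d):
        v = parse_version(d.os_version) or (0, 0, 0)
        return (d.role not in HIGH_RISK_ROLES, v)
    late = [d for d in devices if not is_compliant(d, minimum)]
    return [d.serial for d in sorted(late, key=key)]

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("C0001", "26.0", "executive"),
    Device("C0002", "18.7.1", "engineer"),
    Device("C0003", "18.6", "journalist"),
    Device("C0004", "17.5", "executive"),
    Device("C0005", "", "engineer"),      # version missing from inventory
    Device("C0006", "26", "sales"),
]

if __name__ == "__main__":
    for serial in patch_queue(INVENTORY):
        print("block network access and schedule update:", serial)
```

Devices whose version cannot be parsed land in the queue rather than being skipped, so a gap in the inventory shows up as a device to investigate instead of a silent pass.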
The Detection Gap And The Road Ahead For iPhone
Apple security expert Patrick Wardle has argued that labeling iPhone hacks “rare” often reflects limited visibility. Mobile platforms, by design, expose less telemetry, and sophisticated actors aim for stealth. As recent campaigns show, underreporting is not the same as absence.
Apple’s trajectory—expanding memory-safe code, deploying new mitigations like Memory Integrity Enforcement, and nudging rapid patching—is the right direction. But until lagging devices shrink to a rounding error, leaked exploit kits will keep converting small pockets of technical debt into large-scale compromise. The message is simple and urgent: patch fast, reduce attack surface, and assume adversaries are already testing the next chain.