Two software exploits capable of planting malware on potentially hundreds of millions of iPhones has surfaced over the past month, showing that such advanced exploits are being widely deployed, researchers said.
At least one of the two tools, known as “Coruna”, was initially developed for government use, Google security researchers said, with a separate report indicating the original source was a US military contractor.
Coruna, along with the second exploit, “Darksword”, both ended up in the hands of cybercriminals with financial motives, according to Google and two other computer security companies who reported on the two exploits.
US origin
The exploits show how powerful exploits developed for government use are falling into the hands of commercially motivated hackers and are being widely used.
Google said the first exploit, named Coruna by its original developer, was deployed in a series of global attacks in 2025.
It was made up of 23 different components and was used in “highly targeted operations” by an unnamed government customer of a “surveillance vendor”, Google said earlier this month.
The original developer of Coruna was likely to have been Trenchant, the surveillance technology division of US military contractor L3Harris, TechCrunch reported.
The outlet cited a former L3Harris employee as saying that “Coruna” was the “internal name of a component” and the technical details published by Google were “familiar”.
Coruna made its way into the hands of other users, including Russian government-backed spies, some Ukrainians, and Chinese criminals in “broad-scale” campaigns aimed at stealing money and cryptocurrency, Google said.
Phone hacking campaigns
The second exploit, Darksword, was planted on dozens of websites in Ukraine in recent weeks, said Google and cyber-security firms Lookout and iVerify, all three of which independently analysed both Coruna and Darksword.
Google said it observed multiple commercial vendors and suspected state-linked hackers using Darksword in campaigns in Saudi Arabia, Turkey, Malaysia and Ukraine.
The campaigns in Malaysia and Turkey were associated with Turkish commercial surveillance vendor PARS Defence, Google said.
iVerify and Lookout said Darksword was being delivered to iPhone users running iOS 18.4 to 18.6.2 who visited one of dozens of Ukrainian websites. The Apple software dates from March to August of last year.
Apple said the issues underlying the exploits targeted out-of-date software and that the vulnerabilities had been addressed by multiple updates.
