Apple has issued an unusual warning, urging iPhone users to update their devices immediately following new cybersecurity research showing that Russian intelligence, Chinese cybercriminals and other malicious hackers are using advanced tools to compromise devices running outdated versions of iOS.
The tools, known as DarkSword and Coruna, are no longer isolated vulnerabilities but full exploit kits. They were described this month by Google and cybersecurity firms iVerify and Lookout as systems that give hackers deep remote access to iPhones, including the ability to extract virtually all stored data.
Large-scale data extraction
iVerify said the level of access is extensive. "DarkSword appears to be a surveillance and intelligence gathering tool, blanket pulling data including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data as well as health, notes and calendar databases," the company said.
Apple stressed that the tools are effective primarily against devices running older software versions. "Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices," Apple’s spokesperson, Sarah O’Rourke, said in a statement.
Security experts interviewed by international media described the findings as concerning. Despite Apple’s reputation for strong security, older versions of iOS appear to be particularly vulnerable, creating a gap that attackers actively exploit.
Researchers said several groups have already been targeted using these tools, including Ukrainian civilians reportedly targeted by Russian intelligence, crypto users in China and individuals in Saudi Arabia, Turkey and Malaysia. No attacks against Americans or Israelis have been reported so far, but experts warned that any user with an outdated operating system could be at risk.
Apple noted that iOS 26, released in September, already includes protections against these tools. Last week, the company took the unusual step of releasing a dedicated security update for older devices that cannot upgrade to the latest version, aiming to block the exploits.
Instead of chasing the victims, the hacker waits for them
Cybersecurity experts said DarkSword and Coruna infect devices via a watering hole attack, a method in which the attacker does not directly target the victim but instead waits for them on a website they regularly visit. Attackers compromise or replicate websites commonly visited by their targets and embed malicious code.
Once a user visits the site, the code exploits vulnerabilities in the device, such as those found in outdated iPhones, and can infect it automatically without requiring any downloads or suspicious clicks. This makes the attack particularly dangerous because users do not need to make a mistake to be compromised.
At the same time, breaking into an iPhone remains technically complex. These tools rely on a chain of multiple vulnerabilities working together to gain control of a device, with their key advantage being the ability to package these chains into ready-to-use kits for hackers.
“There’s been this perception in the security community that attacks against iPhones are like mythical beasts, they’re rare,” Rocky Cole, chief operating officer at iVerify, told NBC. “Nah, we just don’t really have the tools to see these. I have a feeling that it’s more pervasive than people think.”
In practical terms, while the iPhone remains one of the most secure smartphones on the market, that protection depends heavily on staying up to date. Users who have not yet updated their devices are now being urged to do so immediately.