Dailyhunt
270 million iPhones at risk from DarkSword Spyware; Update now, Apple warns

Apple is urging iPhone users to update their devices after cybersecurity researchers uncovered two exploit kits called DarkSword and Coruna that have been used by suspected Russian intelligence operatives and Chinese cybercriminals to compromise iPhones running outdated software.

The findings, published this week by Google's Threat Intelligence Group alongside mobile security firms Lookout and iVerify, reveal that a suspected Russian-backed group tracked as UNC6353 deployed both toolkits primarily against Ukrainian targets through "watering hole" attacks on compromised websites.

DarkSword targets iPhones running iOS versions 18.4 through 18.7 and can steal passwords, photos, cryptocurrency wallet credentials, WhatsApp and Telegram messages, browser history, and other personal data before wiping its traces and disappearing from the device.

iVerify estimated that up to 270 million iPhone users could be susceptible to the exploits, while Lookout told CyberScoop that roughly 15% of all iOS devices currently in use are running vulnerable software. Google also found DarkSword was used against targets in Saudi Arabia, Turkey, and Malaysia.

The discovery follows an earlier TechCrunch report that the Coruna toolkit -- a 23-component hacking package first identified in early March -- was originally developed by US defense contractor L3Harris before ending up in the hands of Russian spies and Chinese cybercriminals.

"All signs point to the Russian government," iVerify co-founder Rocky Cole told TechCrunch. Lookout researcher Justin Albrecht described UNC6353 as "a well-funded and connected threat actor conducting attacks for financial gain and espionage in alignment with Russian intelligence requirements".

Researchers also noted that someone used a large language model to customize both toolkits, effectively lowering the barrier for deploying advanced mobile exploits. The server-side component of DarkSword included AI-generated code with detailed comments -- poor operational security for a state-linked actor, Albrecht said.

Google reported the vulnerabilities to Apple in late 2025, and all flaws were patched with the release of iOS 26.3 in February, though most had been addressed in earlier updates.

Apple stated it was "aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific individuals on versions of iOS before iOS 26".

Security researchers recommend updating immediately and regularly restarting devices, which can flush memory-resident malware. For high-value targets, Apple's Lockdown Mode offers the strongest known defense against spyware.

Disclaimer: This content has not been generated, created or edited by Dailyhunt. Publisher: Mathrubhumi English