The iPhone Spyware Problem Didn't Go Away. It Grew a Business Model.

Threat in the Wild

Earlier this year, two powerful iPhone exploit kits surfaced within two weeks of each other. Months on, the more important story is not the kits themselves. It is that the market behind them has kept maturing, and hundreds of millions of devices are still sitting on vulnerable software.

What actually changed

When researchers at Google's Threat Intelligence Group, iVerify, and Lookout disclosed the exploit kits known as Coruna and DarkSword, the headline was the capability. DarkSword could silently compromise iPhones running iOS 18.4 through 18.7 through nothing more than a visit to a compromised web page. No download, no click to install. Within seconds to minutes it pulled Wi-Fi passwords, messages, call history, location history, browser history, and health, notes, and calendar data, then deleted its own files and exited before most security scans could catch it.

That was alarming. What has happened since is the part worth paying attention to now.

A newer version of DarkSword has already leaked. Both kits were built by third parties and resold, and researchers have warned that this second-hand market is turning tools once reserved for nation-states into something closer to off-the-shelf products. The financial incentive is simple: an exploit developer can get paid more than once for the same work. When that happens, capability that used to be rationed to a handful of intelligence agencies starts showing up in the hands of criminals and commercial surveillance vendors with far less discretion about who they point it at.

There are now two classes of iPhone user

Security researchers have started describing the iPhone landscape in blunt terms: there are two classes of user.

The first runs the latest iOS on recent hardware, where features like Memory Integrity Enforcement and Lockdown Mode neutralize the exact memory-corruption techniques these kits rely on. Apple has stated it is not aware of any successful mercenary spyware attack against a device with Lockdown Mode enabled.

The second runs iOS 18 or older. Those devices remain exposed to attacks we already know are being used in the wild, and analyst data suggests a very large number of people simply have not upgraded. That gap, months after the disclosures and after Apple pushed critical updates and lock-screen alerts, is the real vulnerability.

Do this now

Update your iPhone. On the device, open Settings, then General, then Software Update, and install the latest version. As of this writing that is iOS 26.5.2, which is well beyond anything these kits targeted. iOS 27 is due this fall, so expect another prompt then, and take it.

If you cannot update, or your role makes you a higher-value target, enable Lockdown Mode. It blocks the additional bypasses these chains require. Anyone who receives an Apple Threat Notification should treat it seriously and consider a forensic review.

Patch discipline is the floor here, not the ceiling.

What this means for your organization

The exploit-as-a-service market is not a future problem. It is the current operating environment. Tools that used to signal a nation-state adversary now signal very little about who is behind an attack, because the same kit can be bought, resold, and repurposed by a financially motivated actor within weeks.

That collapses a comforting assumption. "We are not a nation-state target" no longer maps to "we are safe from nation-state-grade tools." And if your security posture still treats phones as low-risk endpoints, that assumption is worth revisiting today. Mobile devices hold credentials, executive communications, financial access, and location patterns. That makes them high value regardless of who is holding them, and regardless of whether your organization has ever considered itself a target.

ProAlign helps organizations understand and anticipate threats before they materialize. Whether you are assessing mobile threat exposure, conducting due diligence, or monitoring for indicators of compromise across your environment, our team is ready to help.

Next
Next

The Craft Keeps Getting Sharper: Reflections from OSMOSISCon 2026