Coruna and DarkSword are advanced iOS exploit frameworks that shift iPhone compromise from rare, highly targeted espionage operations to scalable enterprise-level attacks. Capabilities once limited to intelligence agencies and commercial surveillance vendors are now accessible to a broader threat ecosystem.
Public leaks of exploit components and JavaScript proof‑of‑concept code have lowered the barrier to exploitation. Threat actors can reuse and share these components across underground communities to launch web‑based attacks. As a result, unpatched iOS devices pose a growing enterprise security concern.

 

Coruna is a sophisticated exploit framework that targets iPhones and iPads running vulnerable iOS versions. Its reported capabilities include:

• Multiple exploit chains covering 20+ vulnerabilities
• Web‑based exploit delivery mechanisms
• Full device compromise and data exfiltration

 

Unlike Coruna, which targets older iOS versions, DarkSword targets newer versions, including iOS 18.x. Some attack scenarios require only a single click on a malicious or compromised website, while others approach near zero-click execution.
DarkSword combines multiple advanced techniques, including:

• Zero‑day vulnerabilities
• WebKit browser exploitation
• Kernel privilege escalation
• Sandbox escape techniques
• Persistent spyware deployment

Once attackers compromise a device, they can potentially steal messages, credentials, and browser data, track device location, capture screenshots, record audio, and execute remote commands. In an enterprise context, this leads to stolen authentication tokens, hijacked SaaS sessions, intercepted MFA approvals, and long‑term surveillance of sensitive communications.

Apple addressed the vulnerabilities associated with Coruna and DarkSword in iOS 18.7.7, released on April 1, 2026. Apple also introduced visible security warnings within iOS settings to encourage immediate upgrades. The patched vulnerabilities include:

• CVE‑2026‑20700 — dyld PAC bypass
• CVE‑2025‑43529 — JavaScriptCore zero‑day memory corruption
• CVE‑2025‑43520 — Kernel memory corruption
• CVE‑2025‑43510 — Kernel copy‑on‑write memory management issue
• CVE‑2025‑31277 — JavaScriptCore memory corruption
• CVE‑2025‑14174 — ANGLE/WebGL memory corruption

Devices running older versions (iOS 18.4 through 18.7) remain significantly exposed.

Traditional Mobile Device Management (MDM) solutions focus on compliance and configuration. However, they do not detect advanced exploit chains that operate entirely in memory or abuse legitimate browser components. Check Point Mobile Security provides Mobile Threat Defense (MTD) capabilities that complement traditional device management and patching strategies.
The following table describes the key risk‑reduction functions provided by Check Point Mobile Security:

Coruna and DarkSword demonstrate that advanced iOS exploitation is no longer limited to elite threat actors. Patching alone is insufficient; organizations must implement Mobile Threat Defense (MTD) controls such as Check Point Mobile Security, to gain CVE-based risk visibility, web threat protection, and enforce conditional access before attacks impact the enterprise.

 

cp<r> reference for more details: https://research.checkpoint.com/2026/9th-march-threat-intelligence-report/