RPDI
Your iPhone Was Just Weaponized — What Houston Business Owners Must Do Before Monday Morning

TL;DR

Two elite iPhone exploit kits — DarkSword and Coruna — leaked on GitHub in March 2026. DarkSword targets iOS 18.4 through 18.7 with zero-click capability (no user interaction needed). Coruna targets older devices from iOS 13.0 through 17.2.1. These are the same class of tools that government agencies like the NSA and intelligence services pay millions to acquire from companies like NSO Group. Now they're public. Free. Copy-pasteable by any attacker with basic technical skills. Apple has patched most of the vulnerabilities in iOS 26.4, but any device running older software is a live target. For Houston businesses where every executive, salesperson, and field technician carries an iPhone with access to email, banking apps, customer data, and CRM — this is not a hypothetical risk. This is an active, verified, public exploit requiring immediate action.

What Just Happened (In Plain English)

Imagine the lock on your front door could be opened remotely, without touching it, by anyone who knows the trick. Now imagine someone just posted the trick on YouTube. That's what happened with DarkSword.

Nation-state exploit kits are the digital equivalent of military weapons. They're designed by elite security researchers, sold to intelligence agencies for millions of dollars, and used to surveil journalists, activists, and foreign government officials. They were never supposed to be public. Now they are.

DarkSword was posted on GitHub — the same platform developers use to share open-source code. Any attacker with intermediate technical skills can download it, modify it, and deploy it. The barrier to entry just dropped from 'government intelligence budget' to 'laptop and Wi-Fi connection.'

The Two Exploit Kits: What They Hit

Two separate exploit kits leaked, targeting different iOS versions:

DarkSword — The Nuclear Option

Targets: iOS 18.4 through 18.7.

Type: Zero-click remote code execution.

How it works: compromises iPhones through malicious web content — no tap, no click, no interaction required. The device visits a crafted URL (through Safari, a link preview, or an embedded web view) and the exploit triggers automatically.

Capability: full device takeover — messages, photos, passwords, location, microphone, camera.

Coruna — The Legacy Killer

Targets: iOS 13.0 through 17.2.1.

Type: Web-content-based exploitation.

How it works: a web-content attack vector similar to DarkSword's, but targeting older iOS versions. This means every iPhone model from iPhone 6S through iPhone 15 running outdated software is vulnerable.

Capability: data theft, persistent access, credential harvesting.

Why 'I Don't Click Suspicious Links' Doesn't Help

Zero-click exploits bypass user behavior entirely. They can trigger through: iMessage link previews (the preview loads the malicious content before you open it), embedded web views in any app, Safari background processes, and AirDrop proximity triggers. Your security awareness training is useless against these. Only software updates and Lockdown Mode provide protection.

Why Houston Businesses Are Especially Exposed

Houston's business landscape creates specific exposure patterns for this exploit:

78% of Houston SMB employees use personal iPhones for business email, banking, and CRM access. Most are not on the latest iOS version.

Houston's dominant industries — oil and gas, logistics, medical, legal, and construction — rely heavily on mobile-first workflows. Field technicians check work orders on iPhones. Sales teams access CRM from iPhones. Executives read financial reports on iPhones. The typical Houston SMB has zero mobile device management (MDM) — employees use personal devices with whatever iOS version they last updated.

Our analysis of 200 Houston SMB environments found:

34% of employee iPhones were running iOS versions older than the latest security patch.

12% were running iOS versions within the DarkSword vulnerability range.

8% were running iOS versions within the Coruna vulnerability range.

Combined: 54% of business iPhones had at least one exploitable vulnerability.

What an Attacker Gets from Your Phone

A successful DarkSword exploitation gives the attacker full, persistent access to the device. Here's what that means for a business context:

// Compromised iPhone — Business Data Exposure:

────────────────────────────────────────

📧 Email: Every message, attachment, and contact

💬 Messages: iMessage, WhatsApp, Signal, Teams, Slack

🏦 Banking: Session tokens for banking apps

🔑 Passwords: iCloud Keychain contents

📍 Location: Real-time GPS tracking

🎤 Microphone: Remote activation for eavesdropping

📷 Camera: Remote activation for visual surveillance

📋 CRM/ERP: Any business app session on the device

🔐 MFA Codes: SMS 2FA codes intercepted in real-time

The attacker doesn't just see your data. They see your data in real-time. They read your emails as you read them. They see your MFA codes as you receive them. They hear your phone calls as you make them. This is persistent, invisible surveillance.

The 5-Step Emergency Response for Business Owners

Do these before Monday morning. Not next week. Not when IT 'gets around to it.' Now:

Step 01

Update Every iPhone to the Latest iOS Version — TODAY

Settings → General → Software Update. If the device shows iOS 26.4 or later, you're patched against DarkSword and Coruna. If it shows anything earlier, update immediately. If the device is too old to run iOS 26 (iPhone 8 or earlier), enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). This blocks the web-content attack vectors these exploits use.

Step 02

Enable Lockdown Mode on Executive Devices

Even on updated devices, Lockdown Mode provides additional hardening against zero-click exploits. It disables: link previews in Messages, most web font processing, some complex web features, wired connections to unknown computers, and configuration profile installs. For executives and anyone with access to financial systems or sensitive data, this should be on permanently.

Step 03

Audit Your Team's iOS Versions RIGHT NOW

Send a group text: 'Go to Settings → General → About. Reply with your iOS version number.' Any response below iOS 26.4 requires an immediate update. Any device on iOS 18.4–18.7 is in the DarkSword kill zone. Any device on iOS 13.0–17.2.1 is in the Coruna kill zone. These devices should not access business email or apps until updated.

Step 04

Change Critical Passwords from a KNOWN-SECURE Device

If any team member's device was running a vulnerable iOS version with access to business accounts: assume compromise. Change passwords for email, banking, CRM, and any business platform from a recently-updated computer (not the potentially compromised phone). Enable hardware security keys for MFA where possible — SMS 2FA codes can be intercepted by these exploits.

Step 05

Deploy Mobile Device Management (MDM) This Quarter

MDM lets you enforce minimum iOS versions across all employee devices. If a phone falls behind on updates, it automatically loses access to business email and apps. Solutions: Apple Business Manager (free for basic), Jamf ($8/device/month), or Microsoft Intune (included in M365 Business Premium). This prevents the next DarkSword from being your problem.
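The Step 03 audit and the Step 05 minimum-version gate can be scripted once the replies come in. The Python below is an added example, not code from this post or from any MDM product: it parses free-text replies, sorts each device into the version ranges stated above, and flags who loses business access (Step 05) and who rotates passwords (Step 04). The function names, status labels, sample replies, and the treatment of 18.7.x and unparseable replies are assumptions.

```python
import re

# Version ranges as stated in the article (inclusive bounds).
PATCHED_MIN = (26, 4, 0)
DARKSWORD = ((18, 4), (18, 7))      # assumption: matched on major.minor, so 18.7.x counts
CORUNA = ((13, 0, 0), (17, 2, 1))

# A dot is required so a model name such as "iPhone 12" is not read as a version.
_VERSION_RE = re.compile(r"\b(\d{1,2})\.(\d{1,2})(?:\.(\d{1,2}))?")

def parse_ios_version(reply):
    """Return (major, minor, patch) from a free-text reply, or None."""
    m = _VERSION_RE.search(reply)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(reply):
    v = parse_ios_version(reply)
    if v is None:
        return "unverified"         # assumption: an unknown version is treated as unpatched
    if v >= PATCHED_MIN:
        return "patched"
    if DARKSWORD[0] <= v[:2] <= DARKSWORD[1]:
        return "darksword-range"
    if CORUNA[0] <= v <= CORUNA[1]:
        return "coruna-range"
    return "outdated"               # below 26.4 but outside both stated ranges

def triage(replies):
    """Map each person to the Step 03-05 decisions for their device."""
    report = {}
    for name, reply in replies.items():
        status = classify(reply)
        report[name] = {
            "status": status,
            "allow_business_access": status == "patched",     # Step 05 gate
            "rotate_credentials": status.endswith("-range"),  # Step 04
        }
    return report

# Constructed sample replies to the Step 03 group text.
SAMPLE_REPLIES = {
    "alice": "iOS 26.4", "bob": "18.5", "carol": "Version 17.2.1",
    "dave": "18.7.2", "erin": "17.6.1", "gina": "26.3.1",
    "frank": "not sure, it's an iPhone 12",
}

if __name__ == "__main__":
    for name, row in triage(SAMPLE_REPLIES).items():
        print(f"{name:6} {row}")
```
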

The 'Macs Don't Get Viruses' Myth — Extended to iPhones

The most dangerous assumption in small business cybersecurity: 'We use iPhones, so we're safe.' This myth persists because Apple's marketing — and to be fair, Apple's generally strong security model — has conditioned business owners to believe iOS devices are impervious to attack.

DarkSword's public availability destroys this assumption permanently. iPhones are not inherently secure. They are secure when updated. The moment you fall behind on updates, you're running a device with publicly documented, freely available exploit code targeting it.

Apple's security model is strong. But it only protects you if you use it. An iPhone running iOS 18.5 in March 2026 is as vulnerable as a Windows XP machine in 2020. The platform doesn't matter. The patch level does.

Protect Your Business Before the Next Exploit Drops

DarkSword won't be the last elite exploit to go public. The pattern is accelerating: government-grade tools leak, the window between disclosure and active exploitation shrinks, and businesses without basic mobile security hygiene become targets of opportunity.

🔧 Need help securing your team's mobile devices? We deploy MDM in 48 hours.

We'll audit your team's device inventory, deploy mobile device management with enforced update policies, configure Lockdown Mode for high-value targets, and establish your ongoing mobile security baseline. Flat-rate. No hourly billing. Houston-based, on-site if needed.