Hackers leverage leaked government intelligence tools to target everyday iOS users | Kaspersky official blog
DarkSword and Coruna are new iOS malware strains that infect devices through zero-click attacks. Learn how these threats operate, which iOS versions are at risk, and how to protect your devices.
AI Analysis
Technical Summary
DarkSword and Coruna are sophisticated iOS malware strains that use zero-click infection techniques, delivered through malicious code injected into legitimate websites. DarkSword targets iOS 18 and older versions, exploiting a chain of six vulnerabilities to escape the sandbox and escalate privileges, while Coruna targets iOS 13 through 17.2.1 using 23 vulnerabilities, primarily in WebKit. Both malware strains operate filelessly in RAM and harvest a wide range of sensitive data, including messaging app content, browser history, calendar, notes, health data, and crypto-wallet credentials. These tools were originally developed by state-affiliated entities and leaked to cybercriminal groups, enabling mass infections of everyday users rather than only high-profile targets. The malware does not persist after reboot. Apple has issued patches across multiple iOS versions, including older ones, and recommends enabling Background Security Improvements and Lockdown Mode to reduce risk.
Potential Impact
The malware enables attackers to silently compromise iOS devices without user interaction, leading to theft of sensitive personal data and cryptocurrency. The infection affects a broad user base, including everyday users, not just high-risk individuals. Because the malware is fileless, it resides only in RAM and disappears after a reboot, which complicates detection and prevents persistence. The widespread leak and availability of source code increase the risk of further adaptations by other threat actors. Infections have been confirmed in multiple countries, including China, Saudi Arabia, Turkey, and Malaysia.
Mitigation Recommendations
Apple has released official patches addressing the vulnerabilities exploited by DarkSword and Coruna across iOS versions 13 through 18, including updates 15.8.7, 16.7.15, and 18.7.7. Users should promptly update their devices to the latest available iOS or iPadOS version. Enabling Background Security Improvements allows critical security fixes to be installed automatically, reducing exposure windows. Activating Lockdown Mode can further limit attack vectors by restricting device features. Regularly rebooting devices will remove fileless malware residing in memory. Storing sensitive data such as crypto wallet keys in encrypted vaults is recommended. Following these steps will mitigate the risk of infection and data compromise.
Affected Countries
China, Saudi Arabia, Turkey, Malaysia
Technical Details
- Article Source: https://www.kaspersky.com/blog/ios-exploits-darksword-and-coruna-in-mass-attacks/55622/ (fetched 2026-04-17T13:17:04.082Z, word count 1881)
Threat ID: 69e232d082d89c981ff8363c
Added to database: 4/17/2026, 1:17:04 PM
Last enriched: 4/17/2026, 1:17:11 PM
Last updated: 4/17/2026, 7:02:41 PM