Apple Issues Urgent Security Warnings Over Coruna and DarkSword iOS Exploits

CyberSecureFox

Apple has begun displaying critical system alerts directly on the lock screen of iPhone and iPad devices running outdated versions of iOS and iPadOS. These prominent warnings inform users that their software is being actively targeted by real-world attacks delivered through malicious web content and urge them to install security updates immediately.

What Apple’s Lock Screen Security Warning Means for iPhone and iPad Users

On devices with long-unpatched or unsupported iOS versions, users may now see a message stating: “Apple is aware of attacks targeting outdated iOS software, including the version on your iPhone. Install this critical update to protect your device.” The fact that this notice appears above the lock screen, rather than as a regular notification, underscores the high priority and severity of the threat for the Apple ecosystem.

Shortly before these alerts began rolling out, Apple published a dedicated support document advising owners of older iOS and iPadOS builds to update as soon as possible. The trigger for this unusual step is the discovery and active exploitation of two advanced iOS exploit kits, Coruna and DarkSword, used in drive‑by attacks via compromised or malicious websites.

Coruna and DarkSword: Advanced iOS Exploit Kits Targeting Web Browsers

An exploit kit is a toolset that bundles multiple exploits and automates the process of compromising a device. When a victim simply visits a booby‑trapped or hacked website, the kit probes the device for known vulnerabilities and, if successful, executes code without any further user interaction.

According to security researchers, the Coruna exploit kit focuses on a wide swath of iOS versions, roughly from iOS 13.0 through 17.2.1. The DarkSword kit is designed to target newer releases, reportedly affecting versions around iOS 18.4 to 18.7. Over the past year, various threat actors—from financially motivated cybercriminals to more sophisticated groups—have used these kits to deliver malware loaders, spyware, and surveillance tools directly through the browser.

Links Between Coruna and the Operation Triangulation Spyware Campaign

Security vendor Kaspersky has associated Coruna with the previously exposed espionage campaign known as Operation Triangulation, disclosed in mid‑2023. That operation relied on complex zero-click iMessage exploits, enabling attackers to compromise iPhones without any user action, purely by sending specially crafted messages.

Researchers emphasize that Coruna is not merely a collection of public exploits. Instead, it appears to be an evolution of the original Operation Triangulation framework, actively maintained and systematically upgraded. This level of engineering effort and continuity suggests that the developers have resources and expertise comparable to state-sponsored or quasi‑state actors, rather than ad‑hoc criminal groups.

Secondary Zero-Day Markets and the “Democratization” of iOS Attacks

It remains unclear how both Coruna and DarkSword ended up in the hands of multiple, unrelated threat groups. Ongoing research in cybersecurity points to the likely existence of a secondary market for zero-day and one-day exploits, where high-value vulnerabilities—initially developed for intelligence agencies or commercial spyware vendors—are later resold or repurposed for broader criminal use.

The emergence of these exploit kits, alongside reports of leaks and newer DarkSword iterations, fuels concern among experts: capabilities once reserved for nation-states are gradually diffusing to a wider range of actors. This trend significantly increases the risk of large-scale, opportunistic attacks against iPhone and iPad users, and makes mobile devices a much more attractive and vulnerable target.

How to Protect iPhone and iPad from Coruna, DarkSword, and Similar Threats

The single most important defense is to install all available iOS or iPadOS updates without delay. This is critical for devices that have not been updated for a long time or that are running versions no longer supported by Apple. Ignoring Apple’s lock screen alerts in the current context effectively means accepting a known, elevated risk of compromise.

For users who cannot upgrade to the latest iOS due to hardware limitations, Apple recommends enabling Lockdown Mode where available (iOS 16 and later). Lockdown Mode is designed for high-risk users and significantly reduces the attack surface by restricting potentially dangerous content, limiting advanced browser features, blocking certain message attachments and link previews, and disabling functions commonly abused in sophisticated targeted campaigns.

Apple has publicly stated that it is not aware of any successful spyware attack against a device with Lockdown Mode enabled. This makes Lockdown Mode a particularly important safeguard for journalists, human rights defenders, executives, staff in critical infrastructure, and anyone who may be singled out by advanced threat actors.

Additional recommended measures include enabling automatic updates, avoiding untrusted configuration profiles, and not jailbreaking devices, as jailbreaks dramatically increase the attack surface. Organizations should monitor mobile device posture via Mobile Device Management (MDM) solutions and apply security patches promptly as part of their standard vulnerability management processes.
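
As an added example (not code from Apple, the researchers cited here, or any MDM vendor), this is the kind of triage an organization could run over an MDM inventory export, using the approximate version ranges reported in this article. The CSV columns, device names and the treatment of "18.7" as covering 18.7.x are assumptions made for illustration.

```python
import csv
import io

# Approximate ranges as reported in this article, not an authoritative list.
# Assumption: a shorter bound covers all patch releases, so (18, 7) = 18.7.x.
REPORTED_RANGES = {
    "Coruna": ((13, 0), (17, 2, 1)),
    "DarkSword": ((18, 4), (18, 7)),
}

# Constructed sample of an MDM inventory export (hypothetical columns).
SAMPLE_EXPORT = """device,os,os_version
ipad-lobby-02,iPadOS,17.2.1
iphone-exec-03,iOS,18.5
iphone-dev-04,iOS,17.3
iphone-lab-05,iOS,18.7.1
ipad-old-06,iPadOS,12.5.7
iphone-unknown-07,iOS,beta
"""


def parse_version(text):
    """Return a 3-tuple of ints (missing parts padded with 0), or None."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def classify(version_text):
    """Name the kit whose reported range covers the version, if any."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # route to manual review, never assume safe
    for kit, (low, high) in REPORTED_RANGES.items():
        if low <= version[:len(low)] and version[:len(high)] <= high:
            return kit
    return "outside reported ranges"


def triage(export_text):
    """Map each device name in the export to its classification."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {row["device"]: classify(row["os_version"]) for row in rows}


if __name__ == "__main__":
    for device, result in triage(SAMPLE_EXPORT).items():
        print(f"{device:20} {result}")
```

A result of "outside reported ranges" only means the version is not in the ranges this article cites; it says nothing about whether the device is current or still supported.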

The ongoing Coruna and DarkSword campaigns illustrate that even Apple’s tightly controlled ecosystem is now a regular target for highly automated, scalable, and sophisticated attacks. Prompt OS updates, attention to Apple’s system warnings, and, where appropriate, activation of Lockdown Mode are essential steps every iPhone and iPad owner can take today. The faster individuals and organizations adopt basic mobile security hygiene, the harder it becomes for attackers to turn newly discovered iOS vulnerabilities into weapons for mass exploitation.
