Cybercriminal groups are deploying advanced spyware tools originally designed for government surveillance to hack iPhones, according to new research from Google, iVerify, and Lookout. Two separate campaigns have been identified exploiting iPhone vulnerabilities to steal personal data from unsuspecting users. The attacks require no user interaction, automatically infecting devices that visit compromised websites.
The shift represents a significant escalation in cyber threats, as military-grade surveillance tools migrate from state-sponsored operations to criminal enterprises. These tools can extract virtually all data from infected devices, including encrypted messages from WhatsApp and Telegram, location information, and browsing history. The transition democratizes sophisticated hacking capabilities previously available only to well-funded government agencies.
Researchers identified two distinct toolkits in recent campaigns. Coruna, originally built by defense contractor L3Harris for the U.S. government, was discovered being used by Chinese cybercriminals on fake cryptocurrency platforms. DarkSword, linked to Russian hackers, has been targeting visitors to Ukrainian news and government websites as part of watering hole attacks that automatically infect devices.
The discovery of unobfuscated JavaScript code for DarkSword on servers means even low-skilled cybercriminals can now copy and deploy these tools against broader targets. This proliferation could lead to a surge in sophisticated iPhone attacks affecting ordinary users rather than just high-value government or corporate targets. Apple has reportedly patched the underlying vulnerabilities.