Exploit kits on compromised sites
- What happened: Security posts reported two iPhone exploit kits spreading via legitimate but compromised websites.
- The key specific: The kits, named DarkSword and Coruna, were described as deployed through watering-hole sites, reducing the need for user clicks.
- Context/reaction: Attackers using compromised sites broaden exposure windows for both personal and managed devices, stressing patching and network protections.

Visiting a hacked website on an iPhone has again become enough to trigger serious attacks, according to March 2026 research on two exploit kits called Coruna and DarkSword. (securityweek.com) An exploit kit is a packaged set of software bugs that turns a website visit into device access, much like a lockpick set built for a specific phone model. Security researchers said Coruna targeted 23 flaws in iOS 13 through 17.2.1, while DarkSword targeted six flaws and could fully compromise a device with little or no user interaction. (securityweek.com)

Researchers said both kits were delivered through “watering hole” attacks, a tactic where attackers compromise legitimate sites their targets already visit instead of luring them to a fake page. Google Project Zero used the same term in a 2019 write-up on hacked websites that attacked iPhone visitors automatically. (bleepingcomputer.com, googleprojectzero.blogspot.com)

The recent reports linked the campaigns to compromised Ukrainian websites tied to e-commerce, industrial equipment and local services, broadening exposure beyond a single phishing email or malicious app. SecurityWeek reported that Coruna was described as the first mass-exploitation kit targeting iPhones, and that DarkSword shared infrastructure with it. (bleepingcomputer.com, securityweek.com)

The attribution in public reporting points to a Russia-linked espionage cluster tracked as UNC6353, with DarkSword also seen in activity linked to a commercial surveillance vendor tracked as UNC6748. The Record said DarkSword was used against Ukrainian users, and SecurityWeek said related activity also hit targets in Saudi Arabia, Turkey and Malaysia. (therecord.media, securityweek.com)

Apple’s response has centered on patches rather than public detail about the campaigns. Apple said iOS 18.7.7 and iPadOS 18.7.7, released March 24, 2026 and expanded to more devices on April 1, 2026, carried protections from web attacks called DarkSword, and said some fixes had first shipped in 2025. (support.apple.com) Apple also published a plain-language advisory telling iPhone users to update, saying iOS 15 and iOS 16 devices received protections on March 11, 2026 and that devices on iOS 13 or iOS 14 must move to iOS 15 to get them. The company said users with older iOS 18 versions would receive an additional alert to install a critical security update. (support.apple.com)

United States civilian agencies got a firmer deadline. BleepingComputer reported that the Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch DarkSword-related iOS flaws after adding them to its Known Exploited Vulnerabilities catalog. (bleepingcomputer.com)

The practical change for iPhone owners is that ordinary browsing sessions now sit closer to the attack path than a text message or attachment. In both the 2019 Project Zero case and the 2026 DarkSword and Coruna reporting, the common step was simple: a victim visited a legitimate site that had already been compromised. (googleprojectzero.blogspot.com, securityweek.com)