Active zero‑click warnings
- Researchers and security posts warned about active zero‑click malware families targeting iPhones for silent data theft. ( ) - Social reporting named DarkSword and Coruna as examples and urged immediate patching on vulnerable devices. (x.com) - Posts said older iOS builds, including 18.4–18.7, were in scope, prompting enterprise defenders to prioritize updates. (x.com)
Security researchers are warning that active “zero-click” iPhone attacks can steal data without a tap, text reply, or app install. (kaspersky.com) A zero-click attack is the phone equivalent of a lock that opens when a booby-trapped message or web page arrives; the victim does nothing, and the code runs anyway. Citizen Lab documented that pattern in earlier iPhone spyware cases, including the 2023 BLASTPASS chain delivered through iMessage. (citizenlab.ca) The current warnings center on DarkSword and Coruna, two iPhone exploit kits described in March and April 2026 by researchers and security firms. PCMag reported that Google, Lookout, and iVerify said DarkSword was being used against iPhones on iOS 18.4 through 18.7. (pcmag.com) Apple’s own security bulletin says iOS 18.7.7 and iPadOS 18.7.7 were released on March 24, 2026, and that Apple expanded the update on April 1 so more devices with Automatic Updates could receive protections from web attacks called DarkSword. Apple also said the fixes tied to the DarkSword exploit first shipped in 2025. (support.apple.com) That timeline matters because older iOS 18 builds remained in circulation months after Apple had shipped fixes. Apple’s iOS 18.7 bulletin shows that branch first arrived on September 15, 2025, leaving a long tail of devices that enterprises and consumers may not have moved off quickly. (support.apple.com) Researchers say the attacks are built to move fast. Kaspersky said DarkSword can infect a device through a legitimate site that has been injected with malicious code, while Lookout, as quoted by PCMag, said one campaign stole targeted data within seconds or minutes and then cleaned up traces. (kaspersky.com; pcmag.com) The data at risk goes beyond photos and messages. Kaspersky said DarkSword can pull passwords, chat data from iMessage, WhatsApp, and Telegram, browser history, and information from Apple apps including Calendar, Notes, and Health, along with cryptocurrency wallet data. (kaspersky.com) This is not the first time Apple users have faced silent spyware delivery. Citizen Lab said Apple confirmed that a separate zero-click spyware attack used against journalists in early 2025 was mitigated in iOS 18.3.1 and assigned CVE-2025-43200. (citizenlab.ca) Apple’s public guidance in these cases is consistent: update quickly, because Apple does not fully discuss security issues until patches are available. For people who handle sensitive work, Citizen Lab has also urged enabling Lockdown Mode, which it said blocked the BLASTPASS attack. (support.apple.com; citizenlab.ca)
