TL;DR
- On March 27, 2026, Apple sent Lock Screen alerts to iPhones and iPads running iOS 13 through 17.2.1 and certain iOS 18 builds, warning of active web-based attacks.
- Two exploit kits are in play: Coruna (targeting older iOS, linked to espionage and crypto theft) and DarkSword (targeting iOS 18.4–18.7, publicly leaked March 23, 2026).
- These are zero-click attacks — a user does not have to tap anything; simply loading a compromised webpage is enough for the exploit to run.
- The fix is straightforward: update iOS immediately. Lockdown Mode provides an additional layer of protection for high-risk individuals.
What Did That Apple Lock Screen Alert Actually Mean?
If you or someone on your team saw an unusual notification on their iPhone lock screen on March 27, 2026, it was not spam. Apple pushed a system-level alert reading:
"Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone."
Apple has now sent spyware-related threat notifications to users in more than 150 countries [1]. This one was different in scope: it targeted a broad population of iPhones running iOS 13 through 17.2.1, as well as specific builds of iOS 18 (versions 18.4 through 18.7). The urgency was warranted. Researchers had identified two distinct exploit kits actively circulating in the wild.
What Are the Coruna and DarkSword Exploit Kits?
Coruna is the more complex of the two. Researchers at Kaspersky's GReAT team identified it as a direct evolution of Operation Triangulation, a sophisticated Russian espionage campaign disclosed in 2023. Boris Larin of Kaspersky GReAT explained the problem plainly: "After we discovered and disclosed the Triangulation chain, Apple patched these vulnerabilities and backported fixes as far back as iOS 15.7.x. But many users simply don't update, and Coruna contains 23 exploits across five chains" [6].
The kit first appeared in July 2025, deployed by a Russian-linked threat group (tracked as UNC6353) against Ukrainian websites. By December 2025, a separate, financially motivated Chinese group (UNC6691) began using Coruna against fake finance and cryptocurrency sites, with a specific focus on draining crypto wallets from apps including MetaMask, Exodus, Bitget, and Base [5].
DarkSword is newer and in some ways more alarming for its speed of proliferation. It targets iOS 18.4 through 18.7 and was publicly leaked around March 23, 2026 — just days before Apple's lock screen alerts went out [3]. The fact that a kit targeting a relatively recent iOS version leaked into wide circulation so quickly is a signal that the exploit market has changed.
Security researcher Justin Albrecht of Lookout described the underlying dynamic: "This isn't a one-time event, but rather a sign of things to come." A thriving secondary market for exploit code means developers can get "paid twice for the same exploit" — once when they sell it to an initial buyer, and again when it leaks or is resold [7].
How Does a Zero-Click Web Attack Actually Work?
This is the detail that matters most for business owners. These attacks do not require a phishing link that someone clicks, a malicious attachment that gets opened, or any interaction at all beyond a browser loading a page.
Researchers at web security firm c/side analyzed the delivery mechanism in detail. Simon Wijckmans described it this way: "The iframe has zero dimensions. It is invisible. It requires no user interaction beyond the page loading. The exploit runs entirely in the browser, in JavaScript, and completes in seconds" [9].
An invisible <iframe> element — a standard HTML tag used legitimately across the web — is embedded in any compromised page. When the browser loads that page, the exploit runs silently in the background. Researchers identified more than 50 domains used to deliver the payload. The malware families associated with these campaigns are tracked as PlasmaLoader and PLASMAGRID [5].
The practical implication: an employee browsing a business directory, a local restaurant's website, or a seemingly legitimate finance resource on an unpatched iPhone could trigger an attack without any warning and without doing anything wrong.
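For site owners, the delivery mechanism described above suggests a simple check of their own pages. The following is an added example, not code from c/side or the original article: it scans static HTML for iframes whose width and height are both zero and whose source host is not on an allowlist. The sample page, the host names and the allowlist are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^0+(\.0+)?(px|em|rem|%)?$")
# Only a property that starts a declaration counts, so max-width is ignored.
STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;!]+)", re.I)


def is_zero(value):
    return value is not None and bool(ZERO.match(value.strip().lower()))


class HiddenIframeFinder(HTMLParser):
    """Collect iframes with both dimensions at zero, as the article describes."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        dims = {"width": a.get("width"), "height": a.get("height")}
        # Inline CSS takes precedence over the width/height attributes.
        for prop, val in STYLE_DIM.findall(a.get("style") or ""):
            dims[prop.lower()] = val
        if is_zero(dims["width"]) and is_zero(dims["height"]):
            host = urlparse(a.get("src") or "").hostname or "(no src)"
            if host not in self.allowed_hosts:
                self.findings.append((self.getpos()[0], host))


def find_hidden_iframes(html, allowed_hosts=frozenset()):
    """Return (line_number, src_host) for each unapproved zero-size iframe."""
    finder = HiddenIframeFinder(allowed_hosts)
    finder.feed(html)
    return finder.findings


# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE_PAGE = """<html><body>
<h1>Daily specials</h1>
<iframe src="https://maps.partner.example/embed" width="600" height="400"></iframe>
<iframe src="https://cdn.unknown.example/f" width="0" height="0"></iframe>
<iframe src="https://tags.analytics.example/sync" style="width:0px; height:0 !important"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host in find_hidden_iframes(SAMPLE_PAGE, {"tags.analytics.example"}):
        print(f"line {line}: zero-size iframe loading from {host}")
```

Zero-size iframes also have legitimate uses, which is why the result is a list to review against an allowlist rather than a verdict. The check covers static markup only, so frames inserted by script at load time need a rendered-DOM inspection instead.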
Which iPhones Are Affected and What Has Apple Done?
The vulnerable range is wide:
- iOS 13 through 17.2.1: Vulnerable to the Coruna exploit kit.
- iOS 18.4 through 18.7: Vulnerable to the DarkSword exploit kit.
Apple released patches for iOS 15.8.7 and iOS 16.7.15 on March 11, 2026 — ahead of the public lock screen notification campaign [8]. Patches for affected iOS 18 builds were part of the same update cycle.
For context, Apple's developer data shows approximately 74% of active iPhone users are already on iOS 18. That leaves a meaningful portion of the installed base — running older devices or simply having postponed updates — exposed to Coruna.
What Should Business Owners Do Right Now?
The good news: the remediation steps are clear and free.
Update every work-related iPhone and iPad today. Go to Settings > General > Software Update. If your device can run iOS 18.4 or later — and for most devices sold in the last four years, it can — install it. For older devices that cannot reach iOS 18, install the latest available update immediately (iOS 15.8.7 or iOS 16.7.15 at minimum) [8].
Enable automatic updates. Under Settings > General > Software Update > Automatic Updates, turn on both "Download iOS Updates" and "Install iOS Updates." This removes the update lag that exploit kit developers count on.
Consider Lockdown Mode for high-risk users. If your business handles sensitive financial data, legal matters, or anything that makes you a meaningful target, Lockdown Mode is worth evaluating. Apple stated: "We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device" [4]. Security researcher Patrick Wardle called it "one of the most aggressive consumer-facing hardening features ever shipped." Lockdown Mode does restrict some functionality — certain web features, link previews, and connection types are limited — but for executives and finance team members, the tradeoff is worth reviewing.
Audit your device inventory. If you manage phones for a team, now is the time to confirm every device is on a supported, patched iOS version. Mobile Device Management (MDM) tools can surface this information quickly. If you do not have visibility into your team's device versions, that gap is worth closing.
Do not assume "I don't visit sketchy sites" is protection. Legitimate websites get compromised. The 50+ delivery domains identified in this campaign were not all obviously malicious destinations [9]. Browsing hygiene matters, but it is not a substitute for patching.
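For the inventory audit step, the version ranges given earlier can be applied to an MDM export automatically. This is an added example, not part of the original article or any vendor tool: the CSV column names and device names are constructed, the ranges and backport levels are the ones stated on this page, and treating every 18.7.x build as inside the DarkSword range is an assumption.

```python
import csv
import io

# Ranges and patch levels as stated in the article.
CORUNA_MIN, CORUNA_MAX = (13, 0, 0), (17, 2, 1)
BACKPORT_FIXES = {15: (15, 8, 7), 16: (16, 7, 15)}  # patched build per major version
# Assumption: the 18.4-18.7 range is compared on major.minor, so 18.7.x is included.
DARKSWORD_MIN, DARKSWORD_MAX = (18, 4), (18, 7)


def parse_version(text):
    """Turn '16.7.2' into (16, 7, 2); return None if it is not a dotted number."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unparseable"  # no usable version: needs a manual check
    fix = BACKPORT_FIXES.get(v[0])
    if fix is not None and v >= fix:
        return "backport-patched"
    if CORUNA_MIN <= v <= CORUNA_MAX:
        return "coruna-range"
    if DARKSWORD_MIN <= v[:2] <= DARKSWORD_MAX:
        return "darksword-range"
    return "outside-listed-ranges"


def audit(csv_text):
    """Return (device, os_version, status) for every row that needs action."""
    needs_action = {"coruna-range", "darksword-range", "unparseable"}
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = [(r["device"], r["os_version"], classify(r["os_version"])) for r in rows]
    return [row for row in checked if row[2] in needs_action]


# Constructed sample export; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device,os_version
ceo-iphone,17.2.1
finance-ipad,18.5
reception-iphone,15.8.7
warehouse-iphone,16.7.2
sales-iphone,17.4
byod-iphone,unknown
"""

if __name__ == "__main__":
    for device, version, status in audit(SAMPLE_INVENTORY):
        print(f"{device:18} {version:8} {status}")
```

Devices reported as darksword-range should be moved to the latest available update, since the page does not name the specific iOS 18 build that carries the fix.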
FAQ
Q: I got the Apple lock screen alert. Does that mean I was already hacked? No. The alert means your device is running a version of iOS that is known to be vulnerable to active attacks. It is a warning, not a confirmation of compromise. Update your device immediately and you will eliminate the known attack surface.
Q: My iPhone is too old to run iOS 18. Am I out of options? Not entirely. Apple backported patches to iOS 15.8.7 and iOS 16.7.15. If your device supports either of those versions, install the update. If your device cannot receive any further updates, it is time to plan for a hardware replacement — running an end-of-support device on a business network is an ongoing liability.
Q: Does this affect iPads too? Yes. The same iOS versions on iPads (running iPadOS) carry the same vulnerabilities. The update guidance applies equally to iPads used for business.
Q: What is Lockdown Mode and will it break my phone? Lockdown Mode is an optional, opt-in feature found under Settings > Privacy & Security > Lockdown Mode. It blocks many of the browser and connectivity features exploit kits rely on. Some apps and websites may behave differently, and certain message attachment types are blocked. For most standard business use — email, calls, messaging, documents — the impact is manageable. For users who handle particularly sensitive data, it is a strong protective measure.
Q: How do I know if my device was compromised before I updated? Signs of compromise can include unusual battery drain, unexpected data usage, apps you did not install, or sluggish performance. However, sophisticated spyware is designed to be silent. If you have reason to believe a device was compromised, consult a security professional rather than attempting to self-diagnose.
Keeping the devices your business runs on patched and configured correctly is one of the highest-return security investments available. These alerts are a reminder that the window between a patch release and an active exploit campaign continues to compress.
References
[1] R. Lakshmanan, "Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits," The Hacker News, Mar. 27, 2026. [Online]. Available: https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html
[2] H. Charlton, "Apple Now Sending Critical Security Alerts to iPhones Running iOS 17 and Earlier," MacRumors, Mar. 27, 2026. [Online]. Available: https://www.macrumors.com/2026/03/27/critical-security-alerts-sent-to-ios-17-iphones/
[3] L. Franceschi-Bicchierai, "Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed to spyware attacks," TechCrunch, Mar. 26, 2026. [Online]. Available: https://techcrunch.com/2026/03/26/apple-made-strides-with-ios-26-security-but-leaked-hacking-tools-still-leave-millions-exposed-to-spyware-attacks/
[4] L. Franceschi-Bicchierai, "Apple says no one using Lockdown Mode has been hacked with spyware," TechCrunch, Mar. 27, 2026. [Online]. Available: https://techcrunch.com/2026/03/27/apple-says-no-one-using-lockdown-mode-has-been-hacked-with-spyware/
[5] R. Lakshmanan, "Coruna iOS Exploit Kit Uses 23 Exploits Across 5 Chains," The Hacker News, Mar. 2026. [Online]. Available: https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
[6] Kaspersky GReAT, "Coruna: Evolution of Operation Triangulation," Kaspersky, Mar. 2026. [Online]. Available: https://www.kaspersky.com/about/press-releases/2026_coruna-ios-exploit-kit
[7] Lookout, "iOS Exploit Kit Market Analysis," Lookout Security, Mar. 2026. [Online]. Available: https://www.lookout.com/threat-intelligence/ios-exploit-kit-market-2026
[8] Apple Inc., "Apple security updates," Apple Support, Mar. 2026. [Online]. Available: https://support.apple.com/en-us/111900
[9] c/side, "Hidden iFrame iOS Exploit Delivery Analysis," c/side Research, Mar. 2026. [Online]. Available: https://cside.dev/blog/coruna-darksword-iframe-analysis
[10] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
TL;DR
- Apple sent an urgent warning to millions of iPhones on March 27, 2026, telling users to update immediately.
- Two hacking toolkits called Coruna and DarkSword can silently break into older iPhones just by loading a webpage.
- No tapping or clicking is required — the attack runs the moment a page loads.
- The fix is free and takes five minutes: Settings > General > Software Update.
What Actually Happened?
Imagine your school locker has a broken lock. You might not notice, but someone who knows about it could open it while you are in class, not watching. On March 27, 2026, Apple sent a message to every phone with that broken lock saying: "Your lock is broken. Here is a new one. Please install it today."
That warning was real. Apple pushed a message directly to the lock screens of iPhones running older software [1] [2]. The phones were vulnerable to active attacks already happening in the wild.
How Can a Website Attack a Phone Without Any Clicking?
This is the surprising part. Normally you think: "I would never click a suspicious link." But these attacks do not need a click at all.
Think of it like a mousetrap. The mouse just has to walk into the room — it does not do anything special. When your browser loads a webpage, there is a tiny invisible box hiding in the page. It has no size. You cannot see it. The moment the page loads, the attack code runs automatically, and it is finished in seconds [9].
This means visiting any compromised website — a restaurant, a news page, a business listing — could be enough.
Who Was Behind This?
There are two separate toolkits involved. Coruna has 23 different attack methods and grew out of tools originally built by Russian-linked spies. A separate group later used it to steal cryptocurrency from phones [5] [6]. DarkSword targets newer iPhones (iOS 18.4–18.7) and leaked publicly just days before Apple sent the warnings [3].
Security researchers noted that a "second-hand" market for hacking tools now lets attackers get "paid twice for the same exploit," making these kinds of leaks more common [7].
What Should You Do Right Now?
- Open Settings on your iPhone or iPad.
- Tap General, then Software Update.
- Install whatever update is available.
- Turn on Automatic Updates so it stays current on its own.
For people who handle sensitive work information, turning on Lockdown Mode (Settings > Privacy & Security > Lockdown Mode) adds extra protection. Apple reports no device using Lockdown Mode has been successfully attacked by spyware [4].
FAQ
Q: Is the message Apple sent to my phone real, or is it a scam? It is real. Apple sent these warnings through the iPhone notification system on March 27, 2026. You can verify your iOS version in Settings > General > About and check it against Apple's security update page [8].
Q: I updated my phone a few months ago. Am I still at risk? It depends on which version you have. If you are on iOS 18.4 through 18.7 or anything older than iOS 18, check Settings > General > Software Update and install the latest available version.
Q: My phone is old and cannot update past iOS 15. What do I do? Apple released iOS 15.8.7, which includes patches for these attacks [8]. Install that update. If your device cannot receive any updates, plan to replace it — an unsupported device used for work is an ongoing risk.
Q: Can I tell if my phone was already attacked? Signs include faster-than-normal battery drain, unexpected app installs, or high data usage. However, serious spyware is designed to be invisible. If you are concerned, a security professional can run a proper check.