Key Findings

• Apple is sending lock screen warnings to users with outdated iOS and iPadOS versions alerting them to active web-based exploits

• Exploit kits Coruna and DarkSword are actively targeting iOS versions 13 through 18.7, capable of stealing sensitive data through malicious links or compromised websites

• Users on iOS 13-14 must upgrade to iOS 15 and install critical security updates; iOS 15-16 devices received patches on March 11, 2026

• Coruna shares code similarities with the 2023 Operation Triangulation campaign, suggesting possible evolution of the same exploitation framework

• Devices on latest iOS versions and those using Lockdown Mode are protected, though updates remain strongly recommended

Background

Apple has begun deploying urgent lock screen notifications to iPhone and iPad users running outdated software versions. The alerts appear as "Critical Software" notifications from the Settings app and warn that Apple is aware of attacks targeting out-of-date iOS software. The notifications urge immediate installation of critical updates to protect device security and user data.

Active Exploit Kits Targeting Older Devices

Two primary threat actors are actively exploiting older iOS versions. Coruna targets iOS 13.0 through 17.2.1, while DarkSword focuses on newer versions running iOS 18.4 to 18.7. These exploit kits use malicious web content to trigger infection chains that can compromise device security without requiring complex user interaction. Simply clicking a malicious link or visiting a compromised website on an unpatched device could allow attackers to steal sensitive data including credentials, messages, and personal information.

Protection Recommendations by iOS Version

Users on iOS 13 or 14 have the most limited protection window and must take immediate action to upgrade to at least iOS 15 and then install the critical security update released on March 11, 2026. Devices already running iOS 15 or iOS 16 received protection patches that same date. Those on iOS 17 and later are protected through the latest available updates for their version. Apple notes that Safari's Safe Browsing feature provides additional protection by blocking known malicious domains by default across all supported versions.

Connection to Operation Triangulation

Kaspersky researchers recently identified strong code similarities between the Coruna exploit kit and the 2023 Operation Triangulation campaign. Both campaigns use the same kernel exploit framework, suggesting Coruna represents an advanced evolution rather than a simple repurposing of older tools. The Coruna kit includes four additional kernel exploits beyond the Triangulation code, some developed after the original campaign. While code similarities don't definitively prove the same threat actors are responsible for both operations, the sophisticated reuse of their exploitation framework indicates serious actor capability and persistence.

Additional Protection Measures

Lockdown Mode provides meaningful protection against these attacks even on older iOS versions, though Apple emphasizes that staying current with the latest software remains the most effective defense. Devices running current iOS versions are not vulnerable to either exploit kit. Users should prioritize updating their devices rather than relying solely on Lockdown Mode, as this blocks only the specific attack vectors currently known.

Sources

• https://securityaffairs.com/190109/security/apple-issues-urgent-lock-screen-warnings-for-unpatched-iphones-and-ipads.html

• https://www.instagram.com/p/DWa5L7kDjS0/

• https://www.instagram.com/p/DWZW8K5j-kE/

• https://www.facebook.com/andrew.strutt/photos/apple-is-now-sending-lock-screen-notifications-to-iphones-and-ipads-running-olde/10174391761435372/