
Risky Bulletin Between Two Nerds: It's raining iOS exploit kits!
Mar 23, 2026
The Grugq, a security researcher known for analyses of threat actor tradecraft, breaks down recent iOS exploit kit sightings: why top-tier exploits stay hidden, how older tools get resold and abused, and how geofenced targeting and operator tweaks turn them into crypto-theft tools. He also offers practical advice on keeping iOS updated and using Lockdown Mode.
AI Snips
Top Tier Exploits Are Carefully Conserved Nation State Tools
- High-end iOS exploit kits are bespoke nation-state tools with exceptional engineering quality.
- Karuna was top-tier, likely sold originally to governments and used sparingly with strong OPSEC, which kept it undetected for years.
Exploit Value Depreciates And Increases Operational Risk
- Exploit kits age and get resold down a buyer chain until lower-budget operators burn them quickly.
- Karuna passed from high-value buyers to criminals who used it widely against crypto targets, exposing the kit to detection.
Same Kit, Multiple Customers With Different Skill Levels
- Multiple customers used Dark Sword with varying sophistication, from crude deployments to customized stealthy variants.
- Google, iVerify and Lookout found at least three different customer campaigns (Saudi, Turkish vendor, Russian), showing diverse usage.

