Risky Bulletin — Between Two Nerds: "It's Raining iOS Exploit Kits!"
Podcast: Risky Bulletin (Risky Business Media)
Episode: Between Two Nerds: It's raining iOS exploit kits!
Date: March 23, 2026
Hosts: Tom Uren & The Gruk
Overview
In this episode, hosts Tom Uren and The Gruk examine two major iOS exploit kits found in the wild—Karuna and Dark Sword—as reported by Google and other cybersecurity vendors. They explore their technical sophistication, real-world deployment, and implications for iOS security. The discussion emphasizes the careful, multi-phase “life cycle” of high-end exploits and what this means (and doesn’t mean) for the typical iOS user.
Main Discussion Points & Insights
1. Recent Waves of iOS Exploit Kits ([00:10]–[01:28])
- Karuna Exploit Kit:
  - A highly sophisticated exploit kit, developed over multiple years, originating from a defense contractor with strong Australian ties.
  - Described as “top notch exploit engineering and a very capable set of truly world class” — Tom Uren ([00:42]).
- Dark Sword Exploit Kit:
  - A more recent kit, less capable and covering a narrower range of iOS versions than Karuna.
  - Seen as a lower-quality “knockoff” by comparison — The Gruk quips, “Don’t settle for knockoffs, you don’t know what you’re getting. Buy Australian, have the 'Made in Australia' sticker on it.” ([01:12])
2. Does This Mean iOS Security Has Collapsed? ([01:28]–[02:31])
- Both hosts debunk the idea of a sudden collapse in Apple device security.
- The Gruk: “You listen to [the Karuna deep dive] and you don’t go, like, oh, I guess everyone’s going to be doing this now.” ([02:08])
- Instead, it is evidence of long-term, high-investment, nation-state-level attack development.
3. The Life Cycle of High-End Exploit Kits ([02:31]–[06:45])
- Initial buyers (often nation-states, e.g. Five Eyes governments) use the exploit kit with extreme caution, against specific high-value targets, to justify its million-dollar cost.
- As the exploits age out (i.e., are patched or become less relevant):
  - Kits are sold on to progressively less sophisticated or less careful attackers, e.g. Russian groups, then ultimately crypto criminals.
  - Tom Uren: “Once it had aged out and it was no longer as useful to a state, the seller was probably looking at how can I squeeze a last little bit of value out of this depreciating asset?” ([05:13])
- Economic model:
  - High prices for nation-states, then “fire sale” leftovers for criminals ($200K as opposed to millions).
  - Cruder operators (crypto criminals) then use the kit indiscriminately, which ultimately causes exposure and leads to patches and detection.
4. From Targeted Attacks to Broad Criminal Use ([06:45]–[09:23])
- Crypto criminals used watering hole attacks to capture high-value assets like wallet passphrases.
- Tom Uren: “I can’t think of a better way to turn an exploit into money directly.” ([06:45])
- Karuna represents the “AAA game” in exploit kits—top-tier, heavily engineered.
5. The Dark Sword Exploit Kit: Less Sophisticated, More Accessible ([07:30]–[14:00])
- Used by several unrelated groups:
  - Saudi Arabian users were targeted through a Snapchat-themed website.
  - A Turkish commercial surveillance vendor (Pars Defense) deployed it in Turkey and Malaysia with more operational security and customization.
  - Russian state hackers used it to target Ukrainian users, geofencing the attacks and leveraging compromised Ukrainian government-themed sites.
- Each group customized the “bare bones” kit differently; e.g., the Turkish operators added encryption and operational security features, while the Russians did little customization but added more data theft features.
6. Notable Failures and Quirks in Attacker OpSec ([13:00]–[15:13])
- A lack of geofencing by some buyers led to earlier detection by researchers.
- The kit came with readable source code, including telling JavaScript file names like rcemodule.js (RCE Module), SBX0 (Sandbox Escape), and PELoader (Privilege Escalation Loader).
- The Gruk (joking): “There's probably just going to be a lot of false positives because you're going to hit react container element all the time.” ([15:13])
- The rawness of some implementations highlights the difference in professionalism and threat level between buyers.
7. Capabilities of the Implants ([16:03]–[17:04])
- State groups (especially Russian attackers) aimed for broad data theft:
- WhatsApp, SMS, call logs, contacts, browser state, cookies, photos, health data, device identifiers.
- Extensive targeting of crypto apps: Coinbase, Ledger, Metamask, Bread Wallet, and more ([16:41]).
- Tom Uren: “I presume this is just the Russian state hackers going, ‘oh, well, I'm doing a bit of hacking, I may as well make some money on the side, I suppose.’” ([17:04])
- The Gruk: “This is what happens when your recruitment pool includes a lot of people with a criminal background.” ([17:16])
8. Operational Choices: JavaScript-Only Implants ([18:19]–[19:52])
- The Russian kit ran entirely in the browser (JavaScript), never persisted, grabbed data, sent it out, then exited.
- Good operational security: no long-term device infection, and harder to detect.
- The Gruk: “It’s incredibly light touch. Except that it isn’t.” ([19:12])
- Tom Uren: “Once you have their authentication tokens, who cares what they do afterwards? You’re better off not leaving traces...” ([19:52])
9. Implications for Everyday Users ([20:56]–[22:21])
- Key takeaways:
  - If you update your iOS device promptly, you are likely safe from these particular exploit kits.
  - Lockdown Mode offers additional protection.
  - The main targets are outdated devices and high-value individuals (crypto wallet holders, government personnel, journalists).
  - The Gruk: “If you update within the first few days of the update becoming available, I think you would have been safe from all of these.” ([20:56])
  - Don’t store sensitive crypto wallet credentials on your phone.
  - Tom Uren: “If you have a crypto phrase, perhaps don’t take a photo of it and store it in your phone. That’s the big picture take-home message.” ([22:12])
  - The Gruk: “The big picture take-home message is: update your iOS and forget about this.” ([22:21])
- For Between Two Nerds listeners (“the elite of the cyber policy world”), the risks are minimal if good practices are followed.
10. Only Real Worry? The Unseen, Not These Kits ([22:45]–[23:18])
- The Gruk: “I wouldn’t worry about this sort of kit, I’d worry about current ones, which—the ones we don’t know about.”
- The ongoing risk is always the as-yet-unknown, best-in-class exploits that remain undetected.
Notable Quotes & Memorable Moments
- On exploit quality: “Don’t settle for knockoffs, you don’t know what you’re getting. Buy Australian, have the ‘Made in Australia’ sticker on it.” — The Gruk ([01:12])
- On attackers' ROI: “If you’re paying millions of dollars for something, you want to use it for things that justify that expense.” — The Gruk ([03:17])
- On the exploit resale life cycle: “You sell it for big money to people who will pay big money, when they get to a point where they're no longer going to buy it... the crypto wallet guys will be like, look, I'll give you $200,000 for it.” — The Gruk ([05:54])
- On operational choices: “There’s probably just going to be a lot of false positives because you’re going to hit react container element all the time.” — The Gruk ([15:18])
- On Russian hackers customizing implants: “This is what happens when your recruitment pool includes a lot of people with a criminal background.” — The Gruk ([17:16])
- On practical security: “If you update within the first few days of the update, I think you would have been safe from all of these.” — The Gruk ([20:56])
- On the biggest takeaway: “The big picture take home message is: update your iOS and forget about this.” — The Gruk ([22:21])
Timeline of Important Segments
- [00:10] — Episode intro and introduction to iOS exploit kits
- [01:12] — Humor on "Made in Australia" exploits; comparisons of kit quality
- [02:31] — Discussion on careful, high-value use of expensive exploit kits
- [03:52] — Operational and economic logic behind exploit kit resale
- [06:45] — Watering hole attacks and direct monetization via crypto theft
- [07:30] — Introduction to Dark Sword and its multiple buyers
- [09:23] — Geofencing and operational security in targeted exploitation
- [13:44] — Turkish surveillance vendor’s customizations
- [16:03] — Enumeration of implant and data theft capabilities
- [18:19] — Innovations (and quirks) of JavaScript-only “light touch” attacks
- [20:56] — Guidance for everyday users: update and use Lockdown Mode
- [22:12] — Crypto wallet security takeaway
- [22:45] — Only real worry is the exploits not yet discovered
Final Thoughts
This episode gives an expert-level but accessible walkthrough of how nation-state iOS exploit kits appear, spread, and eventually reach wider criminal distribution. Despite the “flood” of recent disclosures, your own risk remains low if you update your device promptly and don’t store sensitive crypto credentials on your phone. The real danger is always one step ahead: as Tom and The Gruk wryly note, it’s the exploits we don’t yet know about.