Apple just dropped a major warning that’s got cybersecurity experts genuinely freaked out. It turns out that Russian intelligence agencies, Chinese cybercriminals, and other hackers have been weaponizing sophisticated tools called DarkSword and Coruna to break into iPhones running outdated software. And if you’ve been putting off that iOS update? Yeah, this is why you shouldn’t do that.

Research from Google and cybersecurity firms iVerify and Lookout revealed that these exploit kits are basically digital skeleton keys for iPhones. Once hackers get in, they can access everything, your text messages, call history, Wi-Fi passwords, location data, browser history, health information, and more. It’s a full-on surveillance nightmare.

The sketchy part? These attacks are sneakier than you’d think. Hackers deploy what’s called “watering hole” attacks, where they compromise or create websites that automatically infect your phone just by visiting them. You don’t need to download anything sketchy or click a weird link. Just visiting the wrong website can potentially compromise your device if you’re running older iOS versions.

The good news is that Apple’s latest operating system, iOS 26, which dropped in September, protects against both of these hacking campaigns. But here’s the catch: not everyone can upgrade to the newest version. That’s why Apple took the unusual step of releasing a special security update last week specifically for older devices that can’t handle a full iOS 26 upgrade. This is Apple basically saying, “Even if you’re stuck on older software, at least download this patch”.

So who’s actually being targeted? Ukrainians have been hit by Russian intelligence operations. Chinese cryptocurrency users are being targeted with fake financial websites designed to steal their crypto. People in Saudi Arabia, Turkey, and Malaysia have also been affected. While Americans haven’t been reported as targets yet, John Scott-Railton, a researcher at Toronto’s Citizen Lab, made it clear that anyone with outdated iOS could theoretically become a victim. He called the situation serious, noting that “the barrier to entry for widespread, devastating mobile attacks has been decisively lowered”.

Here’s the wild part: one of these tools, Coruna, has a genuinely shocking origin story. A former executive at defense contractor L3Harris literally sold his company’s hacking tools to Russian brokers and got sentenced for it. That same tool eventually ended up in the hands of Chinese cybercriminals by December.

The bottom line? Having an iPhone alone isn’t enough protection anymore. You need to actually keep your software updated. It sounds boring, but it’s literally the most important thing you can do to keep your phone secure. So go update your phone. Like, right now.