DarkSword Exploit Kit Targets Hundreds of Millions of iPhones Through Infected Websites

For years, the techniques used to hack iPhones were treated like rare specimens in the cybersecurity world — carefully deployed against a handful of high-value targets, almost never seen in the open. That changed on Wednesday when researchers at Google, iVerify, and Lookout jointly disclosed a powerful exploit kit called DarkSword that has been found embedded in dozens of websites, capable of silently compromising any iPhone running iOS 18 that simply visits an infected page Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

The discovery marks the second major iOS hacking toolkit to surface this month, following the Coruna exploit chain revealed on March 3. Together, the two tools paint a picture of a rapidly expanding market for mobile device exploits that were once the exclusive province of nation-state intelligence agencies Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

How DarkSword Works

DarkSword exploits vulnerabilities in Apple's previous operating system release, iOS 18, to take over devices through what security researchers call a drive-by attack. A user needs only to visit a compromised website using Safari — no clicks, no downloads, no interaction required. The exploit chain leverages multiple flaws in JavaScriptCore and the iOS kernel to break out of the browser sandbox and gain access to privileged system processes Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

What makes DarkSword particularly notable is its approach to data theft. Rather than installing persistent spyware that remains on a device, the tool uses fileless techniques more commonly associated with Windows malware. It hijacks legitimate system processes to harvest data within minutes of infection — an approach that Rocky Cole, iVerify's co-founder and COO, has described as a smash-and-grab operation. Once the phone reboots, the infection vanishes, leaving far fewer forensic traces than traditional spyware Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

According to Lookout, the data DarkSword targets is extensive: passwords, photos, message logs from iMessage, WhatsApp, and Telegram, browser history, calendar and notes data, health app information, and even cryptocurrency wallet credentials. The inclusion of crypto wallet data suggests the operators may have been supplementing their espionage work with financially motivated cybercrime Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Scale of Exposure

The potential impact is substantial. While DarkSword does not affect the latest version of Apple's operating system, iOS 26, it works against devices running iOS versions 18.4 through 18.7. According to estimates from iVerify and Lookout based on public adoption data, between 220 million and 270 million iPhones worldwide still run vulnerable iOS versions Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wildired.com·UnverifiediPhone hacking techniques have sometimes been described almost like rare and elusive animals: Hackers have used them so stealthily and carefully against such a small number of hand-picked targets that they're only rarely seen in the wild. Now a recent spate of espionage and cybercriminal campaigns has instead deployed those same phone-takeover tools, embedded in infected websites, to indiscriminately hack phones by the thousands.. Apple's own figures from last month indicated that close to a quarter of all iPhones remain on iOS 18 Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

The relatively slow uptake of iOS 26 has compounded the problem. Apple's latest operating system release has faced criticism over its redesigned interface, including a liquid glass visual style that some users have found overly animated and harder to read. That dissatisfaction has kept a significant portion of the iPhone user base on older, now-exploitable software Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Russian Spies, Turkish Surveillance Firms, and a Growing Market

Google's Threat Intelligence Group identified multiple distinct campaigns using DarkSword. The most prominent involved a suspected Russian state-sponsored espionage group that embedded the exploit in otherwise legitimate Ukrainian websites, including online news outlets and a government agency site, to harvest data from visitors' phones Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

But the Russian campaign was not the first use of DarkSword. Google also observed the tool being deployed against targets in Saudi Arabia, Turkey, and Malaysia. In the Turkish and Malaysian cases, Google's analysis indicated that customers of PARS Defense, a Turkish security and surveillance firm, appeared to have used the exploit. PARS Defense did not respond to requests for comment Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

The proliferation across multiple unrelated groups is precisely what concerns researchers. Justin Albrecht, who leads mobile threat intelligence at Lookout, noted that the emergence of iOS exploits being delivered through brokers with little discretion means there is now a functioning market that puts these tools within reach of cybercriminals who will use them without restraint Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

The Coruna Connection and the Exploit Broker Pipeline

DarkSword's appearance is closely linked to the earlier Coruna toolkit. Researchers at iVerify and Lookout found DarkSword hosted on the same servers used by the suspected Russian operators of Coruna. While Coruna targets older iOS versions 13 through 17, DarkSword covers the gap by targeting iOS 18, meaning the two tools together can potentially compromise iPhones running nearly any version of Apple's mobile operating system from the past several years Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

The connection raises questions about a common supply chain. TechCrunch previously reported that Coruna was created by Trenchant, a subsidiary of US government contractor L3Harris that develops hacking tools for American intelligence agencies. A former Trenchant employee, Peter Williams, pleaded guilty last year to selling the company's tools to a Russian broker firm called Operation Zero, which has since been sanctioned by the US government Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

While there is no confirmed link between DarkSword and Trenchant, the fact that both exploit kits ended up in the hands of the same Russian hacking group suggests they may share a common distribution channel. Operation Zero did not respond to requests for comment Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Perhaps most alarming, iVerify co-founder and researcher Matthias Frielingsdorf noted that the Russian hackers who deployed DarkSword left the complete, unobscured source code on the compromised websites — including explanatory comments in English and the DarkSword name itself. Anyone who accessed those sites could have copied the code and deployed it on their own servers. Frielingsdorf characterized the situation as far too easy, noting that the code was thoroughly documented Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Apple's Response and What Users Should Do

Apple has released security updates that address the vulnerabilities exploited by both DarkSword and Coruna, including emergency patches issued last week for older devices that cannot run iOS 26. An Apple spokesperson stated that keeping software up to date remains the most important step users can take to maintain the security of their devices. The company also noted that users who enable Lockdown Mode, Apple's strictest security setting, are protected against the exploit Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Additionally, Apple said that all malicious domains identified by Google have been blocked through Apple Safe Browsing in the Safari web browser to prevent further exploitation Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wildired.com·UnverifiediPhone hacking techniques have sometimes been described almost like rare and elusive animals: Hackers have used them so stealthily and carefully against such a small number of hand-picked targets that they're only rarely seen in the wild. Now a recent spate of espionage and cybercriminal campaigns has instead deployed those same phone-takeover tools, embedded in infected websites, to indiscriminately hack phones by the thousands..

Security firms iVerify and Lookout have both confirmed that their mobile security applications can detect DarkSword infections in the form observed so far. However, the accessibility of the exploit code means new variants could emerge that evade current detection methods Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

A Shift in the Threat Landscape

The back-to-back disclosure of Coruna and DarkSword within a single month represents a significant shift in mobile security. iPhone exploits were previously so rare and expensive that they were treated almost as disposable only by the wealthiest intelligence agencies. The fact that DarkSword was deployed carelessly, with its source code exposed and no attempt at operational security, suggests that these tools have become cheap enough that operators feel comfortable burning them Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

Cole, the iVerify co-founder, summed up the new reality: the hackers who deployed DarkSword were not concerned about its discovery because they expect to simply acquire replacement exploits from the same market. The assumption that only journalists, activists, or politicians needed to worry about sophisticated iPhone attacks no longer holds Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..

For the estimated quarter of iPhone users still running iOS 18, the immediate advice is straightforward: update. Navigate to Settings, then General, then Software Update. The inconvenience of a new interface is a modest price for closing a vulnerability that state-sponsored hackers and cybercriminals alike are actively exploiting in the wild Researchers uncover iPhone spyware capable of penetrating millions of deviceschannelnewsasia.com·SecondaryFILE PHOTO: A person holds Apple’s new iPhone 17 series at an Apple store in Taipei, Taiwan, September 19, 2025. REUTERS/Ann Wang/File Photo March 18 : A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, researchers said on Wednesday..