Critical iOS Security Flaw in Versions 18.4 to 18.6.2 Exploited by Russian Hackers

A newly uncovered cybersecurity threat has forced Apple to issue emergency software updates for older iPhone models after Russian state-sponsored hackers weaponized a sophisticated exploit to steal sensitive data from devices running iOS 18.4 through 18.6.2. The vulnerability, dubbed DarkSword by security researchers at Google’s Threat Intelligence Group, enables attackers to infiltrate iPhones via malicious links, granting access to text messages, saved passwords, cryptocurrency wallets, iCloud files, and even real-time location data. With an estimated 270 million devices still vulnerable to the attack, cybersecurity experts warn that users who have delayed updating their devices are now at significant risk of falling victim to this rapidly spreading threat.

What Is the DarkSword Exploit and How Does It Work?

DarkSword is a zero-day exploit—a type of attack that takes advantage of vulnerabilities unknown to the software vendor—discovered by Google’s Threat Intelligence Group in collaboration with cybersecurity firms Lookout and iVerify. The exploit leverages **six distinct vulnerabilities** in Safari and iOS, allowing attackers to execute a "hit-and-run" attack. Once a victim clicks on a compromised link, DarkSword silently extracts high-value data, including credentials, call logs, photos, and cryptocurrency wallet details, before disappearing without leaving a trace in traditional security logs.

The Technical Breakdown: How Hackers Gain Access

The attack begins when a user visits a malicious website, which triggers a chain reaction of exploits. DarkSword first exploits a Safari vulnerability to gain initial access, then pivots to additional weaknesses in iOS to escalate privileges. According to Lookout’s analysis, the exploit kit **Coruna**, also linked to Russian hackers, has been deployed alongside DarkSword to target specific regions, including Ukraine, Saudi Arabia, Malaysia, and Turkey. Security researchers noted that the DarkSword code was left **unobfuscated and easily accessible**, raising concerns that other cybercriminal groups could repurpose the tool for broader attacks.

Apple’s Response: Emergency Patches and a Race Against Time

Apple confirmed in an emailed statement that it had patched all underlying vulnerabilities in iOS last year. However, the company issued an **emergency software update** last week specifically for older devices that had not transitioned to newer iOS versions. The update, labeled iOS 18.7, addresses the DarkSword exploit and other security flaws uncovered by Google and its partners. Apple spokesperson Sarah O’Rourke emphasized that keeping software up to date is the most critical step users can take to protect their devices.

Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices, as these updates include the latest security fixes and protections.

Who Is Behind the DarkSword Attacks?

Google’s Threat Intelligence Group has attributed the DarkSword attacks to **Russian state-sponsored hackers**, specifically a group known for targeting high-profile individuals and organizations. These hackers have a history of using iOS exploits to compromise devices in conflict zones and regions of geopolitical interest. The group’s use of the Coruna exploit kit alongside DarkSword suggests a coordinated effort to maximize the impact of their attacks. Security firm iVerify noted that the attackers left the DarkSword code **unprotected**, which could enable less sophisticated cybercriminals to adopt and modify the tool for their own purposes.

Which iPhones Are Vulnerable and How to Protect Yourself

The DarkSword exploit affects iPhones running iOS versions **18.4 through 18.6.2**, which includes devices that have not received the latest updates. Apple’s emergency patch, iOS 18.7, is available for older models that cannot upgrade to iOS 26 or later. Users can check their iOS version by navigating to **Settings > General > About > Software Version**. Apple and Google have also blocked the malicious links used in DarkSword attacks across Safari and Chrome, adding an additional layer of defense against the exploit.

Does Lockdown Mode Protect Against DarkSword?

Yes, Apple’s **Lockdown Mode**—an extreme security feature designed for journalists, activists, and politicians—blocks the DarkSword exploit. Lockdown Mode restricts certain functionalities, such as link previews and web browsing, to prevent malicious code from executing. While it significantly enhances security, it also limits the usability of the device. For most users, installing the latest iOS update remains the most practical solution.

The Broader Implications of iOS Exploits in Geopolitical Conflicts

The DarkSword attacks highlight the growing role of **iOS exploits in state-sponsored cyber espionage and warfare**. Russian hacking groups have a long history of targeting Apple devices, particularly in regions embroiled in conflict or political tension. The use of mobile malware in Ukraine and other hotspots underscores the need for robust cybersecurity measures among high-risk individuals. As mobile devices become central to personal and professional life, the stakes for securing them have never been higher.

Key Takeaways: What You Need to Know About DarkSword

• DarkSword is a zero-day exploit targeting iPhones running iOS 18.4 to 18.6.2, enabling hackers to steal sensitive data via malicious links.
• Russian state-sponsored hackers used the exploit to target users in Ukraine, Saudi Arabia, Malaysia, and Turkey, deploying it alongside the Coruna exploit kit.
• Apple issued an emergency patch (iOS 18.7) to address the vulnerability, but users must update their devices immediately to avoid exposure.
• Lockdown Mode protects against DarkSword, but the most effective defense remains installing the latest iOS update.
• The attack’s "hit-and-run" design allows hackers to extract data silently, making detection difficult without proactive security measures.

How to Check and Update Your iOS Version

To determine if your device is vulnerable, open the **Settings** app on your iPhone, tap **General**, then **About**, and check the **Software Version**. If your device is running iOS 18.4 through 18.6.2, you should update immediately. Go to **Settings > General > Software Update** and install the latest version. For older devices that cannot upgrade to iOS 26, Apple’s emergency patch (iOS 18.7) is available and should be installed without delay.

The Future of iOS Security and Apple’s Ongoing Challenges

The DarkSword incident is the latest in a series of high-profile iOS vulnerabilities that have been exploited by state-sponsored actors. Apple has faced criticism in the past for slow response times to security threats, though the company has accelerated its patching process in recent years. The tech giant now employs a more transparent approach to disclosing vulnerabilities, often working closely with cybersecurity firms like Google and Lookout to identify and mitigate threats before they can be weaponized. However, the rapid evolution of mobile malware means that users must remain vigilant about updates and security settings.

Frequently Asked Questions About the DarkSword iOS Exploit