A sophisticated new iPhone hacking tool known as DarkSword has been detected in active espionage campaigns, allowing cybercriminals and state-sponsored hackers to remotely compromise Apple devices running outdated operating systems when a victim merely visits a compromised website. Discovered by researchers at Google, iVerify, and Lookout, the tool exploits vulnerabilities in iOS 18, an operating system still running on nearly a quarter of all iPhones as of March 2026 despite Apple’s rollout of the more secure iOS 26 in fall 2025. Cybersecurity experts warn that the discovery underscores a troubling trend: once-exclusive espionage tools are now proliferating across criminal markets, putting ordinary users at risk.
What Is DarkSword and How Does It Work?
DarkSword is a ‘zero-click’ exploit that enables attackers to silently infiltrate iPhones without requiring any interaction from the victim. Unlike traditional spyware, which installs persistent malware on a device, DarkSword operates as a ‘fileless’ attack, hijacking legitimate iOS processes to exfiltrate sensitive data before the user even realizes their device has been compromised. According to cybersecurity firm iVerify, the attack is designed to extract a trove of personal information, including saved passwords, browsing history, photos, and even cryptocurrency wallet credentials.
The Stealthy ‘Smash-and-Grab’ Approach to Data Theft
One of the most alarming features of DarkSword is its ability to operate undetected by leveraging the iPhone’s own system processes. Rocky Cole, cofounder and CEO of iVerify, explained in an interview with Wired that the tool avoids brute-force file system attacks—methods that leave digital footprints—by instead repurposing normal operating system functions. “Instead of using spyware to force its way through the file system—which leaves artifacts that are easy to detect—DarkSword uses system processes the way they’re meant to be used,” Cole said. “It’s a smash-and-grab operation: data is stolen within minutes, and traces disappear after a reboot.”
This transient nature means the attack doesn’t persist on the device, reducing the likelihood of detection. However, it also highlights the tool’s efficiency: once a vulnerable iPhone visits an infected website, its data is compromised almost immediately. Lookout, another cybersecurity firm involved in the discovery, confirmed that DarkSword can extract data from apps like iMessage, WhatsApp, Telegram, Calendar, Notes, and Apple’s Health app—effectively capturing a user’s entire digital footprint.
Who Is Behind the DarkSword Attacks and Where Have They Targeted Victims?
The DarkSword campaign has been linked to Russian state-sponsored hacking groups, which have embedded the exploit into legitimate-looking websites—including Ukrainian news outlets and government agency sites—to harvest data from unsuspecting visitors. Google’s Threat Analysis Group (TAG) reported that the same Russian operatives also deployed an unrelated but more advanced iPhone hacking toolkit called Coruna earlier this month, indicating a pattern of rapid adoption of new espionage tools.
Global Reach of DarkSword: From Turkey to Malaysia
Beyond the Russian operations, DarkSword has already been detected in attacks targeting users in Saudi Arabia, Turkey, and Malaysia. In Turkey and Malaysia, researchers found evidence linking the tool to PARS Defense, a Turkish security and surveillance firm. According to Google’s analysis, customers of PARS Defense appear to have deployed DarkSword to compromise specific targets. Matthias Frielingsdorf, an iVerify researcher, noted that the Russian hackers left DarkSword’s full, unobscured code—complete with explanatory comments and the tool’s name—publicly accessible on compromised sites, essentially providing a ‘how-to guide’ for any cybercriminal willing to repurpose it.
Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It's as simple as that. It's all nicely documented, also. It's really too easy.
Why Are So Many iPhones Still Vulnerable to DarkSword?
The primary reason DarkSword remains a widespread threat is the slow user adoption of iOS 26, Apple’s latest operating system, released in September 2025. Despite Apple’s push for users to update, nearly 25% of iPhones were still running iOS 18 as of February 2026, according to data from both Apple and StatCounter. This delayed migration leaves millions of users exposed to known vulnerabilities that DarkSword exploits. Apple has since released emergency security patches for older devices, including iOS 18, but many users either ignore updates or are unaware of the risks.
The Rise of iOS Exploit Brokers: A Growing Black Market
The discovery of DarkSword alongside Coruna has raised alarms about the commercialization of iPhone hacking tools. Cybersecurity experts suspect that DarkSword was originally developed by a third-party exploit broker—likely a firm like Trenchant, a subsidiary of US defense contractor L3Harris, which sells hacking tools to government agencies. While DarkSword hasn’t been directly tied to Trenchant, its deployment by the same Russian actors who used Coruna suggests it may have been acquired through a black-market broker such as Operation Zero, a Russian firm sanctioned by the US in 2024 for selling cyberweapons to foreign actors.
The proliferation of tools like DarkSword and Coruna marks a significant shift in the cyber threat landscape. Justin Albrecht, head of mobile threat intelligence at Lookout, noted that these exploits were once reserved for high-value targets like journalists or activists, but are now being commoditized for use by cybercriminals. “People assumed that iOS exploits were only a concern for a small group of high-profile individuals,” Albrecht said. “Now, with tools like DarkSword being sold through unscrupulous brokers, there’s a whole market for this to get into the hands of anyone with the resources to buy it—and they won’t hesitate to use it indiscriminately.”
Apple’s Response: Patches, Lockdown Mode, and User Responsibility
In response to the DarkSword and Coruna threats, Apple has released emergency security updates for devices unable to upgrade to iOS 26. The company emphasized that keeping software up to date is the most critical step users can take to protect their devices. Additionally, Apple highlighted Lockdown Mode—a stringent security setting designed for high-risk users—which can block such exploits entirely.
Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices. Users who enable iOS’s strictest security setting known as Lockdown Mode are also protected.
Key Takeaways: What You Need to Know About DarkSword
- DarkSword is a ‘fileless’ iPhone hacking tool that silently compromises devices running iOS 18 by exploiting iOS vulnerabilities when the device visits a malicious website. Nearly 25% of iPhones remain on this outdated OS, leaving them exposed.
- The attack steals a wide range of data, including passwords, photos, messaging app logs, cryptocurrency wallet credentials, and health app information—all without leaving persistent traces on the device.
- Researchers have linked DarkSword to Russian state-sponsored hackers, who embedded it in compromised Ukrainian news and government sites, as well as to cybercriminals in Turkey, Malaysia, and Saudi Arabia.
- The tool’s source code was left publicly accessible on compromised sites, making it easy for other hackers to adopt and repurpose, signaling a dangerous commoditization of iOS exploits.
- Apple has released emergency patches for older iPhones and urges users to enable Lockdown Mode for maximum protection, though adoption of iOS 26 remains slow.
The Broader Implications: A New Era of iPhone Security Threats
The emergence of DarkSword and Coruna represents a pivotal moment in mobile security. Historically, iOS was considered one of the most secure consumer operating systems due to Apple’s strict control over its ecosystem and rapid patch deployment. However, the commercialization of zero-click exploits—particularly those sold by brokers to state actors and cybercriminals—has eroded this advantage. The fact that two separate, advanced iPhone hacking tools were deployed within weeks of each other suggests that the market for iOS vulnerabilities is thriving, driven by demand from both intelligence agencies and profit-motivated hackers.
This trend mirrors the evolution of Android malware, where exploit kits and ransomware-as-a-service models have made sophisticated attacks accessible to even low-skilled cybercriminals. If the iPhone ecosystem follows a similar path, users may soon face a wave of opportunistic attacks targeting ordinary consumers—not just high-profile targets. “The barrier to entry for iOS exploitation is dropping,” said Albrecht. “What was once a specialized tool for nation-state actors is now within reach of any cybercriminal with a credit card and a server.”
How to Protect Your iPhone from DarkSword and Future Threats
Apple has provided clear guidance on mitigating risks from DarkSword and similar threats. The most immediate step is to update your iPhone to the latest version of iOS. For devices unable to run iOS 26, Apple has released emergency patches that address the vulnerabilities exploited by DarkSword. To check for updates, navigate to Settings > General > Software Update. Users should also enable Lockdown Mode, which significantly tightens security by disabling certain features that could be exploited. Additionally, cybersecurity firms like iVerify and Lookout offer detection tools that can identify if a device has been compromised.
The Future of iOS Security: Can Apple Keep Up?
Apple’s ability to combat threats like DarkSword hinges on two critical factors: the speed of its software updates and the adoption rate among users. While the company has demonstrated responsiveness by issuing emergency patches, the slow rollout of iOS 26 suggests that user education and system design may need to evolve. Features like automatic security updates—already implemented for critical vulnerabilities in some regions—could become standard to reduce reliance on user action. Moreover, Apple may need to rethink its approach to exploit defense, potentially incorporating more robust sandboxing or runtime protection mechanisms to limit the impact of fileless attacks like DarkSword.
Frequently Asked Questions About the DarkSword iPhone Hack
- Which iPhones are vulnerable to DarkSword?
- DarkSword primarily targets iPhones running iOS 18, which still powers nearly a quarter of all devices as of early 2026. Apple’s latest OS, iOS 26, is not affected by this exploit, but devices unable to upgrade can install emergency security patches released in March 2026.
- How can I tell if my iPhone has been hacked by DarkSword?
- DarkSword leaves minimal traces, but cybersecurity apps from iVerify and Lookout can detect infections. Signs of compromise may include unusual battery drain, unexpected app behavior, or unexplained data usage. Enabling Lockdown Mode in iOS settings can also help prevent such attacks.
- Who is responsible for creating DarkSword?
- The exact creators of DarkSword remain unknown, but researchers suspect it was developed by a third-party exploit broker, possibly linked to firms like Trenchant (a subsidiary of L3Harris) or acquired through sanctioned entities like Operation Zero. The tool’s public exposure suggests it was sold widely before being detected.




