New iPhone hacking tool puts hundreds of millions of devices at risk

[Image: DarkSword iPhone hacking tool. Caption: Don't let hackers take over your iPhone. AI image: ChatGPT/Cult of Mac]

A sophisticated hacking technique called DarkSword, capable of silently taking over iPhones the moment a user visits an infected website, has been discovered in active use — and Apple users running older software are squarely in the crosshairs, according to a new report Wednesday. 

If you haven’t updated to the latest iOS for your device, do so now.

DarkSword iPhone hacking tool threatens millions of devices

Researchers at Google, iVerify and Lookout jointly revealed the existence of DarkSword, describing it as one of the most significant iPhone security threats seen in recent years, according to Wired. It can take over iPhones running iOS 18 simply when their user visits an infected website. iOS 18 still runs on about a quarter of iPhones in use, according to Apple. The latest version is iOS 26.3.

What is DarkSword and who is at risk?

DarkSword is a web-based exploit that can silently compromise an iPhone the instant its browser loads an infected page — no taps, no downloads, no warning. It targets devices running iOS 18, Apple’s previous operating system release. As of last month, roughly a quarter of all iPhone users were still on iOS 18, meaning hundreds of millions of devices remain potentially exposed.

The technique does not affect iPhones running the current iOS 26, but Apple has also released emergency security patches for older devices unable to upgrade to that version.

iVerify cofounder Rocky Cole put the risk bluntly: “A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website.”

What can DarkSword steal?

The scope of what DarkSword can harvest from a compromised device is sweeping. According to Lookout, the tool is designed to extract passwords, photos and browser history, as well as message logs from iMessage, WhatsApp, and Telegram.

It can also access Calendar and Notes data, Apple Health records and cryptocurrency wallet credentials. That suggests the hackers behind it may have been running a profitable side operation beyond pure espionage.

How it works — and why it’s hard to detect

Unlike traditional spyware, DarkSword doesn’t install itself persistently on a device. Instead, it uses techniques more commonly associated with “fileless” malware. It hijacks the iPhone’s own legitimate system processes to extract data within minutes of infection, leaving little trace behind. A simple reboot clears the infection, though by then the damage may already be done.

“Instead of using a spyware payload to brute force your way through the file system,” Cole explained, this approach “uses system processes the way they’re meant to be used. And it leaves far fewer traces.”

Russian hackers and a careless slip

Researchers linked DarkSword’s most recent use to a Russian state-sponsored espionage group. It targeted iPhones by embedding the tool in legitimate Ukrainian websites, including news outlets and a government agency site. Earlier deployments targeted users in Saudi Arabia, Turkey and Malaysia. Evidence also points to involvement by Turkish surveillance firm PARS Defense as a customer.

In a significant operational blunder, the Russian hackers left the complete, uncommented DarkSword code openly accessible on compromised sites. It included English-language notes explaining each component and even the tool’s name. Researchers warn this essentially hands a ready-made hacking kit to any bad actor willing to look for it.

“Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones,” said iVerify researcher Matthias Frielingsdorf. “It’s as simple as that.”

A growing black market for iPhone exploits

DarkSword’s emergence comes just weeks after the exposure of another powerful iPhone hacking toolkit called Coruna, reportedly created by US government contractor Trenchant. It was later sold to Russian hackers via a sanctioned broker firm called Operation Zero. While DarkSword’s origins remain unclear, its use by the same Russian group raises the likelihood it passed through a similar pipeline.

Security researchers say the pattern signals a troubling shift in how high-end iPhone exploits are traded and deployed. They’re moving from rare, surgical attacks against journalists and dissidents toward widespread, indiscriminate use by cybercriminals.

“People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted,” said Justin Albrecht of Lookout. “Now that we see iOS exploits being delivered through an unscrupulous broker, there’s a whole market here for this to get to cybercriminals.”

What you should do right now

Apple has confirmed that keeping iOS up to date is the most important step users can take. To check your version, go to Settings > General > Software Update. Users who enable Lockdown Mode are also protected. Both iVerify and Lookout offer security apps that can detect known forms of DarkSword on compromised devices.
