New iPhone 'DarkSword' Spyware Poses Widespread Hacking Risk

Cybersecurity researchers have identified a potent new iPhone spyware tool named 'DarkSword' that can steal sensitive data, including cryptocurrency wallet information. This sophisticated malware exploits vulnerabilities in older iOS versions and can be delivered through compromised websites, potentially affecting millions of users globally. Apple urges users to update their devices immediately to patch these security flaws.

Key Highlights

  • New 'DarkSword' spyware targets millions of iPhones globally.
  • Malware steals sensitive data and cryptocurrency wallet information.
  • Exploits vulnerabilities in older iOS versions.
  • Delivered via compromised websites without user interaction.
  • Apple urges immediate software updates for protection.
  • Affects users running iOS versions 18.4 to 18.6.2.

A new and sophisticated spyware tool, dubbed 'DarkSword,' has been discovered that poses a significant threat to millions of iPhone users worldwide. Researchers from Google Threat Intelligence Group, Lookout, and iVerify have identified this malware, capable of penetrating Apple devices and stealing sensitive data, including cryptocurrency wallet information [3, 5, 7, 8, 10].

DarkSword operates through compromised websites, meaning users do not need to click on suspicious links or download malicious applications for their devices to be infected. This 'smash-and-grab' approach allows the spyware to quickly exfiltrate data such as passwords, photos, messages, browser history, notes, calendar data, health data, and even cryptocurrency wallet credentials before disappearing after a reboot [4, 7]. The sophistication of DarkSword is highlighted by its ability to achieve privileged code execution to access and exfiltrate sensitive information [4].

The primary vulnerability exploited by DarkSword affects older versions of Apple's iOS operating system, specifically versions 18.4 to 18.6.2, which were released between March and August 2025 [3, 10]. It is estimated that hundreds of millions of iPhones may still be running these older, vulnerable versions [3, 10]. The exploit chain utilizes six different vulnerabilities to deploy its final-stage payloads [8].

Researchers have observed DarkSword being used in distinct campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The campaigns in Malaysia and Turkey have been associated with the Turkish commercial surveillance vendor PARS Defense [3]. Notably, the full DarkSword code was reportedly found exposed and well-documented on compromised Ukrainian websites, which could facilitate its reuse by other malicious actors and signals a broader, more reckless market for sophisticated iPhone exploits [5, 7]. This proliferation of exploit chains across different threat actors, including suspected state-linked hackers and commercial vendors, is a growing concern [3, 8].

This discovery follows closely on the heels of another powerful iPhone spyware tool called 'Coruna,' which was revealed by Google and iVerify on March 3, 2026. DarkSword was found on the same servers used by suspected Russian operators of Coruna, indicating a flourishing market for such malware [3, 5, 10]. Both DarkSword and Coruna demonstrate advanced spyware capabilities that have moved from elite espionage to wider criminal use [7].

In response to these threats, Apple is urging all users to update their iPhones immediately to the latest available software versions. Apple states that keeping software up to date is the single most important action users can take to protect their devices [4, 10]. The company has addressed the vulnerabilities exploited by DarkSword and Coruna in its latest security updates [10]. Historically, Apple has also utilized Rapid Security Responses (RSRs) to deliver critical security patches more quickly between major operating system updates, often addressing zero-day vulnerabilities that are actively exploited in the wild [13, 15, 16].

While the current attacks have been primarily observed outside the US, the global nature of the iPhone user base means that this threat could extend to users in any region [4]. The discovery of DarkSword and similar advanced spyware tools underscores the evolving landscape of mobile security threats and the persistent need for vigilance and prompt software updates. The research indicates that the market for sophisticated malware capable of stealing data and cryptocurrency is flourishing, with zero-day exploits now spreading beyond state-sponsored espionage into broader criminal activities [3].

Frequently Asked Questions

What is DarkSword?

DarkSword is a new and sophisticated spyware tool that targets Apple iPhones. It is capable of stealing sensitive data, including cryptocurrency wallet information, and operates by exploiting vulnerabilities in older iOS versions.

How does DarkSword infect iPhones?

DarkSword is delivered through compromised websites. Users do not need to click on malicious links or download any files; simply visiting an infected website can be enough for the spyware to be installed and begin exfiltrating data.

Which iPhone users are most at risk?

Users running older versions of iOS, specifically versions 18.4 to 18.6.2 (released between March and August 2025), are most at risk. Hundreds of millions of iPhones may still be running these vulnerable versions.
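
For teams managing a fleet, the version range above can be checked against a device inventory export. The following is an added example, not code from the researchers or from Apple; the CSV column names (`device_id`, `os_version`) and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Inclusive iOS range this page reports as exploited by DarkSword.
RANGE_LOW = (18, 4, 0)
RANGE_HIGH = (18, 6, 2)


def parse_ios_version(text):
    """Return a (major, minor, patch) tuple, or None if the string is unusable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "18.4" -> (18, 4, 0)


def triage(inventory_csv):
    """Group device ids by status: in_range, outside_range, unparsed."""
    result = {"in_range": [], "outside_range": [], "unparsed": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_ios_version(row.get("os_version") or "")
        if version is None:
            result["unparsed"].append(row["device_id"])  # needs manual review
        elif RANGE_LOW <= version <= RANGE_HIGH:  # numeric, not string, compare
            result["in_range"].append(row["device_id"])
        else:
            result["outside_range"].append(row["device_id"])
    return result


# Constructed sample inventory; device ids and version strings are made up.
SAMPLE = """device_id,os_version
phone-01,18.4
phone-02,18.6.2
phone-03,18.6.3
phone-04,18.3.2
phone-05,18.5
phone-06,
phone-07,26.1
phone-08,18.10
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(status, devices)
```

`outside_range` only means the device is outside the range reported here; it does not show the device is on the latest release. Comparing tuples rather than raw strings avoids misordering values such as `18.10` against `18.4`.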

What is the best way to protect my iPhone from DarkSword?

The most crucial step is to update your iPhone to the latest available iOS version immediately. Apple has released security patches to address the vulnerabilities exploited by DarkSword.

Is this spyware limited to certain countries?

While initial reports indicate targeted campaigns in Saudi Arabia, Turkey, Malaysia, and Ukraine, the global nature of the iPhone user base means that the threat could potentially affect users worldwide.
