Google Warns: iOS Malware 'DarkSword' Steals Crypto from Unpatched iPhones
Google security researchers have uncovered a sophisticated iOS exploit chain, dubbed 'DarkSword,' that targets unpatched iPhones running iOS versions 18.4 to 18.7. The payload it installs, a malware known as 'Ghostblade,' is designed to steal sensitive data, particularly from cryptocurrency exchange and wallet applications, and is delivered via compromised websites. Users are urged to update their devices immediately.
Key Highlights
- Google's GTIG discovered 'DarkSword' exploit chain.
- Malware 'Ghostblade' targets crypto apps on unpatched iPhones.
- Affects iOS versions 18.4 through 18.7, patched in iOS 26.3.
- Exploit leverages six vulnerabilities, including zero-days.
- Steals crypto wallet data, messages, passwords, and more.
- Attacks observed in Saudi Arabia, Ukraine, Turkey, and Malaysia.
Google's Threat Intelligence Group (GTIG) has issued a critical warning regarding a sophisticated iOS exploit chain, dubbed 'DarkSword,' which has been actively used since late 2025 to compromise unpatched iPhones. The exploit specifically targets devices running iOS versions 18.4 through 18.7, leveraging a series of six vulnerabilities, including multiple zero-days, to gain unauthorized access. Once a user visits a malicious or compromised website with a vulnerable device, the DarkSword exploit is deployed, installing a potent malware payload known as 'Ghostblade.'
The primary objective of the 'Ghostblade' malware is to perform rapid data exfiltration, adopting a 'hit-and-run' approach where it quickly collects sensitive information before attempting to delete its traces and terminate itself. This makes detection particularly challenging for affected users. The malware is designed to actively hunt for and steal data from a wide array of cryptocurrency exchange applications, including major platforms like Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC. Furthermore, it targets popular crypto wallet applications such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.
Beyond cryptocurrency-related assets, 'Ghostblade' is alarmingly comprehensive in its data theft capabilities. It is capable of exfiltrating a vast amount of personal and private information from compromised devices. This includes SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health data, photos, saved passwords, and even message histories from popular communication apps like Telegram and WhatsApp.
Google's GTIG, which discovered these vulnerabilities, reported them to Apple towards the end of 2025. Apple subsequently addressed these critical flaws with the release of iOS 26.3, and some vulnerabilities were patched even prior to that. This highlights the ongoing importance for iPhone users to keep their operating systems updated to the latest available versions to protect against such sophisticated threats.
The threat actors behind the 'DarkSword' campaigns are diverse, ranging from commercial spyware vendors to suspected state-backed groups. Google has, for instance, attributed some campaigns to a group it tracks as UNC6353, identified as a likely Russian-backed espionage entity. Observed campaigns have targeted users in various countries, including Saudi Arabia (using a fake Snapchat lookalike app), Ukraine (through compromised websites, including a government site), Turkey, and Malaysia. Some campaigns in Malaysia and Turkey were linked to the Turkish commercial surveillance vendor PARS Defense.
It is important to differentiate 'DarkSword' from other well-known iOS exploit campaigns like 'Operation Triangulation' and 'Pegasus' spyware. While all are highly sophisticated and utilize zero-click exploits and iOS vulnerabilities, 'Operation Triangulation' was disclosed by Kaspersky in June 2023, and 'Pegasus' by Citizen Lab and Lookout in August 2016. 'DarkSword' represents a more recent and distinct threat identified by Google.
For an audience in India, this news carries significant relevance. While the immediate targets mentioned are in other regions, the global nature of cybercrime and the widespread adoption of iPhones and cryptocurrency applications worldwide, including India, mean that users here are equally susceptible if their devices are not updated. Previous research, such as ESET's 2022 findings, has already highlighted sophisticated crypto-stealing schemes targeting mobile users in India and other Asian markets, indicating a persistent regional threat landscape. Kaspersky also reported a crypto-stealing Trojan active in the AppStore and Google Play since March 2024, targeting users in the UAE, Europe, and Asia. Therefore, Indian iPhone users involved in cryptocurrency are strongly advised to heed these warnings and ensure their devices are running the latest iOS versions to mitigate the risk of falling victim to 'DarkSword' or similar exploits.
Frequently Asked Questions
What is the 'DarkSword' exploit and how does it work?
'DarkSword' is a sophisticated iOS exploit chain discovered by Google's Threat Intelligence Group. It leverages six vulnerabilities, including multiple zero-days, to deploy malware called 'Ghostblade' on unpatched iPhones running iOS versions 18.4 through 18.7. The infection occurs when users visit malicious or compromised websites, allowing the malware to quickly steal sensitive data.
Which iPhones and iOS versions are vulnerable to 'DarkSword' malware?
iPhones running iOS versions 18.4 through 18.7 are specifically vulnerable to the 'DarkSword' exploit. Apple has since patched these vulnerabilities in later iOS updates, including iOS 26.3. Users with older, unpatched devices are at risk.
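As an added example (not from the article or from Google's report), the following Python script triages a device inventory against the iOS range reported above, so an administrator can see which devices still sit in the 18.4 to 18.7 window and which have reached the 26.3 fix release. The inventory lines, device ids and the 'affected' / 'update' / 'patched' labels are constructed for the example.

```python
"""Triage an MDM export against the iOS range reported for DarkSword (18.4-18.7).
Added example, not from the article; inventory lines and labels are constructed.
Versions are compared as int tuples, never strings ("18.10" < "18.7" as text).
"""
AFFECTED_MIN = (18, 4)   # lower bound of the range the article reports
AFFECTED_MAX = (18, 7)   # upper bound (any 18.7.x patch level)
FIXED = (26, 3)          # release the article says addressed the chain

def parse_version(text: str) -> tuple:
    """Turn '18.7.2' into (18, 7, 2); reject junk instead of guessing."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version: str) -> str:
    v = parse_version(version)
    major_minor = v[:2] if len(v) > 1 else (v[0], 0)
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "affected"      # inside the reported DarkSword range
    if v >= FIXED:
        return "patched"       # at or past the release that closed the chain
    return "update"            # outside the reported range, but not on 26.3 either

def triage(inventory: str) -> dict:
    """Group device ids by status from 'device_id,ios_version' lines."""
    result = {"affected": [], "update": [], "patched": [], "invalid": []}
    for line in inventory.strip().splitlines():
        device_id, _, ver = line.partition(",")
        try:
            result[classify(ver)].append(device_id)
        except ValueError:
            result["invalid"].append(device_id)   # unparsable version field
    return result

# Constructed sample MDM export, not real data.
SAMPLE_INVENTORY = """\
iphone-001,18.4
iphone-002,18.7.2
iphone-003,18.3.1
iphone-004,26.3
iphone-005,26.2
iphone-006,18.10
iphone-007,n/a
"""

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(ids) or '-'}")
```

Note that iphone-006 (18.10) lands in 'update', not 'affected': a naive string comparison would have sorted "18.10" below "18.4" and misfiled it.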
What kind of data can 'Ghostblade' malware steal from my iPhone?
The 'Ghostblade' malware is designed to steal a wide range of sensitive information. This includes data from major cryptocurrency exchange and wallet applications, SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari browsing history, location data, photos, saved passwords, and chat logs from apps like Telegram and WhatsApp.
How can I protect my iPhone from the 'DarkSword' exploit and similar threats?
The most crucial step is to immediately update your iPhone to the latest available iOS version. Apple regularly releases security patches for discovered vulnerabilities. Additionally, avoid visiting suspicious or untrusted websites, be cautious about clicking on unknown links, and ensure your device's security features like Safari's Safe Browsing are enabled.
Is this threat relevant to iPhone users in India?
Yes, while immediate campaigns were observed in countries like Saudi Arabia, Ukraine, Turkey, and Malaysia, the global nature of cyber threats means that iPhone users in India are also susceptible. The widespread use of iPhones and cryptocurrency in India, combined with previous instances of crypto-stealing malware targeting users in Asia, makes this a relevant and important alert for Indian users to update their devices.