What is DarkSword? New iPhone spyware targets millions; all you need to know

A new exploit called DarkSword has emerged as a major threat to iPhone users worldwide. Discovered by researchers from Google, Lookout, and iVerify, this tool can silently compromise devices simply by visiting infected websites. It steals sensitive data like passwords, messages, photos, and even cryptocurrency wallet information. This marks the second major iOS spyware revelation in March 2026, following the "Coruna" exploit kit.

What exactly is DarkSword, and how does it work?

DarkSword is a full-chain exploit kit that uses six vulnerabilities, including several zero-days, to gain deep access to iPhones. It targets devices running iOS 18.4 through 18.7. Attackers inject malicious code into legitimate websites, often via compromised servers. When a vulnerable iPhone visits one, the exploit runs automatically with no user action needed beyond loading the page.

Once inside, it escalates privileges to the kernel level and deploys payloads like GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. These quickly collect and exfiltrate data before cleaning up traces, making detection difficult. Notably, the attack is "fileless," hijacking legitimate iOS processes rather than installing permanent malware.

Which iPhones are at risk and how many could be affected?

DarkSword primarily hits older iOS 18 versions (18.4 to 18.6.2 in many cases, up to 18.7 in others). Apple patched the vulnerabilities in later updates, such as iOS 18.3 or newer releases in late 2025 and early 2026. However, many users delay updates.

Security firms estimate 220 million to 270 million iPhones still run vulnerable versions, based on public adoption data. This represents a huge potential victim pool, though actual infections depend on exposure to compromised sites.

Who is behind the DarkSword attacks?

Researchers link DarkSword to multiple actors. A suspected Russian espionage group, UNC6353, deployed it in watering hole attacks on Ukrainian websites, including news outlets and even a government site. These campaigns, active since late 2025, targeted Ukrainians but used sloppy operational security, suggesting less caution than typical state operations.

Commercial surveillance vendors also use DarkSword, hitting users in Saudi Arabia, Turkey, and Malaysia. This shows a growing marketplace where advanced exploits spread from elite developers to criminals and spies.

How does DarkSword compare to the recent Coruna exploit?**

Just weeks earlier, on March 3, 2026, Google and iVerify exposed Coruna, another powerful iOS exploit kit using 23 vulnerabilities across older versions (iOS 13 to 17.2.1). DarkSword shares infrastructure with Coruna attacks and follows a similar pattern of proliferation.

This indicates sophisticated tools, once limited to governments, now fuel broader cybercrime, including crypto theft.

What should iPhone users do to protect themselves?

Update to the latest iOS version immediately. Apple has patched these flaws. Enable Lockdown Mode for high-risk users. Avoid suspicious links, and consider tools like iVerify for detection. Apple did not comment on the reports but emphasized timely updates.