DarkSword iPhone Hack Explained: 270M iOS Devices Vulnerable to Spyware

DarkSword iPhone hack exposes 270M iOS devices to spyware through 6 vulnerabilities. Update to iOS 26.3 immediately for protection against data theft attacks.


What is the DarkSword iPhone Hack?

A sophisticated new iOS exploit called DarkSword has been discovered by cybersecurity researchers from Google, iVerify, and Lookout, putting an estimated 270 million iPhones at risk of complete compromise. This advanced hack tool targets iPhones running iOS versions 18.4 through 18.7, using six different vulnerabilities to gain full control of devices through simple website visits. The Coruna spyware toolkit previously used by Russian threat actors has now been succeeded by this more aggressive 'hit-and-run' attack method that can steal sensitive data within minutes of infection.

How DarkSword Attacks iPhones

DarkSword employs a 'watering hole' attack strategy where hackers compromise legitimate websites, particularly Ukrainian government servers (.gov.ua domains), to deliver malicious payloads. When users visit these infected sites, the exploit chain begins automatically through Safari browser vulnerabilities. Unlike traditional malware that installs persistent software, DarkSword operates entirely in memory, leaving no trace after data exfiltration.

The Three-Stage Attack Process

1. Initial Compromise: Users visit compromised websites, triggering Safari vulnerabilities for remote code execution
2. Privilege Escalation: The exploit chain bypasses iOS sandbox protections and gains kernel-level access
3. Data Exfiltration: Three malware families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) work together to steal sensitive information

What Data DarkSword Steals

  • Wi-Fi passwords and network credentials
  • Text messages and call history
  • Location data and GPS coordinates
  • Browser history and saved passwords
  • Photos, emails, and personal messages
  • Health information and medical data
  • Cryptocurrency wallet details
  • SIM card information and authentication tokens

Who is Behind the DarkSword Attacks?

The primary threat actor identified is UNC6353, a suspected Russian espionage group previously associated with the Coruna exploit kit. However, researchers have found evidence that DarkSword has also been adopted by commercial surveillance vendors, including UNC6748, operating in multiple regions. The attacks have targeted users in Ukraine, China, Saudi Arabia, Turkey, and Malaysia, with hackers using both state-sponsored and commercially available infrastructure.

'DarkSword represents a significant escalation in iOS exploitation techniques,' said a Google Threat Intelligence Group spokesperson. 'The combination of six zero-day vulnerabilities and memory-only operation makes this one of the most sophisticated iPhone attacks we've seen.'

How Many iPhones Are Vulnerable?

According to security researchers, approximately 270 million iPhones running iOS versions 18.4 through 18.7 remain vulnerable to DarkSword attacks. This represents about 14.2% of all active iPhone users globally. The vulnerability primarily affects devices that haven't been updated to iOS 26, which includes many older iPhone models and devices with delayed software updates.

iOS Version       | Vulnerable to DarkSword | Estimated Devices
iOS 18.4 - 18.6.2 | Yes                     | 221 million
iOS 18.7          | Yes                     | 49 million
iOS 26+           | No                      | Protected

Protection and Security Recommendations

Apple has patched all six vulnerabilities in iOS 26.3, released in February 2026. Users are strongly advised to update their devices immediately to the latest iOS version. For devices that cannot be updated to iOS 26, Apple recommends enabling Lockdown Mode as an extreme security measure that significantly reduces attack surfaces.

Step-by-Step Protection Guide

1. Update Immediately: Go to Settings > General > Software Update and install iOS 26.3 or later
2. Enable Lockdown Mode: For vulnerable devices, activate Settings > Privacy & Security > Lockdown Mode
3. Monitor Suspicious Activity: Watch for unusual battery drain, data usage, or performance issues
4. Use Security Software: Consider installing reputable mobile security applications
5. Avoid Suspicious Links: Be cautious when clicking links, especially from unknown sources
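
For anyone responsible for more than one device, the version ranges given in this article can be checked against a device inventory export. The script below is an added example, not code from Apple or from the researchers named here; the CSV columns (device, os_version) and the sample rows are constructed, and counting every 18.7.x build as inside the 18.4 to 18.7 range is an assumption.

```python
import csv
import io
import re

# Ranges as stated in the article: affected iOS 18.4 through 18.7, fixes in iOS 26.3.
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)
FIXED = (26, 3)

def parse_version(text):
    """Return (major, minor) from '18.6.2' or 'iOS 26.3'; None if unparseable."""
    m = re.fullmatch(r"\s*(?:iOS\s*)?(\d+)(?:\.(\d+))?(?:\.\d+)*\s*",
                     text or "", re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(version_text):
    """Map a reported OS version to a triage bucket."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # missing or malformed field: check by hand
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"         # update, or enable Lockdown Mode if it cannot update
    if v >= FIXED:
        return "patched"
    if v[0] >= 26:
        return "below-26.3"       # on iOS 26 but older than the recommended 26.3
    return "outside-range"        # older than 18.4: not in the range the article lists

def triage(inventory_csv):
    """Group device names by bucket from CSV text with device,os_version columns."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device"])
    return buckets

# Constructed sample inventory (not real devices).
SAMPLE = """device,os_version
phone-a,18.6.2
phone-b,iOS 18.7.1
phone-c,26.3
phone-d,26.2
phone-e,18.3.2
phone-f,
"""

if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE).items()):
        print(f"{bucket}: {', '.join(devices)}")
```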

Impact on Global Cybersecurity

The discovery of DarkSword highlights the evolving threat landscape for mobile devices, particularly the increasing sophistication of state-sponsored cyber attacks targeting consumer technology. The exploit's availability on secondary markets suggests that similar attacks may proliferate, putting additional users at risk. Security experts warn that the techniques used in DarkSword could be adapted for future attacks against other mobile platforms.

'This isn't just about iPhone security,' noted an iVerify researcher. 'DarkSword demonstrates how advanced exploitation frameworks are becoming commoditized and accessible to a wider range of threat actors, including commercial surveillance companies and criminal organizations.'

Frequently Asked Questions (FAQ)

What is DarkSword?

DarkSword is a sophisticated iOS exploit kit that uses six vulnerabilities to completely compromise iPhones running iOS 18.4 through 18.7, stealing sensitive data through memory-only attacks.

How many iPhones are affected?

Approximately 270 million iPhones worldwide remain vulnerable to DarkSword attacks, representing about 14.2% of all active iPhone users.

How can I protect my iPhone?

Update to iOS 26.3 or later immediately. For devices that cannot update, enable Lockdown Mode in Settings > Privacy & Security.

What data does DarkSword steal?

The malware steals Wi-Fi passwords, text messages, call history, location data, browser history, photos, health information, and cryptocurrency wallet details.

Who is behind the attacks?

Primary threat actors include Russian espionage group UNC6353 and commercial surveillance vendors, with attacks targeting users in Ukraine, Saudi Arabia, Turkey, Malaysia, and China.

Is iOS 26 vulnerable?

No, iOS 26 includes patches for all six vulnerabilities used by DarkSword. Only iOS versions 18.4 through 18.7 are affected.

