DarkSword iPhone exploit targeting iOS 18 at scale

Compromised websites and “no-click” iPhone compromise

DarkSword is an iPhone-hacking technique that surfaced on compromised websites and can silently pull personal data from devices running iOS 18. It doesn’t depend on a victim tapping a link, approving a prompt, or installing anything on purpose. Simply visiting an infected site is enough for the technique to work in the cases observed.

Because iOS 18 still runs on roughly a quarter of iPhones worldwide, the potential exposure is broad—especially for people using older Apple devices or older operating system versions.

What makes DarkSword unusually dangerous

The core risk isn’t just that it works—it’s how quietly it works and how little it asks of the victim. The idea is brutally simple: a normal visit to a popular website can become the moment a phone is harvested for personal information.

What DarkSword can steal from an iPhone

Passwords, messages, photos, and app data

DarkSword’s data collection is expansive. According to Lookout, it can steal:

  • Passwords
  • Photos
  • iMessage logs
  • WhatsApp logs
  • Telegram logs
  • Browser history
  • Calendar data
  • Notes data
  • Apple Health records

Crypto wallet credentials and financial risk

DarkSword also grabs cryptocurrency wallet credentials. That detail points to the possibility of a profitable sideline layered on top of intelligence-driven intrusion—because wallet access can translate directly into theft.

Who used DarkSword and where it was deployed

Ukrainian sites used as stealth delivery

Google’s researchers found DarkSword embedded in otherwise legitimate Ukrainian websites, including online news outlets and a government agency page. The goal was silent collection of data from visitors’ phones.

Targeting beyond Ukraine

The activity wasn’t limited to one country. Google identified earlier DarkSword deployments aimed at victims in:

  • Saudi Arabia
  • Turkey
  • Malaysia

In the Turkish and Malaysian cases, Google’s research links the intrusion tooling to customers of PARS Defense, described as a Turkish security and surveillance firm. The takeaway is straightforward: DarkSword has already moved across multiple groups, and adoption is likely increasing.

DarkSword vs. Coruna: different tools, same Russian operators

DarkSword appeared publicly two weeks after Coruna, another advanced iOS hacking toolkit attributed to a Russian state-sponsored espionage group. Even though the two toolkits appear to come from different developers, Google’s researchers found the same Russian spies deployed both.

A key difference in targeting scope is the iOS range:

  • Coruna targets iOS versions 13 through 17.
  • DarkSword is built to exploit most versions of iOS 18.

DarkSword also includes two separate exploit chains aimed at different vulnerabilities in earlier and later iOS 18 builds, increasing its potential victim pool.

Fileless iPhone exploitation: how DarkSword operates

Not traditional spyware, minimal forensic traces

DarkSword doesn’t behave like classic spyware that installs a persistent payload. Instead, it uses fileless techniques more commonly associated with Windows targeting. It hijacks legitimate iPhone processes to extract data, leaving minimal forensic evidence.

This approach avoids the heavier footprint of an implant that writes to the file system, where it leaves behind artifacts that are easier to detect.

The persistence trade-off: “smash-and-grab” theft

DarkSword doesn’t survive a reboot. Rather than trying to persist, it focuses on grabbing everything it can within minutes of infection—a “smash-and-grab” approach.

Why the risk of DarkSword spreading is worse: exposed source code on hacked sites

Full commented exploit code left available to copy

One of the most alarming aspects of DarkSword is how it was handled by the hackers deploying it. iVerify’s Matthias Frielingsdorf found the full, unobfuscated DarkSword source code sitting on compromised sites, complete with English-language comments explaining the components and using the DarkSword name.

That kind of exposure makes copying and redeploying the technique far easier than it should be, accelerating the risk of imitation and reuse.

Apple response, iOS updates, and device protection steps

Security updates and emergency patches for older devices

Apple pointed to its security updates addressing both Coruna and DarkSword, including emergency patches released for older devices that can’t run iOS 26. Apple emphasized that keeping software current is the single most important step users can take.

Lockdown Mode protection

Apple also noted that users who enable Lockdown Mode are protected.

How to check for iPhone software updates

To check for updates:

  1. Open Settings
  2. Tap General
  3. Tap Software Update

Detection via mobile security apps

Both iVerify and Lookout say their mobile security apps can detect DarkSword infections in the form observed so far.

Who created DarkSword: brokered exploit clues and open questions

Unknown author, likely not the Russian operators

Researchers say the creator of DarkSword remains unknown, and they agree it almost certainly wasn’t built by the Russian hackers who used it. The English-language comments in the code—apparently written to explain the tool to a customer—point toward the idea of an exploit broker firm that buys and sells capabilities.

The Coruna connection and possible broker pathways

A notable clue comes from DarkSword’s timing near Coruna. TechCrunch reported Coruna was built by Trenchant, a subsidiary of US government contractor L3Harris. A former Trenchant employee, Peter Williams, pleaded guilty to selling the company’s tools to Operation Zero, described as a Russian broker firm later sanctioned by the US government.

There’s no direct evidence tying DarkSword to Trenchant or the US government. Still, DarkSword being deployed by the same hackers who appear to have purchased Coruna suggests DarkSword may have moved through Operation Zero or a similar broker.

Criminal reuse and the wider pattern

Beyond the Russian spy campaign, Coruna was later used by cybercriminals to steal cryptocurrency from Chinese-speaking victims. That’s described as a reckless application and a possible sign that Operation Zero will sell to any group willing to pay.