New DarkSword hack tool can secretly break into millions of iPhones


Cybersecurity researchers have uncovered a powerful iPhone hacking technique known as DarkSword, a tool capable of compromising hundreds of millions of devices through compromised websites.

The technique was discovered by researchers from Google, iVerify, and Lookout, who revealed on Wednesday that attackers have used it in active campaigns. The exploit can instantly and silently compromise vulnerable iPhones that visit malicious web pages. DarkSword targets devices running iOS 18, Apple’s previous operating system, which still powered close to a quarter of all iPhones as of last month, according to Apple’s own numbers.

“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website,” said Rocky Cole, cofounder and CEO of iVerify. “Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable.”

Researchers estimate that iPhones running iOS versions 18.4 through 18.7 may be susceptible to DarkSword attacks, representing roughly 270 million devices worldwide.

Advanced iPhone exploitation techniques have historically been difficult to observe outside of targeted surveillance operations. Hackers typically used these tools carefully against a small number of selected victims. Recent espionage and cybercrime campaigns, however, have embedded these tools into infected websites that can compromise devices automatically.

DarkSword is a complete exploit chain, meaning it uses multiple software vulnerabilities together to break into a device and extract information. According to the Google Threat Intelligence Group, the exploit uses six different vulnerabilities to fully compromise a vulnerable iOS device.

These vulnerabilities include three flaws in WebKit, the browser engine used by Apple’s Safari browser and, outside the EU (where Apple has been required to allow alternative engines), by every other browser on iOS and iPadOS; two vulnerabilities in the iOS kernel; and one vulnerability in the Dynamic Link Editor (dyld) component of Apple’s operating systems.

Apple released patches for these flaws across several updates. CVE-2025-31277, a WebKit vulnerability, was fixed in iOS 18.6 in July 2025. CVE-2025-43510 and CVE-2025-43520, both kernel vulnerabilities, were fixed in iOS 26.1 and iOS 18.7.2 in November 2025. Additional WebKit vulnerabilities, CVE-2025-43529 and CVE-2025-14174, were fixed in iOS 26.2 and iOS 18.7.3 in December 2025, following reports of targeted exploitation. The final vulnerability, CVE-2026-20700 in the dyld component, was fixed in iOS 26.3 in February 2026, also after confirmed zero-day exploitation.
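Because the fixes landed across two release branches (iOS 18.x and iOS 26.x) over seven months, working out which of the six bugs a given installed build still carries is error-prone by hand. The following script is an added example, not tooling from Google, iVerify, Lookout or Apple; it encodes only the fix versions stated in the paragraph above and compares an installed version against them branch by branch. Where the article states no iOS 18.x fix (the dyld bug, CVE-2026-20700), the script reports the bug as unfixed on that branch rather than assuming one.

```python
"""Triage helper: which of the six DarkSword CVEs named in the article has
Apple fixed on the branch a given iPhone is running?

Added example for this article; fix versions are those reported above, not a
complete record of Apple's advisories.
"""

# CVE -> (component, fix versions reported in the article, one per branch).
# No iOS 18.x fix for CVE-2026-20700 is stated in the article, so none is listed.
DARKSWORD_FIXES: dict[str, tuple[str, list[str]]] = {
    "CVE-2025-31277": ("WebKit", ["18.6"]),
    "CVE-2025-43510": ("kernel", ["18.7.2", "26.1"]),
    "CVE-2025-43520": ("kernel", ["18.7.2", "26.1"]),
    "CVE-2025-43529": ("WebKit", ["18.7.3", "26.2"]),
    "CVE-2025-14174": ("WebKit", ["18.7.3", "26.2"]),
    "CVE-2026-20700": ("dyld", ["26.3"]),
}


def parse_version(v: str) -> tuple[int, ...]:
    """'18.7.2' -> (18, 7, 2); '18.6' -> (18, 6, 0), so tuples compare directly."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad iOS version: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(installed: str, fix_versions: list[str]) -> bool:
    """True if the installed build is at or past the fix on its own branch.

    A branch with no listed fix inherits fixes that shipped on an *earlier*
    major (26.0 already contains the iOS 18.6 WebKit fix), but an earlier
    branch never inherits a fix that only shipped on a later one.
    """
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fix_versions]
    same_branch = [f for f in fixes if f[0] == inst[0]]
    if same_branch:
        return inst >= min(same_branch)
    return any(f[0] < inst[0] for f in fixes)


def darksword_exposure(installed: str) -> dict[str, list[str]]:
    """Split the six CVEs into fixed / unfixed for one installed iOS version."""
    fixed: list[str] = []
    unfixed: list[str] = []
    for cve, (_component, fix_versions) in DARKSWORD_FIXES.items():
        (fixed if is_fixed(installed, fix_versions) else unfixed).append(cve)
    return {"fixed": fixed, "unfixed": unfixed}


if __name__ == "__main__":
    # Sample builds chosen to sit on either side of each fix.
    for v in ["18.5", "18.7.2", "18.7.3", "26.0", "26.3"]:
        r = darksword_exposure(v)
        print(f"iOS {v}: fixed={r['fixed']} unfixed={r['unfixed']}")
```

Run over an MDM or inventory export, this turns "is iOS 18 still affected?" into a per-device list: an iPhone on 18.7.2, for example, has the kernel bugs and the first WebKit bug fixed but still carries the two WebKit bugs fixed in 18.7.3, and the article records no 18.x fix for the dyld bug at all.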

Lookout researchers explained how the exploit chain operates once a victim visits a compromised page. The attack begins when Safari encounters a malicious iframe embedded in a webpage. DarkSword then escapes the WebContent sandbox and uses WebGPU to inject itself into a system process called mediaplaybackd. From that position it obtains kernel read and write access, modifies sandbox restrictions, and gains access to restricted sections of the device’s filesystem.

After gaining elevated privileges, the malware runs a main script coordinating several smaller components that collect sensitive data. These components gather files and credentials, temporarily store them on the device, and transmit the information to servers controlled by the attackers.

The attack requires no app installation and no interaction beyond loading the page: the exploit runs as soon as the malicious content is rendered. Security experts describe these browser-based intrusions as drive-by downloads, meaning a user only needs to open a malicious link or web page.

“You need only click on a link rather than make a download to their device in order for a hacker to gain access to their information,” said Damon McCoy, professor and co-director of the Center for Cyber Security at New York University.

Investigators discovered DarkSword embedded in several compromised websites. Some of these were legitimate Ukrainian websites, including online news outlets and a government agency website with a gov.ua address, indicating that a Ukrainian government server had been compromised.

In another case, researchers identified a malicious website disguised to resemble Snapchat, which targeted Saudi Arabian iPhone users.

Researchers traced the infrastructure used in some campaigns to domains associated with earlier malicious activity. One domain, cdncounter[.]net, shared technical characteristics with infrastructure linked to the threat actor UNC6748. Hidden iframes inserted into compromised Ukrainian websites fingerprinted visitors’ devices and selected the appropriate exploit chain depending on the version of iOS.
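For the operators of a site like the compromised Ukrainian outlets, the practical question is whether an injected, invisible iframe is sitting in their own pages. The script below is an added example written for this article, not code from Google, Lookout or iVerify: it parses a page with Python's standard-library HTML parser, flags iframes that are hidden by style, attribute or zero dimensions, and reports those whose source host is not one of the site's own. The sample page is constructed for the example; its injected iframe points at the domain named above (defanged there as cdncounter[.]net), and the site's own hostname is an assumption.

```python
"""Hunt for hidden third-party iframes injected into a site's own pages.

Added example for this article. Parses HTML with the standard library only;
the sample page and the site hostname are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate visible embed, one injected hidden
# iframe to a third-party host (the domain reported in the article), and one
# hidden same-origin widget that should not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Latest news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>Story text...</p>
<iframe src="https://cdncounter.net/stat.html"
        style="width: 0; height: 0; border: 0; display: none"></iframe>
<iframe src="/local/widget.html" width="0" height="0"></iframe>
</body></html>
"""


def _style_decls(style: str) -> dict[str, str]:
    """'width: 0; display:none' -> {'width': '0', 'display': 'none'}"""
    decls = {}
    for chunk in style.split(";"):
        if ":" in chunk:
            prop, value = chunk.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls


def looks_hidden(attrs: dict[str, str]) -> bool:
    """True if the iframe is invisible to the visitor by any common means."""
    if "hidden" in attrs:
        return True
    st = _style_decls(attrs.get("style", ""))
    zero = ("0", "0px")
    if st.get("display") == "none" or st.get("visibility") == "hidden":
        return True
    if st.get("opacity") == "0" or st.get("width") in zero or st.get("height") in zero:
        return True
    return attrs.get("width", "").strip() in zero or attrs.get("height", "").strip() in zero


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html: str, own_hosts: set[str]) -> list[dict[str, str]]:
    """Return hidden iframes whose src points at a host outside own_hosts.

    Relative or same-origin sources are left alone; the fingerprinting
    iframes described in the article loaded attacker-controlled hosts.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        if not looks_hidden(attrs):
            continue
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # "" for relative src
        if host and host not in own_hosts:
            findings.append({"src": src, "host": host,
                             "reason": "hidden iframe loading a third-party host"})
    return findings


if __name__ == "__main__":
    # The site's own hostname is assumed for the example.
    for f in find_suspicious_iframes(SAMPLE_HTML, {"example-news.ua"}):
        print(f"SUSPICIOUS: {f['src']} ({f['reason']})")
```

This is a coarse first pass: it will not see iframes that injected JavaScript builds after page load, so it belongs alongside a fetch of the page as a real browser renders it, and any hit should be compared against the Safe Browsing list and the indicators published by the researchers rather than judged on the hostname alone.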

According to Google researchers, DarkSword has been active since at least November 2025. Attacks have targeted iPhone users in Ukraine, China, Saudi Arabia, Turkey, and Malaysia. Researchers did not report attacks against American targets.

Multiple threat actors have used the tool. Google linked DarkSword to the group UNC6353, suspected Russian state-sponsored attackers who also used another iPhone exploit toolkit known as Coruna. Campaigns targeting users in Turkey and Malaysia involved customers of PARS Defense, a Turkish commercial surveillance vendor.

DarkSword collects extensive information from compromised devices. According to Lookout and iVerify, the spyware gathers passwords, encryption keys, photos, Wi-Fi passwords, browser history, text messages, call history, SIM card and cellular data, root location history, calendar data, notes, and Apple Health data. It also collects logs from iMessage, WhatsApp, and Telegram, along with details about installed apps, user accounts, and Safari browsing history.

iVerify described the malware as a surveillance tool capable of extracting many forms of device data. “DarkSword appears to be a surveillance and intelligence gathering tool, blanket pulling data including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data as well as health, notes and calendar databases, though it does also look for crypto wallets.”

Researchers also discovered that the malware searches for cryptocurrency wallet credentials, which suggests attackers could use the tool to steal digital assets in addition to collecting intelligence.

Unlike traditional spyware that installs persistent software, DarkSword operates through techniques similar to fileless malware commonly seen in Windows attacks. It hijacks legitimate operating system processes to retrieve data.

“Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they’re meant to be used,” Cole said. “And it leaves far fewer traces.”

The attack also does not persist. Because the malware operates through system processes and temporary scripts rather than installing anything, the infection disappears after the phone restarts. The exploit collects data within minutes of the compromise, so a reboot ends the running implant but does not recover what has already been exfiltrated, and an unpatched device can simply be reinfected the next time it loads a booby-trapped page.

Cole described the process as a “smash-and-grab” approach, where attackers quickly extract data immediately after gaining access.

DarkSword surfaced two weeks after researchers revealed another advanced iPhone exploit toolkit called Coruna. Coruna contains five exploit chains and 23 exploits, targeting iOS versions 13 through 17. Together, the two toolkits affect a large portion of unpatched devices.

iVerify researchers warned that hundreds of millions of devices running iOS versions from 13 to 18.6.2 may be exposed when both exploit chains are considered.

Justin Albrecht, who leads mobile threat intelligence at Lookout, described the flow of such tools into criminal networks.

“There’s now a verified pipeline of recent exploits that have ended up in the hands of potentially criminal entities with a financial focus,” Albrecht said.

Researchers investigating a campaign targeting Ukrainian websites discovered that the attackers left the entire DarkSword code available on the compromised sites. The files included English-language comments explaining the code and referencing the tool by name.

According to Matthias Frielingsdorf, iVerify cofounder and researcher, this mistake could make the exploit easy for others to copy.

“Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It’s as simple as that,” Frielingsdorf said. “It’s all nicely documented, also. It’s really too easy.”

The origin of DarkSword remains unknown. Researchers believe it was probably developed by a company that sells hacking techniques.

The suspicion comes partly from its connection to Coruna. TechCrunch reported that Coruna was created by Trenchant, a subsidiary of U.S. government contractor L3Harris, which develops hacking techniques for the U.S. government. A former Trenchant employee, Peter Williams, pleaded guilty last year to selling the company’s tools to a Russian broker firm called Operation Zero, which has since been sanctioned by the U.S. government.

Researchers have not identified evidence that DarkSword was developed by Trenchant or for the U.S. government. The same Russian hackers who purchased Coruna appear to have obtained DarkSword as well, which suggests the exploit may have been sold through Operation Zero or another exploit broker. Operation Zero did not respond to a request for comment.

Apple responded to the research by pointing to the security updates that patch the vulnerabilities used in both DarkSword and Coruna.

“Every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” an Apple spokesperson said in a statement.

Apple released updates addressing these vulnerabilities through iOS 26.3, though many of the flaws were fixed earlier. The company also released updates in March 2026 for iOS 15 and iOS 16, extending protection to older iPhones. Devices running iOS 13 or 14 must update to iOS 15 to receive protections against these attacks.

Apple spokesperson Sarah O’Rourke stated, “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices.”

Apple also advised users who cannot update their devices to enable Lockdown Mode, described as “an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.” Lockdown Mode narrows the browser attack surface (among other things, it disables just-in-time JavaScript compilation in Safari) but it is a mitigation, not a fix; the vulnerabilities remain on the device until it is updated.

Google added domains linked to DarkSword campaigns to its Safe Browsing service, which blocks access to malicious websites.

Researchers from iVerify and Lookout said their security applications can also detect DarkSword infections in the form they observed.

The appearance of DarkSword shortly after Coruna revealed a growing ecosystem for iPhone exploit tools. Investigators say these exploits once appeared only in targeted surveillance operations against journalists, activists, or political figures.

“People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn’t a concern for a normal citizen,” Albrecht said. “Now that we see iOS exploits being delivered through an unscrupulous broker, there’s a whole market here for this to get to cybercriminals.”

Cole described what he believes may be the attackers’ perspective when deploying these tools openly.

“If this one gets burned, I’ll just go get another one,” Cole said. “They know there’s more where this came from.”