Millions of iPhones Potentially Exposed to 'Darksword' Spyware via Ukrainian Sites

Cybersecurity researchers have uncovered a massive surveillance campaign utilizing a new iOS exploit dubbed "Darksword," marking the second major iPhone vulnerability discovered this month.

Additional reporting: Lookout, Inc. (San Francisco-based cybersecurity company); iVerify (mobile threat hunting company); Google.

A sophisticated new surveillance exploit dubbed "Darksword" has been discovered targeting Apple iPhones, potentially leaving hundreds of millions of devices vulnerable to data and cryptocurrency theft.

As first reported by Reuters, the malware was recently found embedded across dozens of Ukrainian websites. The coordinated discovery was made by researchers from Alphabet’s Google, mobile security firm iVerify, and the cybersecurity firm Lookout.

The Darksword malware specifically targets iPhones running iOS versions 18.4 through 18.6.2—versions that Apple released between March and August of 2025. While Apple has since patched the underlying vulnerabilities in subsequent updates, researchers estimate that between 220 million and 270 million iPhones globally are still running the outdated, exposed software.

A Flourishing Market for Commercial Spyware

The uncovering of Darksword marks the second time this month that researchers have identified a major iPhone exploit, following the March 3 revelation of another powerful spyware tool known as "Coruna." Notably, researchers discovered Darksword hosted on the exact same servers utilized by the suspected Russian operators behind Coruna.

According to Google's threat analysis, Darksword is not limited to a single actor. Multiple commercial surveillance vendors and state-linked hackers have deployed the malware in distinct campaigns targeting individuals in Ukraine, Saudi Arabia, Turkey, and Malaysia. Google specifically associated the Malaysian and Turkish campaigns with PARS Defense, a commercial surveillance vendor based in Turkey.

“There’s now a verified pipeline of recent exploits that have ended up in the hands of potentially criminal entities with a financial focus,” Justin Albrecht, a principal researcher at Lookout, told Reuters.

Sloppy Operational Security

While the exploits themselves are highly sophisticated—historically the domain of elite state-level intelligence agencies—the deployment of Darksword was surprisingly reckless.

Rocky Cole, co-founder and COO of iVerify, noted that the attackers made rudimentary operational security errors, deploying the tools in mass attacks rather than highly targeted, stealth operations. “The fact that they don’t care if it gets burned... says a lot about how much they value these tools,” Cole stated, suggesting that the ecosystem for acquiring such powerful exploits has become increasingly robust and accessible to a wider range of threat actors.

In response to the findings, an Apple spokesperson emphasized that the exploits target out-of-date software and urged all users to update their operating systems immediately. Apple also confirmed that the malicious domains identified by Google have been blacklisted by the Safari web browser's Safe Browsing feature to prevent further infections.

