Security researchers have recently discovered an attack called “DarkSword” that spreads malware to iPhones still on iOS 18.4 to 18.7.
On Wednesday, researchers from Google, Lookout, and iVerify warned about the attack, which uses a chain of multiple software vulnerabilities to remotely compromise vulnerable iPhones.
Google also says “multiple commercial surveillance vendors and suspected state-sponsored actors” have been using DarkSword since November to hit iPhone users based in Saudi Arabia, Turkey, Malaysia, and Ukraine.
The security researchers discovered DarkSword while investigating another iOS “exploit kit” called “Coruna,” which a US military contractor may have developed only for the tool to fall into the hands of cybercriminal groups. Disclosed earlier this month, Coruna can also hack iPhones, but only those on older versions running iOS 13 to 17.2.1.
One of the attackers found using Coruna was a suspected Russian hacking group called UNC6353. The mobile security provider Lookout has since uncovered new evidence that UNC6353 has also been using DarkSword to target Ukrainian users in an effort to steal sensitive information, including details about cryptocurrency wallets.
“Notably, DarkSword appears to take a ‘hit-and-run’ approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes followed by cleanup,” the company’s report added.
The security provider iVerify also says the attack works as a “1-click” exploit that can be hosted on a website to target vulnerable iPhones that visit through the Safari browser. However, UNC6353 appeared to only deliver the attack to iPhones with IP addresses based in Ukraine. To deliver the attack, the group tampered with two Ukrainian web domains, including a gov.ua domain, which will load malicious JavaScript to exploit the vulnerabilities. It doesn't appear that any interaction is required by the user outside of using Safari to visit the website.
The resulting attack will then install malware designed to identify wallet files from cryptocurrency applications. “The name DarkSword comes from the variable inside implant code that extracts WiFi passwords from the system: const TAG = 'DarkSword-WIFI-DUMP',” iVerify’s report added.
Google’s investigation also found that uses of DarkSword trace back to November 2025. At the time, a different hacking group was using the attack through a fake Snapchat site, but to hit users based in Saudi Arabia. Later, a Turkish surveillance vendor called PARS Defense also used the exploit in Turkey and later in Malaysia to deliver malware designed to create a backdoor.
According to Google, DarkSword can target iPhones on iOS 18.4 to 18.7, which first arrived in March 2025 and September, respectively. Apple has since transitioned to iOS 26. In total, the DarkSword attacks were observed using six different vulnerabilities to deploy three distinct malware strains, Google’s report adds.
Google says it reported the vulnerabilities to Apple late last year. “All vulnerabilities were patched with the release of iOS 26.3 (although most were patched prior),” Google’s report says. Versions iOS 18.7.3 and higher have also been patched against the threat.
Apple also told PCMag it issued an emergency software update last week to protect older devices that initially couldn't update to newer versions of iOS. Users running the latest versions of iOS 15 through iOS 26 are now all protected. In addition, Apple noted that DarkSword doesn't appear to work on iPhones that’ve enabled Lockdown Mode, which users can activate to prevent spyware threats at the cost of disabling certain features.
DarkSword underscores why it’s always a good idea to keep your devices updated with the latest software. The attack also raises concerns that sophisticated hacking tools, once considered exclusive to well-funded surveillance companies, are proliferating among cybercriminals and other hacking groups.
“The discoveries of DarkSword and previously Coruna demonstrate that there is a second-hand market for such exploits that enables groups with more limited resources and motives other than highly targeted espionage to acquire top-of-the-line exploits and deploy them against mobile device users,” Lookout says.
About Our Expert
Michael Kan
Senior Reporter

