Cybersecurity firms have discovered a powerful new spyware tool, dubbed “DarkSword,” capable of compromising hundreds of millions of iPhones that have not been updated to the latest software.
An investigation conducted by Google, in collaboration with cybersecurity firms Lookout and iVerify, has revealed that hackers—including suspected state-sponsored actors—are using the malware to extract sensitive data from devices running older versions of iOS.
Researchers have observed DarkSword attacks targeting iPhone users in Ukraine, China, Saudi Arabia, Turkey, and Malaysia. While no attacks have been reported on American targets, experts warn that the vulnerability is widespread.
“This is a pretty significant threat,” said Damon McCoy, a professor and co-director of the Center for Cyber Security at New York University. “There’s still probably quite a few people that are still running this outdated version of iOS, and those people are quite vulnerable.”
What is DarkSword?
According to researchers, DarkSword is an “exploit chain”—a sophisticated cyberattack that combines multiple software vulnerabilities to infiltrate a device. The Google Threat Intelligence Group reported that DarkSword “uses six different vulnerabilities to fully compromise a vulnerable iOS device.”
The attack typically begins when a user clicks on a malicious link through the Safari web browser. Described as a “hit-and-run” tactic, the exploit extracts information within seconds or minutes before cleaning up its tracks.
Once a device is compromised, the tool acts as a surveillance and intelligence-gathering instrument. iVerify stated that it can harvest a wide range of data, including Wi-Fi passwords, text messages, call history, location history, browser history, and even data from health and calendar apps. Researchers also noted that the malware specifically searches for cryptocurrency wallets.
Which iPhones Are at Risk?
iPhones operating on iOS versions 18.4 to 18.7 are considered potentially vulnerable to the DarkSword exploit. Security firm iVerify estimates that this includes approximately 270 million devices worldwide.
How to Protect Your Device
Apple has emphasized that updating to the latest software is the most critical step users can take to secure their devices. The vulnerabilities exploited by DarkSword have been patched with the release of iOS 26, with additional protections rolled out in iOS 26.3.
“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” said Apple spokesperson Sarah O’Rourke.
For users who cannot update their devices—particularly those running older models—Apple and Google recommend enabling “Lockdown Mode.” This feature provides an “optional, extreme protection” designed for individuals who may be targeted by sophisticated digital threats.
Google has also added domains linked to the DarkSword attacks to its Safe Browsing service to help prevent users from navigating to compromised websites.
