A sophisticated new iOS exploit chain known as DarkSword (sometimes styled Darksword) is raising alarms among iPhone users worldwide. Discovered and publicly detailed in mid-March 2026 by researchers from Google Threat Intelligence Group (GTIG), iVerify, and Lookout, this toolkit allows attackers to compromise vulnerable devices simply by visiting a malicious or compromised website — often with minimal or no further user interaction.
The threat follows closely on the heels of another powerful exploit kit called Coruna, which targeted much older iOS versions (13 through 17.2.1). Together, these developments highlight how advanced hacking tools are proliferating from commercial surveillance vendors and state-sponsored actors to a broader range of cybercriminals.
What Is DarkSword and How Does It Work?
DarkSword is a full-chain exploit that leverages six vulnerabilities in iOS, including several zero-days, to achieve kernel-level access on affected devices. It primarily targets iPhones running iOS 18.4 through 18.7 (with some reports noting effectiveness up to certain 18.7 sub-versions).
The attack vector is typically a watering-hole or compromised legitimate website. When a vulnerable iPhone loads the malicious page in Safari, the exploit chain triggers automatically or with a single interaction, bypassing many browser protections to gain deep system access.
Once inside, it deploys one of several malware payloads — including families dubbed GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER — that quickly extract sensitive data before cleaning up traces in a “hit-and-run” style operation. Stolen information can include:
- Saved passwords and credentials
- Text messages and call history
- Photos, notes, and health data
- Cryptocurrency wallet details
- Browser data and location information
Researchers have observed the toolkit in use since at least November 2025 against targets in countries including Ukraine, Saudi Arabia, Turkey, and Malaysia. It has been employed by suspected Russian espionage groups (such as UNC6353, which also used Coruna), commercial spyware vendors, and financially motivated actors.
Unlike traditional malware that requires downloading an app, DarkSword operates through the browser, making it particularly insidious. While some headlines sensationalize it as fully “zero-click” or “without any interaction,” real-world delivery often involves visiting an infected site, which can feel seamless to unaware users.
Connection to Coruna and the Bigger Picture
DarkSword mirrors the earlier Coruna exploit kit, which packed up to 23 vulnerabilities across five full chains and affected far older devices. Coruna similarly spread via compromised websites and was linked to both nation-state espionage and cryptocurrency theft campaigns.
The rapid emergence of these tools demonstrates a troubling trend: sophisticated iOS exploits developed for high-value surveillance are leaking or being repurposed into mass-exploitation kits available to a wider array of threat actors. This shift moves beyond highly targeted attacks (like those using Pegasus) toward broader campaigns that can ensnare hundreds of millions of devices still running outdated software.
Who Is at Risk?
The exploits do not affect the latest versions of iOS. DarkSword is ineffective on fully updated devices running iOS 26.3 or newer (and corresponding patches for the iOS 18 branch). Apple has patched the underlying vulnerabilities through releases including iOS 26.3 and earlier security updates in 2025–2026.
Risk remains high for anyone still on iOS 18.4–18.7, which accounted for a significant portion of active devices in early 2026. Older hardware that cannot upgrade to iOS 26 has also received targeted security patches from Apple to address these threats.
What You Should Do Immediately
Apple and the researchers strongly recommend the following steps:
- Update your iPhone right away — Go to Settings > General > Software Update and install the latest available version (iOS 26.3.1 or newer as of March 2026, or the most recent security patch for your device). Many of the vulnerabilities were fixed progressively, but running the newest release provides the most comprehensive protection.
- Enable Lockdown Mode if you are a high-risk user (journalists, activists, or anyone concerned about targeted surveillance). This feature, found in Settings > Privacy & Security > Lockdown Mode, restricts risky functionalities that these exploits rely on.
- Practice safe browsing — Avoid clicking suspicious links and be cautious on public Wi-Fi. Consider using a reputable VPN for added protection, though it does not replace keeping your OS updated.
- Monitor for signs of compromise — Unusual battery drain, overheating, unexpected data usage, or unfamiliar processes may warrant further investigation. Security apps from firms like iVerify or Lookout can help detect indicators of these specific threats in some cases.
- For very old devices — If your iPhone cannot run the latest iOS, install any available security updates (such as those released for iOS 15 and 16 branches addressing Coruna).
Apple has emphasized that these tools only work on outdated software and has urged all users to stay current. The company routinely patches vulnerabilities reported by researchers like Google’s team.
Final Thoughts
While headlines about “no-click” data theft can sound alarming, the core message is straightforward and empowering: keeping your iPhone updated is the most effective defense. iOS remains one of the more secure mobile platforms thanks to Apple’s rapid response to threats like DarkSword and Coruna, but unpatched devices are increasingly attractive targets as exploits proliferate.
Check your software version today and update if needed. Staying vigilant with basic security hygiene will protect your personal data from these and future campaigns. For the latest official guidance, visit Apple’s security update pages or support resources.
About The Author
