DarkSword Vulnerability Exposes Millions of iPhone Users to Security Threats
A newly disclosed iPhone exploit chain called DarkSword has been actively used by Russian-linked hackers and commercial surveillance vendors to silently steal data from devices running iOS 18.
Security researchers at Google’s Threat Intelligence Group and others disclosed on March 18 a sophisticated iPhone exploit chain called DarkSword, which has been actively deployed by Russian state-linked hackers and commercial surveillance vendors against users across four countries.
As first reported by Wired, the exploit chain targets vulnerabilities in iOS 18, a version still running on roughly a quarter of all active iPhones worldwide.
The exploit requires no app installation and no user interaction beyond visiting a compromised website, making it one of the most operationally dangerous iOS threats disclosed in recent years.
DarkSword iOS Exploit Chain: How the Attack Works
DarkSword is a full-chain exploit that strings together six distinct vulnerabilities in iOS, four of which were zero-days at the time of deployment, to achieve complete device compromise entirely through JavaScript, according to a blog post from Google’s Threat Intelligence Group (GTIG).
The attack starts when an iPhone user visits a compromised website in Safari. A hidden file on the page silently runs JavaScript code that exploits a flaw in JavaScriptCore, Apple’s web rendering engine, giving the attacker initial access. The exploit then moves through multiple layers of Safari’s security protections to gain full control over the device’s core system functions.
Once active, the exploit installs three backdoors, GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, which can collect messages, location history, account passwords, cryptocurrency wallet information, photos, and recordings.
As XDA Developers reported, the stolen data is sent to attacker-controlled servers using a special encrypted protocol based on ECDH and AES, which helps hide the data transfer and makes it hard to detect.
Unlike traditional spyware, DarkSword does not persist on the device; a simple reboot clears the infection, though by then the damage may already be done.
Russian Hackers, Turkish Vendors, and a Growing Exploit Market
Researchers first detected DarkSword being used by hackers in November 2025. A Russian state-sponsored hacking group embedded the exploit chain in several legitimate Ukrainian websites, infecting iOS 18 users who visited them.
According to The Hacker News, Google attributed this campaign to a group tracked as UNC6353, a suspected Russian espionage actor. The activity continued through March 2026 in watering hole attacks, deploying the GHOSTBLADE malware to exfiltrate data from compromised targets.
The exploit was not limited to one actor. In late November 2025, Google’s Threat Intelligence Group observed Turkish surveillance vendor PARS Defense using DarkSword against Turkish iOS users, and in January 2026, a separate PARS Defense customer targeted victims in Malaysia.
According to The Verge, in a significant operational security failure, the Russian hackers left the complete, uncommented DarkSword code openly accessible on compromised sites, with English‑language notes explaining each component and even the tool’s name.
The vulnerable iPhone versions include iOS 18.4 through 18.6.2, widely deployed during 2025, while newer patched devices are protected. Tom’s Guide reported that over 220 million iPhones could remain exposed if users do not update, highlighting the large scale of the risk.
Researchers, Apple, and Industry Sound the Alarm
Cybersecurity researchers have raised alarms about DarkSword, a sophisticated iPhone exploit actively used in real-world attacks.
SiliconAngle quotes security analyst Steve Cobb, who said the exploit highlights how mobile devices have become primary targets for sensitive data exfiltration, especially as business-critical workflows consolidate onto phones.
Reports from AppleInsider note that Apple has patched the vulnerabilities and blocked malicious domains, but many devices remain exposed because users have not installed the latest iOS updates.
Reuters reports that DarkSword attacks in Ukraine, Saudi Arabia, Turkey, and Malaysia involve suspected state-backed actors and commercial vendors, with analysts warning that the exposed code could be reused, threatening millions of iPhones globally.
The iOS Safety Consequences
DarkSword’s emergence reflects a pattern where iPhone exploits move quickly between operators, each using different infrastructure and delivery methods, but the same core path.
Tom’s Guide noted iVerify research shows only iOS 18.7.6 and iOS 26.3 and above are safe, leaving some earlier iOS 26 versions exploitable.
For enterprises, risks extend beyond devices. Lookout research shows DarkSword can extract sensitive data and credentials, potentially enabling access to SaaS platforms, cloud systems, and partner networks. The report added that DarkSword and Coruna show signs of development assisted by a large language model, lowering barriers to advanced iOS exploits.
What’s Next For iPhone Users
Apple has confirmed all six DarkSword vulnerabilities are patched in iOS 26.3.1 and iOS 18.7.6; users should update immediately via their iPhone’s settings. For devices that cannot upgrade, AppleInsider reported that Apple has previously backported security fixes to older hardware, though no official confirmation for DarkSword has been made yet.
Apple’s Lockdown Mode, available in iOS Settings, has been reported to block the DarkSword exploit chain entirely. Security researchers recommend it as the primary safeguard for users at elevated risk of targeted attacks.
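For teams managing a fleet, the version guidance above can be turned into a triage pass over a device inventory. The following is an added example, not code from Apple, Google, or any of the cited reports; the CSV column names and device IDs are constructed, and the thresholds are the ones quoted in this article.

```python
import csv
import io

# Version thresholds as stated in the article.
EXPLOITED_LOW, EXPLOITED_HIGH = (18, 4, 0), (18, 6, 2)  # range reported as vulnerable
FIXED_18 = (18, 7, 6)         # Apple-confirmed fix on the iOS 18 branch
FIXED_26 = (26, 3, 1)         # Apple-confirmed fix on the iOS 26 branch
IVERIFY_SAFE_26 = (26, 3, 0)  # iVerify figure quoted by Tom's Guide

# Constructed sample inventory; column names are hypothetical.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
ipn-001,18.5,no
ipn-002,18.7.6,no
ipn-003,26.3,no
ipn-004,18.6.2,yes
ipn-005,26.3.1,no
ipn-006,17.7,no
ipn-007,n/a,no
"""

def parse_version(text):
    """Turn '18.6' or '26.3.1' into a 3-tuple of ints; raise ValueError on junk."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable versions need manual review
    if EXPLOITED_LOW <= v <= EXPLOITED_HIGH:
        return "exposed"
    if (v[0] == 18 and v >= FIXED_18) or v >= FIXED_26:
        return "patched"
    if IVERIFY_SAFE_26 <= v < FIXED_26:
        return "update-recommended"  # iVerify-safe, below Apple's stated fix
    return "update-required"  # not on either safe list

def triage(csv_text):
    """Return {status: [device_id, ...]}; exposed devices without Lockdown Mode are split out."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["os_version"])
        if status == "exposed" and row["lockdown_mode"].strip().lower() != "yes":
            status = "exposed-no-lockdown"
        report.setdefault(status, []).append(row["device_id"])
    return report
```

Calling triage(SAMPLE_INVENTORY) groups the device IDs by status; devices in the exposed-no-lockdown group are the ones to update or move to Lockdown Mode first.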



