
A newly uncovered iPhone exploitation method known as DarkSword highlights a shift in how advanced mobile attacks are being deployed. Once reserved for highly targeted surveillance, these techniques are now being used more broadly, reaching large numbers of unsuspecting users through compromised websites and malicious links.
DarkSword is an exploit chain that combines multiple vulnerabilities in iOS and Safari to gain control of a device. It primarily affects iPhones running iOS 18.4 through 18.7. Unlike traditional attacks that require user interaction such as downloading an app, this method can infect a device when the user simply visits a malicious or compromised website. This type of “drive-by” attack is especially dangerous because users may not realize anything is wrong.
Security researchers from Google, iVerify, and Lookout have observed DarkSword being used by a range of actors, including state-backed groups and commercial surveillance vendors. Campaigns have been identified in countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine. In some cases, attackers created fake websites—such as a Snapchat-themed platform—to lure victims. In others, legitimate websites, including news outlets and government pages, were quietly altered to deliver the exploit.
Once a device is compromised, attackers deploy malware such as Ghostblade, a JavaScript-based data stealer. This malware is capable of extracting a wide array of sensitive information. It can access messages from iMessage, WhatsApp, and Telegram; retrieve photos, contacts, and emails; and collect browsing history, notes, and calendar entries. It also targets financial data, including cryptocurrency wallet credentials and information from exchange apps like Coinbase or Binance.
One of the more concerning aspects of this malware is its “smash-and-grab” approach. Instead of maintaining long-term access to the device, it quickly gathers as much data as possible and then removes itself. This fileless technique leaves minimal traces, making detection difficult and allowing many victims to remain unaware of the breach.
Another factor contributing to the spread of DarkSword is how easily it can be reused. Researchers found that parts of the exploit code were left exposed on infected websites, complete with comments explaining how it works. This lowers the barrier for other attackers, who can adapt and deploy the tool with little effort. As a result, the exploit has already appeared across multiple campaigns and is likely to spread further.
The emergence of DarkSword follows closely behind another exploit toolkit known as Coruna, suggesting a growing marketplace for advanced hacking tools. These tools, once tightly controlled, are increasingly being sold or shared among different groups, including cybercriminals. This trend raises concerns about wider access to powerful exploits and their use beyond traditional espionage.
Despite the risks, there are effective ways for users to protect themselves. The most important step is keeping devices updated. Apple has released patches addressing the vulnerabilities used by DarkSword, and users running the latest versions of iOS are not affected. Enabling Lockdown Mode can provide additional protection, especially for individuals who may be at higher risk, such as journalists or activists.
Other precautions include avoiding suspicious links, using multi-factor authentication, and limiting the amount of sensitive data stored on mobile devices. Security tools and content blockers can also help reduce exposure to malicious websites, though they are not foolproof against advanced exploits.
DarkSword illustrates how mobile threats are evolving. As these tools become more accessible, everyday users are increasingly within reach of attacks that were once reserved for a select few.