A sophisticated new iPhone spyware campaign dubbed DarkSword is sweeping across the web, silently raiding devices when users simply visit a booby-trapped page. Researchers at Google’s Threat Analysis Group, alongside security firms Lookout and iVerify, say the drive‑by attacks chain multiple iOS vulnerabilities to steal troves of data without installing an app or requiring a tap beyond loading the site.
The tooling targets iOS 18.4 through 18.7, according to the teams analyzing the exploits. Apple’s own developer adoption figures indicate roughly 25% of active iPhones are on some iteration of iOS 18, a data point highlighted by reporting from Wired—putting hundreds of millions of devices in the potential blast radius.
- How DarkSword Works: A stealthy iOS drive‑by attack
- Who Is Being Targeted by the DarkSword iPhone campaign
- DarkSword’s scale and exposure across vulnerable iPhones
- What Apple and researchers say about DarkSword fixes
- What iPhone users should do now to reduce DarkSword risk
- Why this matters for iPhone security and mobile defense
How DarkSword Works: A stealthy iOS drive‑by attack
DarkSword operates as a classic watering‑hole attack: adversaries seed or compromise websites likely to attract specific targets, then use an exploit chain—almost certainly centered on the browser engine powering every iOS browser—to seize control. Visiting the page is enough for the spyware to begin harvesting data.
Unlike long‑term surveillance implants, DarkSword behaves like a smash‑and‑grab tool. Lookout’s analysis notes that once the malware finishes exfiltrating the data it wants, it removes its working files and exits. Dwell time is measured in minutes, not months, dramatically reducing forensic traces and making victim notification and attribution harder.
The scope of what can be siphoned is unusually broad. Investigators say DarkSword can access call logs, contacts, calendars, notes, photos and screenshots, precise location history, browsing history, and device identifiers. Critically, it can pull items from the device keychain, SIM and Wi‑Fi details, iCloud‑related content, and data from popular messaging apps including iMessage, WhatsApp, and Telegram—as well as credentials for cryptocurrency wallets.
Who Is Being Targeted by the DarkSword iPhone campaign
Early activity traced by Google indicates broad, geographically diverse operations. One November campaign targeted users in Saudi Arabia via a Snapchat‑themed lure called “Snapshare” that quietly infected devices while forwarding visitors to the real Snapchat site to mask the compromise.
More recent incidents leveraged compromised Ukrainian news outlets and official government websites to reach iPhone users inside the country. Google attributes these to a cluster it tracks as UNC6353, a group with suspected ties to Russian state interests. The same actor is believed to be linked to a prior iOS exploit kit known as Coruna, which went after devices on iOS 13 through 17—suggesting a sustained, evolving capability rather than a one‑off breakthrough.
DarkSword’s scale and exposure across vulnerable iPhones
The frictionless nature of DarkSword’s delivery is what elevates the risk. No prompts, profiles, or app installs are required; a single visit to a compromised page is enough. Because all iOS browsers rely on the same underlying engine, any in‑the‑wild WebKit bugs can have universal impact until patched. Short‑lived, file‑light execution also sidesteps many traditional indicators that defenders rely on.
Compounding the concern, researchers say operators have not tried especially hard to conceal their tooling—leaving enough recoverable code artifacts that others could potentially copy or repurpose it. That brazenness suggests a growing market for iOS exploit chains and confidence among well‑resourced actors that new variants will follow even after patches land.
What Apple and researchers say about DarkSword fixes
Google’s TAG, Lookout, and iVerify have shared technical details, indicators, and targeting patterns with Apple and relevant CERT teams to aid remediation. As is typical with browser‑based attacks, fixes are expected to arrive via iOS and WebKit security updates. Historically, Apple has moved quickly with Rapid Security Responses when active exploitation is confirmed.
What iPhone users should do now to reduce DarkSword risk
- Update immediately to the latest iOS release and enable both Automatic Updates and Rapid Security Responses. These patches generally close the underlying browser and kernel bugs that make drive‑by attacks possible.
- Consider turning on Lockdown Mode if you are at elevated risk or likely to be targeted via watering‑hole sites; it reduces attack surface in Safari and messaging. Rotate passwords for any accounts used on the device, enable strong multi‑factor authentication, and review your iCloud sessions and security settings. Clearing Safari website data can also cut off lingering session artifacts.
- Be skeptical of unsolicited links sent via social apps, SMS, or email, and favor navigating directly to trusted news and government portals rather than following embedded links. While private browsing is helpful, it does not neutralize an exploit chain; only patches do.
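For an administrator who manages a fleet rather than a single handset, the first of these steps turns into an inventory question: which devices sit on the iOS 18.4–18.7 builds the researchers describe, and which of those have Lockdown Mode on. The script below is an added example, not code from the article or from Google, Lookout, or iVerify; it assumes the affected range is exactly 18.4 through 18.7 inclusive as the article states, treats patch-level builds such as 18.7.1 as inside that range because the article gives no finer granularity, and runs over a constructed sample inventory in the shape an MDM export might produce.

```python
"""Fleet exposure check against the iOS range the article reports.

Added example, not from the article or the vendors it cites.
Assumptions: affected range is iOS 18.4 through 18.7 inclusive
(major.minor, patch level ignored); the inventory below is
constructed sample data, not a real MDM export.
"""
from dataclasses import dataclass
from typing import Iterable

# Inclusive major.minor bounds taken from the article (assumption: the
# patch component is ignored, so 18.7.1 counts as inside the range).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.6.2' or 'iOS 18.6.2' into (18, 6, 2); reject anything else."""
    text = text.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True when major.minor falls within AFFECTED_MIN..AFFECTED_MAX inclusive."""
    v = parse_version(version)
    major_minor = (v[0], v[1] if len(v) > 1 else 0)
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


@dataclass
class Device:
    name: str
    os_version: str
    lockdown_mode: bool


def triage(devices: Iterable[Device]) -> dict[str, list[str]]:
    """Bucket devices by exposure.

    exposed          - in the affected range, Lockdown Mode off (patch first)
    exposed_lockdown - in range, Lockdown Mode on (reduced surface, still patch)
    outside_range    - not in the 18.4-18.7 band (may still need other updates)
    unknown          - version string could not be parsed; inspect manually
    """
    buckets: dict[str, list[str]] = {
        "exposed": [], "exposed_lockdown": [], "outside_range": [], "unknown": [],
    }
    for d in devices:
        try:
            affected = in_affected_range(d.os_version)
        except ValueError:
            buckets["unknown"].append(d.name)
            continue
        if not affected:
            buckets["outside_range"].append(d.name)
        elif d.lockdown_mode:
            buckets["exposed_lockdown"].append(d.name)
        else:
            buckets["exposed"].append(d.name)
    return buckets


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("exec-01", "18.6.2", lockdown_mode=False),
    Device("exec-02", "iOS 18.5", lockdown_mode=True),
    Device("field-07", "18.3.1", lockdown_mode=False),
    Device("field-09", "26.1", lockdown_mode=False),
    Device("lab-03", "beta", lockdown_mode=False),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:17s} {', '.join(names) or '-'}")
```

The ordering of the buckets is the remediation order: devices listed under `exposed` get the iOS update and an Automatic Updates check first, `exposed_lockdown` devices are still updated but can be scheduled behind them, and anything under `unknown` is a data-quality problem in the inventory that should be resolved before the next report rather than silently dropped.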
Why this matters for iPhone security and mobile defense
DarkSword underscores a sobering reality: top‑tier iOS exploit chains are no longer the exclusive domain of boutique surveillance vendors. The combination of high‑reach watering holes, rapid in‑memory data theft, and willingness to leave code behind points to an ecosystem where copycats can emerge quickly. For consumers, the best defense remains swift patching. For enterprises and governments, it is a reminder to treat mobile browsers as critical infrastructure—not just an app—and to invest in telemetry, user education, and rapid response plans tailored to the mobile threat surface.