You would expect a tool capable of silently breaking into hundreds of millions of iPhones to be locked away behind layers of encryption, traded in whispers on dark corners of the internet.
Instead, security researchers found it sitting openly on compromised Ukrainian websites, fully annotated, logically organized, and so neatly documented that, as one researcher put it, stealing the whole thing and pointing it at someone else’s server would take little more than a copy and paste.
The exploit kit, which researchers have named DarkSword, was discovered jointly by cybersecurity firm iVerify, mobile security company Lookout, and Google’s Threat Intelligence Group (GTIG). Their coordinated findings, published Wednesday, reveal a powerful iPhone attack framework that has already been deployed by multiple hacking groups across four countries and that remains a live threat to a large portion of iPhone users still running older versions of iOS.
A watering hole, not a sniper shot
Unlike the kind of precision hacking seen in targeted espionage operations, where a specific journalist or dissident gets a malicious link sent directly to their phone, DarkSword works as what researchers call a “watering hole” attack. The hackers compromise websites that their intended victims are already visiting, then sit back and wait for the targets to come to them.
In Ukraine, two such websites were found hosting the attack code: novosti[.]dn[.]ua, the website of the independent News of Donbas outlet, and 7aac[.]gov[.]ua, the official site of Ukraine’s Seventh Administrative Court of Appeals. Visitors to those sites on an unpatched iPhone running iOS 18.4 through 18.6.2 would have had their device silently compromised the moment the page loaded.
What it steals and what it doesn’t leave behind
Once DarkSword lands on a device, it doesn’t install itself in the traditional sense.
There is no new app, no rogue file quietly copying itself to your storage. Instead, it hijacks existing iOS system processes and uses them to do its dirty work. Researchers describe this as a fileless technique more commonly seen targeting Windows computers, and it is considerably harder to detect than conventional spyware.
Within minutes of infection, the tool siphons off a broad haul of sensitive data: passwords stored in iCloud Keychain, messages from iMessage, WhatsApp, and Telegram, browser history, photos, calendar entries, notes, health data, and email contents.
It also specifically targets cryptocurrency wallets, scanning for apps like Coinbase, Binance, Kraken, MetaMask, Ledger, and Exodus, a detail that hints at financial motivation running alongside espionage goals.
Then it cleans up after itself. Crash logs are deleted, temporary files are erased, and the process exits. Reboot your phone, and DarkSword is gone, but so is your data.
From espionage tool to widespread threat
Researchers say DarkSword is no longer limited to a single group. The exploit has been observed in campaigns linked to suspected Russian actors, as well as other operations targeting users across different regions.
According to findings from the Google Threat Intelligence Group, the same tool has appeared in attacks across Ukraine, Saudi Arabia, Turkey, and Malaysia. This spread suggests the exploit is being shared or sold, rather than kept tightly controlled.
Experts believe this reflects a growing underground market where advanced hacking tools are traded and reused, making powerful capabilities more accessible than before.
Why this is a wake-up call
For years, high-end iPhone hacks were thought to be the exclusive tools of elite nation-states used against a handful of people. DarkSword proves that these zero-day exploits are now being sold on a secondary market to less sophisticated groups who are using them indiscriminately against the general public.
The code itself was found to be surprisingly “sloppy” in its deployment. The hackers left full, unencrypted versions of the code on public servers, including comments in the code that literally named the tool. One such comment found in the implant code used to steal Wi-Fi passwords read:
“const TAG = 'DarkSword-WIFI-DUMP';”
This lack of care suggests that these powerful tools are becoming easier and cheaper for criminals to acquire.
While Apple has already released patches in newer versions like iOS 26 and iOS 18.7.6, a huge portion of the world’s iPhone users haven’t updated yet. Estimates suggest that between 14.2% and 17.3% of all iPhones, roughly 221 million to 270 million devices, are currently vulnerable to this exploit chain.
An Apple spokesperson told WIRED that “every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” adding that “keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices.”
Immediate steps to protect yourself
- Update: Ensure you are running iOS 26.3.1 or iOS 18.7.6.
- Lockdown mode: If you are a high-risk target (like a journalist or activist), enabling “Lockdown Mode” in your settings provides a massive shield against these types of web-based attacks.
- Reboot: Since the malware is fileless, a simple restart will clear an active infection, though it won’t prevent you from being re-infected if you visit a compromised site again without updating.