DarkSword Spyware Threat: Millions of iPhone Users Potentially Exposed

New DarkSword spyware threatens millions of iPhone users worldwide, exploiting outdated iOS versions to silently steal sensitive personal and device data.

A newly identified spyware known as DarkSword has raised serious concerns among global cybersecurity experts, with millions of Apple iPhone users potentially at risk. Security researchers warn that the malware is capable of silently infiltrating vulnerable devices and extracting sensitive personal data without any visible signs.

The threat was jointly examined by cybersecurity firms Lookout and iVerify, along with Google. Their findings suggest that DarkSword is a highly sophisticated spyware strain, designed to exploit weaknesses in specific iOS versions and operate undetected.

According to the researchers, DarkSword has been discovered embedded within several legitimate Ukrainian websites, including at least one with a “.gov.ua” domain. This raises alarms about potential breaches in government-linked infrastructure. However, experts caution that the threat is unlikely to be limited to Ukraine alone.

The spyware specifically targets devices running iOS versions between 18.4 and 18.6.2, using what researchers described as “elegant techniques never publicly seen before.” Once a user visits an infected website, the malware can instantly compromise the device. It can then access a wide range of personal data, including Wi-Fi credentials, messages, call logs, browser activity, and even detailed location history.

Further investigations by Google revealed that DarkSword has been deployed in multiple campaigns across countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine. Some of these operations have been linked to commercial surveillance entities, including Turkey-based firm PARS Defense, suggesting a broader and more organised use of the spyware.

Researchers have also noted similarities between DarkSword and another spyware called Coruna, which was identified earlier in March 2026. Both appear to share hosting infrastructure, pointing towards a potentially connected threat network. Security firm iVerify indicated that the underlying infrastructure may be linked to a Russia-based threat actor, although definitive attribution remains unclear.

Despite Apple releasing multiple security patches since these vulnerabilities were discovered, a large number of users may still be exposed. Estimates suggest that between 220 million and 270 million iPhones continue to operate on outdated software, leaving them open to exploitation.

Addressing the issue, an Apple spokesperson told Reuters, “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices.” The company also confirmed that its Safe Browsing feature in Safari actively blocks malicious domains identified by Google, offering an additional layer of protection.
