Darksword Spyware Exposes Hundreds of Millions of iPhones to Data Theft
Security experts have issued a stark warning about a new spyware threat dubbed Darksword, which poses a severe risk to hundreds of millions of iPhones worldwide. This malicious software exploits vulnerabilities in Apple's iOS, allowing hackers to infiltrate devices and steal sensitive information, including personal data and cryptocurrency wallet details.
How Darksword Operates and Its Discovery
The spyware is delivered through malicious links hosted on dozens of websites, primarily targeting users in Ukraine. Researchers from cybersecurity firms Lookout and iVerify and from Alphabet's Google coordinated their analyses of Darksword, revealing that it affects iPhones running iOS versions 18.4 to 18.6.2, released between March and August 2025. This marks the second major iOS exploit uncovered this month, following the earlier discovery of Coruna spyware, indicating a growing market for sophisticated malware.
Justin Albrecht, principal researcher at Lookout, highlighted the trend, stating, "There's now a verified pipeline of recent exploits that have ended up in the hands of potentially criminal entities with a financial focus." The malware has been linked to commercial vendors and suspected state-backed hackers, with campaigns observed in Saudi Arabia, Turkey, Malaysia, and Ukraine. Notably, Turkish commercial surveillance vendor PARS Defense was associated with activities in Malaysia and Turkey, though the company has not commented on the allegations.
Vulnerability Scope and User Risks
It remains unclear exactly how many iPhones are vulnerable, but estimates from iVerify and Lookout suggest between 220 million and 270 million devices still run exposed iOS versions. This high number is partly due to many users failing to install critical updates. Apple has addressed the underlying bugs in multiple fixes, but the persistence of outdated software leaves millions at risk.
An Apple spokesperson emphasized, "Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices." Additionally, Apple has blocked all malicious domains identified by Google through its Safe Browsing feature in Safari to prevent further exploitation.
Implications for Cybersecurity and State-Level Threats
The discovery of Darksword and Coruna this month points to a robust ecosystem for advanced hacking tools, previously limited to state-level intelligence operations. Rocky Cole, co-founder and COO of iVerify, noted, "The fact that they don't care if it gets burned, and that they're using them in mass attacks with poor operational security, says a lot about how much they value these tools." Researchers attributed the vulnerabilities to sloppy security mistakes uncommon in state-linked hacking, suggesting a shift towards more widespread, financially motivated attacks.
Darksword was found on internet servers also used by suspected Russian operators of Coruna, linking the two exploits and underscoring the interconnected nature of modern cyber threats. As the digital landscape evolves, this incident highlights the urgent need for heightened vigilance and proactive security measures among iPhone users globally.



