Darksword Spyware Threatens Millions of iPhones in Global Cyber Campaign

Security researchers have uncovered a sophisticated new spyware threat named Darksword that poses a significant risk to millions of Apple iPhones globally. This malicious software is designed to infiltrate devices and steal sensitive data, including cryptocurrency wallet information, marking a concerning escalation in cyber threats targeting mobile users.

Coordinated Discovery of the Darksword Threat

On Wednesday, March 18, 2026, cybersecurity firms Lookout, iVerify, and Alphabet's Google published coordinated analyses revealing the Darksword malware. This discovery comes just weeks after researchers identified another powerful iPhone spyware called Coruna earlier in March, indicating a troubling trend in the proliferation of advanced hacking tools.

Justin Albrecht, principal researcher with Lookout, emphasized the gravity of the situation, stating: "There's now a verified pipeline of recent exploits that have ended up in the hands of potentially criminal entities with a financial focus." This highlights how sophisticated malware previously associated with state-level intelligence operations is now becoming more accessible to financially motivated actors.

Global Campaigns and Vulnerable Devices

Google researchers observed multiple campaigns using Darksword against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The campaigns in Malaysia and Turkey were specifically linked to Turkish commercial surveillance vendor PARS Defense, though the company did not respond to requests for comment regarding these allegations.

According to iVerify and Lookout, the malware was delivered to iPhone users running iOS versions 18.4 to 18.6.2 who visited compromised Ukrainian websites. These iOS versions were released by Apple between March and August 2025, creating a substantial window of vulnerability for devices that haven't been updated.

Rocky Cole, co-founder and COO of iVerify, noted: "The discovery of two distinct powerful iOS exploits this month suggests a robust ecosystem for tools that were previously limited primarily to state-level intelligence operations." This shift represents a significant evolution in the cyber threat landscape.

The Scale of the Vulnerability

While the exact number of vulnerable iPhones remains unclear, researchers estimate that between 220 million and 270 million devices still run exposed iOS versions. This staggering figure is based on public estimates and reflects the persistent challenge of encouraging users to install security updates regularly.

An Apple spokesperson addressed the issue, stating: "Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices." The company confirmed that the exploits targeted "out-of-date software" and that underlying vulnerabilities have been addressed across multiple updates over recent years for users running the latest operating system versions.

Security Measures and Ongoing Risks

Apple has implemented protective measures, with all malicious domains identified by Google now blocked by Apple Safe Browsing in the Safari web browser to prevent further exploitation. However, the fundamental problem persists: many iPhone users delay or avoid installing critical security updates, leaving their devices exposed to sophisticated attacks like Darksword.

Researchers made an important observation about the nature of these attacks. They discovered the vulnerabilities because of security mistakes of a kind not typically associated with state-linked iPhone hacking operations. Mr. Cole explained: "The fact that they don't care if it gets burned, and that they're using them in mass attacks with poor operational security, that says a lot about how much they value these tools. They're not overly precious about them being exposed."

Darksword was also found on the same internet servers used by the suspected Russian operators of the Coruna spyware, according to findings from iVerify and Lookout. This connection suggests potential overlaps in infrastructure or operational relationships between different cyber threat actors.

The emergence of Darksword represents more than just another security vulnerability; it signals a maturation of the commercial spyware market and a broadening of access to sophisticated hacking tools. As financial motivations increasingly drive cyber attacks, the need for vigilant security practices and regular software updates becomes ever more critical for iPhone users worldwide.