Researchers have uncovered a highly sophisticated cyberattack chain named DarkSword, targeting iPhone users.
Affects Users on iOS 18.4 to 18.6.2
Discovered by Lookout Threat Labs, DarkSword targets devices running iOS versions 18.4 through 18.6.2. One of the most striking aspects of the attack is its use of a "hit-and-run" technique. This method allows the malware to seize sensitive data from the device within minutes, then erase itself without a trace, making detection difficult. Stolen data includes user credentials, content from messaging apps, emails, iCloud data, and cryptocurrency wallets.
The research was conducted in collaboration with Google and iVerify. According to the investigation, DarkSword has been actively used since at least November 2025. A notable aspect of the attack is its adoption by various threat actors rather than a single group. Google has identified that both commercial spyware vendors and groups believed to be state-sponsored are utilizing this exploit chain. Target countries include Turkey, Saudi Arabia, Malaysia, and Ukraine.
The attack typically begins when users visit a malicious website. Technically, DarkSword is reported to bypass iOS's sandbox protection by exploiting vulnerabilities in Safari and WebGPU components. This allows attackers to execute code with elevated privileges on the device, gaining extensive access to both personal and corporate data. The malware targets a broad range of data, from SMS and iMessage content to WhatsApp and Telegram conversations, Wi-Fi passwords, and location history.
Apple is said to have patched the security vulnerabilities exploited by DarkSword in its latest iOS versions. Therefore, Lookout advises organizations and users to update their devices to at least iOS 18.7.3 or iOS 26.3.
0 Comments: