Up to 270 million iPhones worldwide remain vulnerable to a sophisticated hacking tool deployed by Russian state-sponsored actors, marking a significant escalation in mobile espionage campaigns that blur the line between state surveillance and financially motivated cybercrime.

"A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website," said Rocky Cole, cofounder and COO of iVerify. "Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable."

Google Threat Intelligence Group, alongside cybersecurity firms Lookout and iVerify, revealed Wednesday that the exploit kit, dubbed DarkSword, has been used in targeted attacks against users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The discovery highlights how advanced hacking techniques once reserved for carefully selected targets are now proliferating through commercial channels to a broader range of threat actors.

## How the Attack Works

DarkSword operates as what researchers call a "full-chain exploit kit": a sequence of six interconnected vulnerabilities that systematically break through iOS security layers. Several of them were unpatched zero-days at the time they were discovered.

The attack requires no user interaction beyond visiting a compromised website. Unlike traditional malware that needs users to download malicious apps or click suspicious links, DarkSword is embedded in otherwise legitimate web pages and activates automatically when a vulnerable iPhone loads the site.

The technique exploits Safari through watering hole attacks, a method in which attackers compromise websites frequented by their target groups. Lookout researchers identified two compromised Ukrainian domains used in the campaign: novosti.dn[.]ua, a news site covering the Donbas region, and 7aac.gov[.]ua, an official Ukrainian government website belonging to the Seventh Administrative Court of Appeals.
The malicious infrastructure was traced to static.cdncounter[.]net, which served as the delivery mechanism for the exploit chain.

Once inside, DarkSword escalates privileges to the kernel level and deploys payloads identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER to harvest data. Rather than installing persistent spyware, it uses a fileless technique—hijacking legitimate iOS system processes to extract information, then cleaning up traces before vanishing.

"Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they're meant to be used," Cole explained. "And it leaves far fewer traces."

Researchers describe the approach as a "smash-and-grab" model: sensitive data is extracted within minutes of infection and the malware then disappears, which makes forensic detection significantly more difficult.

## Scale of the Threat

The exploit chain targets iOS versions 18.4 through 18.7, releases that shipped between March and September 2025. iVerify and Lookout estimate that between 220 million and 270 million iPhones worldwide are still running these exposed versions. Apple's own statistics and industry tracking data both put close to a quarter of all iPhone users on iOS 18 broadly; the subset running the specific vulnerable versions faces the DarkSword threat directly.
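The two facts a defender can act on immediately are the three domains named above and the 18.4 through 18.7 version window. The following is an added example (not code from the article, Google, Lookout, or iVerify) that scans a web-proxy log for requests to those hosts, pulls the iOS build out of the Mobile Safari user-agent, and ranks each hit by whether the client was in the vulnerable range. The log format, the sample lines, the severity labels and every function name are constructed for illustration; only the domains and the version range come from the article.

```python
"""Scan proxy logs for the DarkSword watering-hole domains named in the
article and flag iPhones whose build sits in the 18.4-18.7 range.
Added example: log format, sample traffic and severity scheme are mine."""
import re
from typing import Optional

# Domains exactly as the article names them (defanged). The role labels are
# this example's shorthand for how the article describes each host.
IOC_DOMAINS = {
    "novosti.dn[.]ua": "watering-hole",
    "7aac.gov[.]ua": "watering-hole",
    "static.cdncounter[.]net": "delivery",
}
VULNERABLE_RANGE = ((18, 4), (18, 7))  # inclusive major.minor, per the article
_UA_IOS = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_LOOKUP = {refang(d): role for d, role in IOC_DOMAINS.items()}


def ios_version(user_agent: str) -> Optional[tuple]:
    """(major, minor, patch) from a Mobile Safari UA, or None if not an iPhone."""
    m = _UA_IOS.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_vulnerable_range(version: tuple) -> bool:
    """True when major.minor falls within 18.4..18.7. The patch level is
    deliberately ignored: the article does not say which point releases carry
    Apple's backported fix, so an 18.7.x device is reported for review rather
    than assumed safe."""
    lo, hi = VULNERABLE_RANGE
    return lo <= tuple(version[:2]) <= hi


def classify(host: str, user_agent: str) -> Optional[str]:
    """Severity for one request, or None when the host is not an indicator."""
    role = IOC_LOOKUP.get(host.lower())
    if role is None:
        return None
    if role == "delivery":
        return "critical"  # any contact with the exploit server is a hit
    ver = ios_version(user_agent)
    if ver is None:
        return "info"      # compromised site, but not an iPhone client
    return "high" if in_vulnerable_range(ver) else "low"


def scan(log_text: str) -> list:
    """Parse tab-separated 'timestamp client host user_agent' lines."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split("\t", 3)
        severity = classify(host, ua)
        if severity:
            hits.append({"ts": ts, "client": client, "host": host.lower(),
                         "ios": ios_version(ua), "severity": severity})
    return hits


def clients_to_triage(hits: list) -> set:
    """Clients seen at a watering hole AND at the delivery host: the strongest
    sign the chain actually fired rather than a harmless page view."""
    roles_by_client = {}
    for h in hits:
        roles_by_client.setdefault(h["client"], set()).add(IOC_LOOKUP[h["host"]])
    return {c for c, roles in roles_by_client.items()
            if {"watering-hole", "delivery"} <= roles}


# Constructed sample proxy log (not real traffic): one vulnerable iPhone that
# visits the news site and then fetches from the delivery host, one patched
# iPhone, one unrelated host, and one Windows client on the same news site.
_IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS {v} like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/{d} "
              "Mobile/15E148 Safari/604.1")
SAMPLE_LOG = "\n".join([
    "2026-03-25T10:14:02Z\t10.1.2.3\tnovosti.dn.ua\t" + _IPHONE_UA.format(v="18_5", d="18.5"),
    "2026-03-25T10:14:03Z\t10.1.2.3\tstatic.cdncounter.net\t" + _IPHONE_UA.format(v="18_5", d="18.5"),
    "2026-03-25T10:20:11Z\t10.1.2.9\t7aac.gov.ua\t" + _IPHONE_UA.format(v="26_3", d="26.3"),
    "2026-03-25T10:21:00Z\t10.1.2.4\texample.com\t" + _IPHONE_UA.format(v="18_6", d="18.6"),
    "2026-03-25T10:22:00Z\t10.1.2.5\tnovosti.dn.ua\tMozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
])

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['severity']:8} {h['ts']} {h['client']:10} {h['host']:24} ios={h['ios']}")
    print("triage first:", sorted(clients_to_triage(found)))
```

Two design choices matter here. A request to the delivery host is rated critical regardless of user-agent, because the article gives no reason to expect that host in benign traffic. And the version check compares major.minor only: because the article does not state which point releases carry Apple's backported fix, an 18.7.x device is surfaced for review instead of being silently assumed safe. Remember that a non-iPhone client on the same watering hole is still worth a note, since the same site may have served other exploit kits or content outside this reporting.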
## Data at Risk

The scope of information DarkSword can exfiltrate is extensive:

- Text messages from iMessage, WhatsApp, and Telegram
- Location history and tracking data
- Wi-Fi passwords and network credentials
- Browser history and Safari data
- Call history and phone logs
- Photos and media files
- SIM card and cellular network details
- Health app data, Calendar, and Notes databases
- Cryptocurrency wallet credentials

The inclusion of cryptocurrency theft capabilities alongside traditional espionage data points to a troubling convergence—state-sponsored actors apparently running parallel financial crime operations. Cryptocurrency exchanges and wallets targeted include Coinbase, Binance, Kraken, Ledger, Trezor, Metamask, Exodus, and others.

## Attribution and Proliferation

The attacks demonstrate a concerning pattern of exploit commercialization. Researchers observed DarkSword being deployed by multiple distinct groups:

- A Russian state-linked espionage group tracked as UNC6353, which used it against Ukrainian targets
- Commercial surveillance vendors, with attacks in Turkey and Malaysia associated with Turkish firm PARS Defense
- Additional threat actors targeting Saudi Arabian users

Evidence strongly suggests DarkSword was developed by a commercial exploit broker rather than by the groups deploying it. The code contains English-language comments explaining each component, documentation written for customers rather than for the developers themselves.

Perhaps most troubling, the Russian actors who used DarkSword left the full exploit code openly accessible on the compromised websites, complete with that explanatory documentation.

"Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It's as simple as that," said Matthias Frielingsdorf, a researcher at iVerify. "It's all nicely documented, also. It's really too easy."
This follows the pattern of Coruna, another powerful iOS exploit kit revealed earlier this month, which was created by Trenchant—a subsidiary of US defense contractor L3Harris—and subsequently sold through a Russian broker firm called Operation Zero, now under US government sanctions.

## Apple's Response

Apple has patched all known vulnerabilities exploited by DarkSword in iOS 26.3 and released emergency updates for older devices that cannot run the latest operating system. The company also introduced its first-ever Background Security Improvements (BSI) update, a new mechanism for delivering lightweight security patches between major update cycles. The initial BSI release addressed a WebKit vulnerability (CVE-2026-20643), a cross-origin issue in the Navigation API that could allow malicious web content to bypass the same-origin policy.

BSI updates replace the previous Rapid Security Response system, which Apple retired after a 2023 update caused website rendering issues. The new system requires only a quick restart rather than a full reboot, enabling faster security patch deployment.

"Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices," an Apple spokesperson stated. The company confirmed that all malicious domains identified by researchers are now blocked by Safari's Safe Browsing protection.

## Federal Mandate

The Cybersecurity and Infrastructure Security Agency (CISA) has added DarkSword-related vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaws by April 3, 2026.
The catalog additions include:

| CVE ID | Severity | Description |
|--------|----------|-------------|
| CVE-2025-31277 | High | Apple Multiple Products Buffer Overflow |
| CVE-2025-43510 | High | Apple Products Improper Locking Vulnerability |
| CVE-2025-43520 | Medium | Apple Products Classic Buffer Overflow |

## The Changing Threat Landscape

The emergence of DarkSword, just weeks after the Coruna revelations, signals a fundamental shift in mobile security. Sophisticated iOS exploits that once required nation-state resources are now available through commercial channels, and they are being deployed with increasingly reckless operational security.

"People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn't a concern for a normal citizen," said Justin Albrecht, principal researcher at Lookout. "Now that we see iOS exploits being delivered through an unscrupulous broker, there's a whole market here for this to get to cybercriminals."

The carelessness with which these tools are now deployed suggests attackers view them as expendable commodities. As Cole noted: "If this one gets burned, I'll just go get another one. They know there's more where this came from."

For users, the message is unambiguous: update immediately. Check the installed version under Settings > General > Software Update. Devices that can run iOS 26 should move to 26.3 or later; devices that cannot should install the emergency update Apple released for older hardware and, on top of that, enable Lockdown Mode, a stricter security setting that reduces the attack surface for sophisticated threats. The era of assuming mobile devices were immune to mass attacks is officially over.