Hackers could have breached the Cabinet of Ministers' server - iPhones in Ukraine at risk due to spyware

Russian hackers breached the gov.ua server to spread the DarkSword spyware. 270 million Apple devices running iOS 18.4-18.6.2 are at risk.

Hundreds of millions of Apple users are at risk of potential information theft due to the DarkSword software exploit, which targets iPhones still running iOS versions 18.4 to 18.6.2. In Ukraine, one of the sites redirecting to malicious code has a ".gov.ua" domain, meaning that attackers were able to hack a Ukrainian government server. This was reported by experts from iVerify and Lookout, according to UNN.

Details

As iVerify researchers note, they discovered a full-chain iOS exploit (a computer program, a fragment of program code, or a sequence of commands that exploits vulnerabilities in software and is designed to attack a computing system - ed.) that fully compromises devices.

According to researchers, the exploit is called DarkSword and targets, in particular, iPhones still running iOS versions 18.4 to 18.6.2.

These versions, released in 2025, are still running on 270 million devices. The attack was discovered thanks to a suspicious URL hosted on the same infrastructure that a Russian attacker used during the first known Coruna attack against Ukraine, announced on March 3, 2026. Notably, one of the sites redirecting to the malicious payload has a ".gov.ua" address, meaning that the attacker managed to compromise a Ukrainian government server.

- the study says.

The experts noted that they cooperated with CERT-UA - a team for responding to cyber incidents, cyberattacks, and cyber threats, which operates as part of the State Service of Special Communications and Information Protection of Ukraine.

It is noted that DarkSword, written entirely in JavaScript, contains six vulnerabilities in two exploit chains that were fixed in stages, starting with iOS 26.3. Starting with WebKit and moving down to the kernel, it achieves a full iPhone compromise using methods never before publicly known.

Unlike Coruna, which seemed to be primarily aimed at cryptocurrency theft, DarkSword appears to be a surveillance and intelligence gathering tool that extracts full data, including Wi-Fi passwords, text messages, call history, root location history, browser history, SIM card and cellular data, as well as health, notes, and calendar databases, although it also searches for crypto wallets.

- experts note.

Experts also emphasize that the Russian attacker who deployed DarkSword has very low operational security. He left the full JavaScript code unencrypted, unprotected, and easily accessible. This negligence, along with the negligence of the Chinese criminal group that used Coruna, led to both attacks eventually being exposed. DarkSword and Coruna exploits are easily repurposed and deployed, making it very likely that more and possibly modified deployments of DarkSword and Coruna spyware are actively infecting iOS users.

Given that the infiltration server code contained comments in Russian, and the exploit codebase contained original variable names and deployment instructions in English, the operator and developer are likely different individuals, suggesting independent acquisition of the exploit chain. Combined with low operational security, this suggests several different possibilities. First, the attacker is not worried about being caught, as there are few tools to actually detect these attacks on iOS. Second, the supply of iOS exploits is so large that the attacker is not worried about burning it. Third, the attacker does not realize the value of the exploit.

- experts add.

Lookout experts note that DarkSword appears to use a "hit and run" approach, collecting and extracting targeted data from the device within seconds or at most minutes, followed by cleanup.

Exploit chains, similar to the one used in DarkSword, allow attackers to gain full access to a user's device with virtually no action on their part. These sophisticated and extremely expensive exploit kits are often considered technologies available only to state organizations and companies that create tools for law enforcement and intelligence agencies. The discovery of DarkSword and the previous Coruna prove that there is a secondary market for such exploits, which allows groups with more limited resources and motives, beyond targeted espionage, to obtain first-class exploits and use them against mobile users. Since mobile devices have access to everything from financial accounts to corporate data, this discovery once again highlights the need to protect them from the widest possible range of attack vectors.

- experts note.
