A coordinated investigation by Google's Threat Intelligence Group, Lookout Threat Labs, and iVerify has exposed DarkSword — the most dangerous iPhone exploit kit discovered in years. Unlike previous iOS attacks that targeted journalists and activists, DarkSword is designed for mass exploitation. Up to 296 million iPhones may be vulnerable.

Here's everything you need to know — and exactly what to do right now.

What Is DarkSword?

DarkSword is a full-chain, zero-click iOS exploit kit that chains six separate vulnerabilities to achieve complete control of an iPhone. The attack requires no interaction from the victim — simply visiting a compromised website is enough.

🚨
**This is not a phishing scam.** DarkSword uses "watering hole" attacks on legitimate websites. You don't need to click anything or download anything. Just loading the page is enough to compromise your device.

Once inside, the malware deploys three JavaScript-based payloads — codenamed GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER — that exfiltrate your data in seconds before deleting themselves to avoid detection.

What DarkSword Steals

The exploit targets virtually everything on your iPhone:

Key Facts
  • **Photos and videos** — full camera roll access
  • **Passwords** — saved credentials and keychain data
  • **Crypto wallets** — targets 12+ exchanges (Coinbase, Binance, Kraken) and 7+ wallet apps (Ledger, MetaMask, Trezor)
  • **Messages** — iMessage, Telegram, WhatsApp, Signal
  • **Location history** — complete movement tracking
  • **Health data** — Apple Health records
  • **Browser history** — Safari and Chrome data
  • **iCloud Drive** — documents and files
  • **Wi-Fi passwords** — saved network credentials

Who's Behind the Attacks?

Three distinct threat actors have been identified using DarkSword since November 2025:

Threat Actor Suspected Origin Target Region Attack Method
UNC6353 Russia-linked Ukraine Compromised government and news sites
PARS Defense Turkey (commercial vendor) Turkey, Malaysia Surveillance-as-a-service clients
UNC6748 Commercial surveillance Saudi Arabia Fake Snapchat-themed watering hole
"Apple's messaging that iPhones are only attacked in rare, targeted cases is no longer accurate — everyone is at risk." — Rocky Cole, CEO, iVerify

Is Your iPhone Vulnerable?

221–296 million
iPhones potentially at risk worldwide
14.2–19%
share of all active iPhones affected
6 CVEs
chained vulnerabilities (3 were zero-days)
Seconds
time needed to exfiltrate your data

DarkSword targets iPhones running iOS 18.4 through 18.7. If your iPhone is on any of these versions, you are vulnerable.

To check your iOS version: go to Settings → General → About and look at the "iOS Version" field.

⚠️
**Still on iOS 18.4–18.7?** You are running vulnerable software. Update immediately using the steps below.

How to Protect Your iPhone Right Now

Step 1: Update iOS immediately

  1. Open Settings → General → Software Update
  2. Install the latest available update (iOS 26.3 patches all DarkSword vulnerabilities)
  3. Turn on Automatic Updates if not already enabled

Apple has also released backported patches for legacy devices:

  • iOS 15 devices received patches on March 11, 2026
  • iOS 16 devices received patches on March 11, 2026
  • Devices stuck on iOS 13 or 14 must upgrade to iOS 15 to receive protection

Step 2: Enable Lockdown Mode (high-risk users)

If you cannot update immediately, Apple's Lockdown Mode blocks DarkSword even on unpatched software:

  1. Go to Settings → Privacy & Security → Lockdown Mode
  2. Tap Turn On Lockdown Mode
  3. Restart your device
Pros
  • Completely blocks DarkSword exploit chain
  • Works even on unpatched iOS versions
  • No cost — built into iOS 16+
Cons
  • Disables some website features and attachments
  • Blocks FaceTime from unknown callers
  • Some apps may not function normally

Step 3: Additional security hardening

  • Enable two-factor authentication for your Apple ID (Settings → [Your Name] → Sign-In & Security)
  • Turn on Advanced Data Protection for iCloud (Settings → [Your Name] → iCloud → Advanced Data Protection)
  • Review app permissions — revoke location, microphone, and camera access for apps that don't need it
  • Avoid public Wi-Fi without a VPN — or use iCloud Private Relay
  • Check for signs of compromise — unusual battery drain, overheating, or unfamiliar network activity

Timeline: How DarkSword Unfolded

July 2025
Apple patches first vulnerability (CVE-2025-31277) in iOS 18.6, unaware of the broader chain
November 2025
DarkSword spotted in the wild; UNC6748 targets Saudi users, PARS Defense begins Turkey campaigns
November 2025
Apple patches kernel flaws (CVE-2025-43510, CVE-2025-43520) in iOS 26.1 and 18.7.2
December 2025
WebKit vulnerabilities (CVE-2025-43529, CVE-2025-14174) patched in iOS 26.2
February 2026
Final zero-day (CVE-2026-20700) patched in iOS 26.3
March 11, 2026
Apple releases emergency patches for legacy iOS 15 and 16 devices
March 18, 2026
Coordinated public disclosure by Google, Lookout, and iVerify

Why DarkSword Changes Everything

Previous iPhone exploits like Pegasus were precision weapons — expensive, used against specific high-value targets. DarkSword represents something far more dangerous: the industrialization of mobile spyware.

Security researchers found that parts of DarkSword's code show evidence of Large Language Model assistance, allowing rapid development and professional-grade documentation. The exploit kit was found sitting openly on compromised servers, so neatly documented that any hacker could copy and redeploy it.

ℹ️
**iPhone 17 owners:** Apple confirmed that its newest hardware and latest iOS completely mitigate DarkSword even before patches were released. If you're on the newest device with current software, you're protected.

What Happens Next

Security analysts expect three developments in the coming weeks:

  1. A race against time — now that DarkSword is publicly documented, unpatched iPhones face even greater risk as more actors adopt the technique
  2. Regulatory pressure — the involvement of commercial surveillance vendors like PARS Defense will fuel calls for stricter spyware-industry regulation internationally
  3. AI-powered exploits — the confirmed use of LLMs in DarkSword's development signals a new era where AI dramatically lowers the cost of creating zero-day exploit chains

The bottom line: if you own an iPhone, update it today. Not tomorrow. Today.