Apple users face new security threats now that the DarkSword spyware toolkit has been released on GitHub. The leak makes it easier for novice hackers to exploit millions of iPhones and iPads. Security researchers at Google, Lookout, and iVerify state that the exploit kit is now publicly available and puts 25% of active iOS devices at risk, exposing them to data theft.
Key Takeaways:
- Public Leak: Due to the DarkSword code leak, attackers lacking any iOS experience can now use it.
- Affected Devices: iPhones and iPads running iOS 18.4, 18.5, 18.6, and 18.7 are at greater risk.
- Zero-Click Threat: This spyware is spread through "watering hole" attacks, meaning people can be infected just by visiting a compromised website.
- Data at Risk: The tool can steal sensitive information such as messages, photos, passwords, and cryptocurrency wallet information.
- Simple Fix: Devices can be fully protected by updating to iOS 26.3 or applying the latest emergency security patches for older models.
By exploiting six specific vulnerabilities, the DarkSword exploit chain successfully breaches Apple products. DarkSword operates as a fileless, 'hit-and-run' attack, meaning it extracts sensitive data and disappears without a trace once the device reboots. The exploit chain, which initially targeted users in Ukraine, Saudi Arabia, and Turkey, has now become widely available after a recent leak on GitHub.
How DarkSword infects devices
Unlike most phishing schemes and malware, which require the user to download a file onto the device to initiate the attack, DarkSword has a different triggering mechanism. The attack triggers once a user opens the compromised website in Safari. The exploit targets the JavaScriptCore engine to achieve remote code execution. Attacks against the browser sandbox are known to yield high or even kernel-level privileges on the OS.
Estimates by the security firm iVerify suggest that approximately 270 million devices worldwide are still running iOS 18. Apple released updates for the vulnerabilities at the end of 2025 and the beginning of 2026, but the slow pace at which people update their software still leaves an alarming number of vulnerable devices open to hackers.
Protection and mitigation
Apple issued an emergency security update on March 11 for devices that cannot run the latest operating system. Users on iOS 15 or 16 should check for these specific patches immediately. For users with compatible hardware, moving to iOS 26 is the most effective defense.
Experts also suggest enabling Lockdown Mode for individuals at higher risk, such as journalists or government officials. While DarkSword is sophisticated, it currently cannot bypass the strict security protocols of Lockdown Mode.
Frequently Asked Questions
Q1: Which iPhone models are most at risk?
A1: Any iPhone or iPad running iOS 18 versions between 18.4 and 18.7 is vulnerable. This includes older models like the iPhone 11 and 12 that users may not have updated recently.
Q2: How do I know if my iPhone is infected?
A2: Because DarkSword is a fileless exploit that cleans up its own traces, it is extremely difficult to detect. However, it does not persist after a restart. If you suspect a breach, reboot your device and update the software immediately.
Q3: Can the spyware steal my bank details?
A3: Yes, the toolkit is designed to scrape keychains, which store saved passwords, and it specifically looks for cryptocurrency wallet credentials and financial app data.
Q4: Is it safe to use Safari?
A4: Safari itself is not the problem, but the outdated versions of its underlying engine are. Updating your iOS also updates Safari with the necessary security fixes to block these exploits.


