DarkSword: The iPhone vulnerability that triggers security alarms

  • DarkSword is a zero-click exploit chain that affects iPhones running iOS 18.4 to 18.7 and allows almost total control of the device.
  • The vulnerability is exploited by visiting compromised websites, many of them legitimate, with campaigns detected in Ukraine, Saudi Arabia, Türkiye, and Malaysia.
  • Attackers can steal messages, passwords, browsing histories, and cryptocurrency wallet credentials, among other sensitive data.
  • Apple and researchers from Google, iVerify, and Lookout urge users to immediately update to iOS 26.3 or higher and activate advanced protection modes such as Lockdown Mode.

DarkSword iPhone vulnerability

The DarkSword vulnerability has become one of the most serious security flaws recently discovered in the iPhone. It is a chain of iOS exploits capable of taking control of the phone simply by loading a manipulated web page, without the user touching anything or seeing a warning on the screen.

This attack kit, analyzed by security teams from Google, iVerify and Lookout, primarily affects iPhones still running iOS 18, specifically versions between 18.4 and 18.7. The risk is not theoretical: there are active campaigns, and the kit has been linked to commercial surveillance vendors and to actors with possible state backing. It targets both ordinary users and high-value profiles, including people who manage cryptocurrencies from their phones.

What is DarkSword and how does it exploit iOS?

DarkSword is a zero-click exploit chain targeting iOS. In other words, it is a set of vulnerabilities that allows an attacker to compromise a device without the user clicking a link, downloading a file, or explicitly granting a permission. Simply visiting a compromised website, in Safari or through the browser embedded in another app, is enough to trigger the attack chain transparently.

According to the technical report published by Google's Threat Intelligence Group (GTIG) together with iVerify and Lookout, the DarkSword chain strings together at least six distinct security flaws (see also the analyses of critical bugs in macOS and iOS), escalating to the point of executing code with kernel privileges. This level of access is especially critical because it gives the attacker very deep control over the system, above many security applications.

The researchers explained that the exploit was built for devices on iOS 18, in versions such as 18.4, 18.6.2 or 18.7, a range that at the time covered hundreds of millions of phones. Although Apple had been patching vulnerabilities in successive updates, a significant portion of the iPhone base remained on iOS 18 for months, opening a very wide window of opportunity for attackers. In particular, many of the fixes arrived in patches related to iOS 18.6 that mitigated several of the exploited vulnerabilities.

The most disturbing finding of the investigation is that DarkSword does not hide behind sophisticated social engineering. The user may be reading a news article on a legitimate website or consulting an official portal, and the attack executes in the background if that site has been compromised.

Detected campaigns and objectives: from Ukraine to the crypto ecosystem

The first solid indications of DarkSword appeared on legitimate websites in Ukraine, where Google researchers found malicious code embedded in dozens of sites, including media outlets and websites of public bodies. From there, the campaign spread to other geopolitically sensitive areas.

GTIG and iVerify have attributed the use of this kit to multiple different actors, including commercial surveillance providers and groups allegedly linked to intelligence services. Among the countries where operations have been observed are Saudi Arabia, Türkiye, Malaysia and Ukraine. This makes it clear that it was not an isolated experiment, but a campaign sustained over time.

One of the elements that has most concerned the digital financial sector is that the cryptocurrency ecosystem has become an explicit target. Binance, one of the world's largest exchanges, issued a specific alert for iPhone and iPad users after the DarkSword details were published, reminding them that the problem lies not in a specific wallet or platform, but in the operating system layer itself.

The published analyses mention an associated malware family known as GHOSTBLADE, which relies on the vulnerabilities exploited by DarkSword to deploy implants capable of collecting data relevant to cryptocurrency theft. Among these, the researchers list system keychains, files in iCloud Drive, location histories, Wi-Fi network passwords and, notably, information related to cryptocurrency wallets and financial services accounts.

What data can it steal and why is it so difficult to detect?

Once the exploit chain executes successfully, the attacker gains access to a massive amount of information. Reports from Lookout and Google indicate that DarkSword is able to extract virtually everything that makes an iPhone valuable to its owner: passwords, photos, contacts, iMessage, WhatsApp and Telegram histories, notes, calendars, Health app logs, browsing histories and account data stored in the keychain.

In economic terms, the tool focuses on cryptocurrency wallet credentials and data related to exchange services. This explains much of the interest from purely financially motivated criminal groups, which reuse government-grade technology to mount large-scale fund theft campaigns, often combined with fraudulent cryptocurrency websites.

Instead of installing a visible spyware app or traditional persistent spyware, DarkSword relies on "fileless" techniques, which are more typical of advanced malware on computers. This means it hijacks legitimate system processes and operates in memory, acting during the first minutes after infection to collect and exfiltrate data while leaving virtually no obvious traces.

With this approach, the infection may disappear after the iPhone is restarted. By then the data has already been copied, and the incident goes unnoticed by the user and by many security tools, leaving only a minimal trace in internal logs, which in some cases the malware itself explicitly attempts to delete to hinder forensic analysis.

Official warnings and Apple's response

Following the publication of the joint report by Google, iVerify and Lookout, manufacturers and platforms began issuing coordinated alerts to iOS users. Binance warned of a "critical exploit" and urged users to update immediately, stressing that any device that had run iOS 18.4 to 18.7 should be considered at risk if it had not been kept up to date.

A few days later, Apple published a support note acknowledging attacks based on malicious web content aimed at outdated versions of the system. In that statement, the company emphasized that keeping software up to date is the most important protection measure for the average user, and reminded users that current versions of iOS already include the necessary fixes. Apple's notes on the new features and patches in iOS 26.3 expand on these details.

According to information provided by Google, all vulnerabilities associated with DarkSword were patched in iOS 26.3, although several of them had been partially or fully patched in earlier updates. Apple also mentions iOS 26.3.1 as a recent update with additional security improvements, available for compatible models.

In addition to the patches, the company points to Lockdown Mode. Introduced to protect high-risk users, this feature helps mitigate such attacks by hardening how the system handles content received over the internet. Even so, Apple insists that the first line of defense is to update to the latest version of the operating system as soon as possible.

How many iPhones remain vulnerable and who is most at risk?

One of the most striking aspects of the DarkSword case is the size of the affected installed base. Estimates from iVerify, Lookout and usage data cited by specialized media suggest that, at the height of the campaign, between 220 and 270 million iPhones were still running vulnerable versions of iOS 18. In percentage terms, that represents between 14% and around a quarter of all active iPhones, depending on the source.

This discrepancy is partly explained by the reluctance of many users to make the jump to iOS 26, whether out of habit, fear of interface changes, or because of performance issues perceived on older models. In Europe and Spain, where update adoption is usually higher than the global average but varies widely by age group and user type, this still leaves millions of devices with an insufficient layer of protection.

The most sensitive profiles are those who handle critical information on their phones: journalists, activists, public officials, executives, professionals who frequently travel to countries with high levels of surveillance and, of course, people who manage significant amounts of cryptocurrency or financial assets from mobile apps.

Even so, the research suggests that the scale of the campaigns means we are no longer dealing with targeted, sniper-style attacks, but with much broader scenarios in which attacks hit large groups of users by exploiting very powerful security vulnerabilities that are relatively easy to reuse once they have leaked.

Practical recommendations for iPhone users in Spain and Europe

The main message from the security teams and from the manufacturer itself is direct: if your iPhone has been on iOS 18 and has not yet moved to the 26 branch, the prudent thing to do is to check the current version, update to iOS 26 and apply any available patches as soon as possible. The process is done from Settings > General > Software Update, and in most cases it only takes a few minutes.

For devices that do not support iOS 26, Apple has released specific security patches for earlier versions, so that at least the most serious vulnerabilities associated with DarkSword are mitigated. They do not offer the same level of protection as the latest version, but they significantly reduce the attack surface. See the specific security patches published by Apple.
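For anyone responsible for more than one device, the two recommendations above amount to a triage over an inventory. The following is an added example, not code from the article or from the cited researchers; it encodes only the version facts the article states (affected range iOS 18.4 to 18.7, all associated flaws fixed in iOS 26.3) and assumes a constructed inventory format with a constructed `supports_ios26` attribute, since the article does not list which models can run iOS 26.

```python
from __future__ import annotations
from dataclasses import dataclass

# Version facts from the article (major, minor). Tuples compare
# lexicographically, so (26, 3, 1) >= (26, 3) holds as expected.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)
FIXED_IN = (26, 3)


def parse_ios_version(text: str) -> tuple[int, ...]:
    """'18.6.2' -> (18, 6, 2); '18.7' -> (18, 7). Rejects malformed input."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map a version to patched / affected_range / outdated."""
    v = parse_ios_version(version)
    if v >= FIXED_IN:
        return "patched"
    # Compare on major.minor so 18.6.2 and any 18.7.x land in the range.
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        return "affected_range"
    return "outdated"  # below the fix but outside the stated range


@dataclass(frozen=True)
class Device:
    device_id: str
    supports_ios26: bool  # constructed attribute, not from the article
    version: str


def triage(devices: list[Device]) -> dict[str, tuple[str, str]]:
    """Return {device_id: (status, action)} following the article's advice."""
    report = {}
    for d in devices:
        status = classify(d.version)
        if status == "patched":
            action = "none"
        elif d.supports_ios26:
            action = "update to iOS 26.3 or later"
        else:
            action = "apply Apple's backported security patch for this branch"
        report[d.device_id] = (status, action)
    return report


# Constructed inventory for illustration.
INVENTORY = [
    Device("ip-001", True, "18.6.2"),
    Device("ip-002", True, "26.3.1"),
    Device("ip-003", False, "18.7"),
    Device("ip-004", True, "18.3.1"),
    Device("ip-005", True, "26.2"),
]

if __name__ == "__main__":
    for dev_id, (status, action) in triage(INVENTORY).items():
        print(f"{dev_id}: {status:15} -> {action}")
```

Devices reported as "outdated" are below the fix version without being in the range the article names; they still belong in the update queue.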

In European environments, where mobile phones are widely used for online banking and digital payments, it is also advisable to apply complementary measures: activate Lockdown Mode if handling particularly sensitive information, limit the number of apps with access to sensitive data, avoid browsing unknown websites from links received via messaging, and, if using cryptocurrency wallets, consider hardware wallets disconnected from the phone to store large amounts.

Specialized tools such as iVerify, or mobile security solutions for businesses, can help detect signs of compromise, although in the specific case of DarkSword detection is complex because of its ephemeral nature and trace-erasing techniques. For individual users, following official Apple advisories and the bulletins of European cybersecurity agencies is a good complement.

In the end, the DarkSword case offers a clear lesson for the iPhone ecosystem: government-grade digital weapons no longer remain solely in the hands of a few intelligence services. Instead, they can escalate into widespread campaigns affecting millions of ordinary people, often without their knowledge. The difference between being an easy target and a much harder one often boils down to something as unglamorous as keeping your operating system updated, hardening your security settings, and distrusting the notion that "these things don't happen on iPhones."
