Overview
- Google’s Threat Intelligence Group, iVerify and Lookout on March 18 detailed DarkSword, a watering‑hole attack that compromises iPhones via Safari with no user action.
- The exploit chain targets iOS 18.4 through 18.6.2 and 18.7 variants, chaining six CVEs across WebKit, the kernel and dyld to enable fileless, short‑lived data theft.
- Operators left the full, unobfuscated DarkSword code on compromised Ukrainian sites, making reuse by other actors far easier.
- Campaigns observed since November 2025 hit users in Ukraine, Saudi Arabia, Malaysia and Turkey, with links to suspected Russian groups (UNC6353/UNC6748) and customers of Turkish vendor PARS Defense.
- Researchers estimate 220 million to 270 million iPhones still run exposed versions; Apple and browser vendors have blocked malicious domains, and Lockdown Mode blocks the observed attack.