Overview
- Researchers say a newer DarkSword build published on GitHub Monday is simple HTML and JavaScript that works "out of the box," a claim echoed by Google and iVerify as they warn low‑skill actors can now deploy it in minutes.
- DarkSword compromises an iPhone through Safari when a user visits a hacked site, chaining multiple bugs in WebKit and iOS to gain kernel‑level control without taps or downloads.
- The leaked toolkit is built to grab data fast and leave few traces, pulling keychain passwords, messages, photos, call logs, browsing data, location, health records, and crypto wallet credentials before cleaning up.
- Apple says devices on current software are protected and notes it shipped an emergency update on March 11 for iOS 15 and 16; users still on iOS 18.4 to 18.7 should update or turn on Lockdown Mode to block the exploit chain.
- The kit has been used since late 2025 by multiple operators in watering‑hole attacks tied to targets in Ukraine, Malaysia, Saudi Arabia, and Turkey. Apple’s own stats suggest roughly a quarter of devices on iOS 18 remain at risk until updated.