Overview
- Google, Lookout, and iVerify disclosed DarkSword, a web-based exploit kit that compromises iPhones running iOS 18.4–18.7 through drive-by visits to infected or compromised websites.
- DarkSword chains six Safari and iOS vulnerabilities to gain kernel access and quickly exfiltrate data, including messages, credentials, iCloud files, and cryptocurrency wallet information, before wiping traces.
- Researchers linked recent campaigns to suspected Russian‑aligned group UNC6353 and observed targeting in Ukraine, Saudi Arabia, Malaysia, and Turkey, with infrastructure overlaps tied to the earlier Coruna kit.
- Investigators say portions of DarkSword’s code were left exposed on compromised sites, raising the risk of reuse, and estimate roughly 220–270 million iPhones still run vulnerable iOS 18 builds.
- Apple confirms the underlying bugs were patched last year and says Lockdown Mode blocks these attacks, with an emergency update issued for older devices and malicious domains now blocked in Safari and Chrome.