Particle.news

Researchers Unveil 'DarkSword' iPhone Exploit as Apple Urges Updates

Analyses describe a web-delivered kit planted on compromised sites, with exposed code that raises the copycat risk for millions still on outdated iOS.

Overview

  • Lookout, iVerify and Google detailed DarkSword, a web-based exploit chain targeting iPhones running iOS 18.4 to 18.6.2 and planted on dozens of legitimate sites, notably in Ukraine.
  • Apple says the underlying bugs were previously fixed and it issued an emergency update for older devices, while urging users to install the latest available iOS or use Lockdown Mode if at high risk.
  • Researchers observed use by suspected Russian-linked operators and multiple commercial surveillance vendors in campaigns affecting users in Ukraine, Saudi Arabia, Malaysia and Turkey.
  • The tool performs a rapid, fileless data grab through hijacked system processes, stealing items such as passwords, messages, photos, browser data, Health records and cryptocurrency wallet credentials, then disappearing on reboot.
  • Investigators found DarkSword’s unobfuscated source code left accessible on compromised servers, and estimate 220 million to 270 million iPhones remain exposed if not updated; browser and security teams have blocked known malicious domains.