New DarkSword Spyware Targets iPhones via Websites, Steals Data Silently

Cybersecurity companies, including Google, iVerify, and Lookout, have identified a dangerous new iPhone hacking technique known as DarkSword. This spyware can silently compromise a device when its user simply visits an infected website, raising alarms about the security of millions of users who have not updated their iPhones.

How DarkSword Exploits Vulnerabilities in Older iOS Versions

The attack specifically targets iPhones running older versions of iOS 18, extracting sensitive personal data within minutes. Researchers have warned that this technique has already been deployed in multiple espionage campaigns and cybercrime operations across regions such as Eastern Europe, the Middle East, and Southeast Asia. While Apple has released security updates to mitigate the threat, experts caution that a significant number of users remain vulnerable.

Rocky Cole, iVerify's cofounder and CEO, told Wired: "A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website. Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable."

What Is DarkSword Spyware and How Does It Operate?

DarkSword is a web-based iPhone exploitation technique that allows attackers to gain access to a device without requiring users to download an app or click on suspicious links. Instead, it is embedded in otherwise legitimate websites, such as news portals or government pages, and activates when a vulnerable iPhone visits the site.

Unlike traditional spyware, DarkSword uses a "fileless" approach. It leverages legitimate iOS system processes to access and extract data, making it harder to detect. Cole explained: "Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they're meant to be used. And it leaves far fewer traces."

The attack follows a "smash-and-grab" model, as researchers describe it. It does not persist on the device after a reboot but rapidly collects data within minutes of infection before disappearing. This makes forensic detection more difficult while still allowing attackers to harvest valuable information.

Data at Risk and the Origins of DarkSword

According to Lookout, DarkSword can access a wide range of sensitive data, including:

  • Passwords and photos
  • Browser history and app data from iMessage, WhatsApp, and Telegram
  • Information from Calendar, Notes, and Apple’s Health app
  • Cryptocurrency wallet credentials, suggesting a possible financial motive

The origins of DarkSword remain unclear, but researchers believe it was likely developed by a commercial exploit broker rather than the hacker groups that deployed it. Evidence suggests that multiple hackers, including a Russian state-linked group, have used the tool, and its code was found openly accessible on compromised websites, complete with documentation.

Matthias Frielingsdorf, an iVerify researcher, told Wired: "That carelessness… practically invites other hackers to pick up the tool and target other iPhone users. Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It's as simple as that. It's all nicely documented, also. It's really too easy."

Why the DarkSword Attack Is Raising Concern

Security researchers note that DarkSword reflects a shift in how iPhone hacking tools are being used. Techniques that were once limited to targeted surveillance are now appearing in broader campaigns, potentially affecting a larger group of users.

Justin Albrecht of Lookout said: "People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn't a concern for a normal citizen. Now that we see iOS exploits being delivered through an unscrupulous broker, there's a whole market here for this to get to cybercriminals."

The exposure of DarkSword’s code online also lowers the barrier for other attackers to reuse it, increasing the likelihood of further attacks.

How iPhone Users Can Stay Protected

Apple has released security updates addressing vulnerabilities exploited by DarkSword and related tools. The company has also recommended enabling Lockdown Mode, a stricter security setting designed to reduce exposure to targeted attacks.

In a statement to Wired, an Apple spokesperson said: "Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices."

It is recommended that iPhone users take the following steps to protect themselves:

  1. Update their devices to the latest version of iOS immediately
  2. Avoid accessing untrusted websites
  3. Consider installing mobile security tools to detect potential compromises

As researchers continue to monitor the spread of DarkSword, this case illustrates the changing threat landscape for ordinary mobile phone users, driven by the evolution of exploit markets and the availability of attack tools.