DarkSword iOS Exploit Puts Over 220 Million iPhones at Risk — Here’s What You Need to Do Now

Researchers from three cybersecurity firms confirmed on March 18, 2026 that a new iPhone exploit called DarkSword has been actively attacking devices since at least November 2025. It works silently, leaves almost no trace, and requires just one thing from you: visiting the wrong website.

An estimated 220 million iPhones — roughly 14% of all active iOS devices worldwide — are running software versions vulnerable to this attack, according to Lookout and iVerify.

The Attack Starts the Moment You Open a Web Page

You do not click a link. You do not download an app. You do not enter a password.

DarkSword is delivered through what security researchers call a “watering hole” attack — legitimate websites are silently compromised to deliver the exploit the moment a vulnerable iPhone visits them.

Two Ukrainian websites, including one ending in .gov.ua, were among those used to spread the exploit. A visitor with a vulnerable iPhone would have had no idea anything happened.

Once triggered, DarkSword breaks out of the iPhone’s WebContent sandbox, injects itself into a background system process called mediaplaybackd, then crafts direct kernel read/write access — essentially gaining full control of the device’s most protected areas.

The whole attack completes in seconds. DarkSword takes a “hit-and-run” approach: it extracts the targeted data within seconds or minutes, then cleans up after itself. By the time you put your phone down, it is already done.

What It Steals

The exploit deploys three separate data-theft tools, each with a specific job.

One targets saved passwords, cryptocurrency wallet apps, browser history, photos, and emails. A second gets into signed-in accounts, private messages, and live location history. A third executes code and performs broader data collection across the device.

DarkSword specifically targets a wide range of cryptocurrency wallet apps, hinting at a financially motivated threat actor behind at least part of the operation.

The exploit’s internal name — “DarkSword” — was found inside the code itself, in a line used to dump Wi-Fi passwords from the device.

This Is Not Amateur Work

What separates DarkSword from typical mobile threats is the level of investment behind it.

Exploit chains of this kind are often assumed to be technology only available to state-backed actors and companies that build tools for law enforcement and intelligence agencies.

The discoveries of DarkSword and the previously reported Coruna exploit prove that a secondary market exists for such tools — enabling groups with more limited resources and motives beyond targeted espionage to acquire and deploy top-tier exploits against everyday users.

In other words: tools once reserved for governments are now being resold and reused against regular iPhone owners.

Researchers at Lookout and Google’s Threat Intelligence Group linked DarkSword to a likely Russian threat actor, designated UNC6353, who previously deployed a separate iPhone exploit called Coruna — discovered just weeks earlier.

Confirmed targets span Ukraine, Saudi Arabia, Turkey, and Malaysia.

Why It Went Undetected for Four Months

DarkSword was first observed in late 2025, according to Google’s Threat Intelligence team. It was not publicly disclosed until March 18, 2026 — a gap of roughly four months.

The exploit chain is built entirely in JavaScript, contains no persistent binary implant, and disengages after successful data extraction — three design choices that make it extremely difficult to detect through conventional security scanning.

There is also no iOS equivalent of antivirus software to catch something like this in real time. iPhones are locked down by design, which stops most malware — but also limits the tools available to detect sophisticated threats when they do slip through.

Which iPhones Are Affected

The exploit targets iPhones running iOS 18.4 through iOS 18.7. Some configurations of early iOS 26 releases are also reportedly vulnerable.

According to iVerify, the only confirmed safe versions right now are iOS 18.7.6 and iOS 26.3 or later. Devices running iOS 18.7.3 or higher for the iOS 18 branch, and iOS 26.3 or higher, are not susceptible to this threat.

What is not yet confirmed: whether Apple will release backported patches for older iPhones that cannot run iOS 26 at all. That remains an open question as of publication.

What to Do Right Now

Open Settings → General → Software Update on your iPhone.

  • If your phone supports iOS 26, install iOS 26.3.1 or later.
  • If your phone only supports iOS 18, install iOS 18.7.6 at minimum.
  • If you cannot update right now, go to Settings → Privacy & Security → Lockdown Mode and turn it on. This feature, available since iOS 16, restricts certain functions to significantly reduce the attack surface.
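For anyone responsible for more than one iPhone, the version guidance in "Which iPhones Are Affected" and the steps above can be applied to a device inventory. The script below is an added example, not code from the article or from the researchers it cites; the CSV columns, device names and status labels are constructed for illustration, and where the article gives two figures for the iOS 18 branch the stricter 18.7.6 is used.

```python
import csv, io, re

# Thresholds as stated in the article. It mentions both 18.7.3 and 18.7.6 for
# the iOS 18 branch; this example assumes the stricter 18.7.6.
FIX_18, FIX_26 = (18, 7, 6), (26, 3, 0)
RANGE_START = (18, 4, 0)   # article: "iOS 18.4 through iOS 18.7"

def parse_version(text):
    """'18.7' -> (18, 7, 0); None for anything that is not a plain version."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(text):
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v >= FIX_26 or (v[0] == 18 and v >= FIX_18):
        return "patched"
    # Early iOS 26 is only "reportedly" vulnerable; treated as exposed here.
    if RANGE_START <= v < FIX_18 or v[0] == 26:
        return "exposed"
    return "unlisted"      # below the fix, but the article makes no claim

def action(status, supports_26):
    if status == "patched":
        return "none"
    if status == "unknown":
        return "verify version manually"
    target = "iOS 26.3.1 or later" if supports_26 else "iOS 18.7.6 or later"
    return f"update to {target}; enable Lockdown Mode until updated"

def triage(inventory_csv):
    report = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["os_version"])
        can_run_26 = row["supports_ios26"].strip().lower() == "yes"
        report.append((row["device"], status, action(status, can_run_26)))
    return report

# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE = """device,os_version,supports_ios26
phone-a,18.5,yes
phone-b,18.7.6,no
phone-c,26.2,yes
phone-d,17.6.1,no
phone-e,n/a,no
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(" | ".join(entry))
```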

There is no iOS antivirus app that can detect DarkSword. However, if you have a Mac, Intego’s antivirus software can scan a connected iPhone for signs of spyware.

One thing to be clear about: if you are already on a safe iOS version, you are protected. The fix exists. The only question is whether you have applied it.

Why This Should Concern Every iPhone Owner

Most people assume iPhones are secure by default — and most of the time, that assumption is correct. But DarkSword illustrates a specific and growing problem: the gap between when Apple releases a patch and when users actually install it.

That gap, which can stretch months for many users, is exactly where attacks like DarkSword operate. The exploit ran for four months before public disclosure. It required no user interaction. It left no trace.

With mobile devices holding access to everything from financial accounts to enterprise data, this discovery underscores the need to protect them against the broadest spectrum of possible attack vectors.

Updating your phone takes three minutes. Not updating it can cost considerably more.


→ Check your iOS version now. Go to Settings → General → About and look at the iOS Version field. If it reads anything earlier than 18.7.6 or 26.3, treat this as urgent.

Are device makers doing enough to push critical security updates to users who delay them? That is the question DarkSword leaves unanswered.
