The vulnerability known as DarkSword has become one of the most serious security incidents to have recently affected iPhones. Researchers from Google, iVerify, and Lookout have documented how this set of zero-click exploits allows an attacker to take control of devices running iOS 18 simply by having them load a compromised web page, without the person having to tap anything or open suspicious links.
The case has set off alarm bells in the European cybersecurity community, because hundreds of millions of iPhones around the world are still running vulnerable versions of iOS 18. Although Apple has already released fixes and emergency patches, adoption of the latest versions is slower than expected, partly due to doubts about how to manage storage space, which leaves a considerable attack surface both in Europe and in other markets.
What exactly is DarkSword and why is it causing so much concern?
DarkSword is not a simple isolated flaw, but a complete attack kit for iOS designed to compromise iPhones without user interaction. Technical analysis shows that the tool chains around six zero-day vulnerabilities to go from the Safari browser to the operating system kernel itself, obtaining enough privileges to access virtually all the information on the device.
The original campaign was detected on dozens of legitimate Ukrainian websites that had been manipulated. Simply accessing one of those pages from a vulnerable iPhone was enough to trigger the exploit chain in the background. From there, DarkSword could read iMessage, WhatsApp, and Telegram messages, review browsing history, view notes and calendar events, or even access records from Apple's Health app.
One of the elements that most worries researchers is that the attack has been deployed on a large scale and not only against high-profile targets. According to data collected by iVerify and Lookout, between 220 and 270 million iPhones continue to run vulnerable versions of iOS 18, which in practice represents around 14-25% of the active iPhone fleet.
Furthermore, DarkSword relies on an architecture of post-exploitation modules (referred to by analysts with code names such as GHOSTBLADE, GHOSTKNIFE or GHOSTSABER) that are responsible for collecting and packaging stolen information in a very short time, something especially attractive for espionage campaigns and cryptocurrency theft.
How the attack works: from Safari to the iOS core
DarkSword operates by exploiting a chain of security vulnerabilities that are linked one after another. The primary entry point is the Safari browser or any component that renders web content. When a compromised page loads, code specifically designed to exploit vulnerabilities in the JavaScript engine and other browser components is executed.
Once that first phase is successful, the exploit progresses to deeper layers of the system, taking advantage of additional vulnerabilities until it achieves code execution with elevated privileges. With that level of access, the attacker can read internal databases, extract keychain passwords, review conversations, and consult files that are normally protected even from the user's own apps.
The approach is fileless: in other words, DarkSword avoids installing visible applications or persistent files. Instead, it hijacks operating system processes, executes malicious commands from memory, and erases all traces within minutes. This "hit and run" behavior makes detection extremely difficult, even for specialized solutions, because after a phone restart there are hardly any clear signs of the intrusion.
This method of operation is reminiscent of classic techniques used in advanced computer attacks, but adapted to the Apple ecosystem. In fact, the researchers emphasize that none of the usual indicators of resident spyware were observed. This significantly changes the rules of the game for those who are used to looking for suspicious applications on their device.
Affected iOS versions and global reach
The first waves of DarkSword were primarily directed at iPhones running iOS 18. Reports from Google, Lookout, and iVerify consistently point to versions between iOS 18.4 and iOS 18.6.2 as the most clearly compromised in the detected campaigns. Some analyses also mention a partial fix in iOS 18.7.2, while others place the complete closure of the vulnerability in iOS 26 and later.
In any case, the picture painted by the data is clear: a very high volume of devices are still running iOS 18, either because their owners haven't upgraded to the latest versions or because they prefer to avoid interface changes. This situation not only affects users in conflict zones, but also millions of people in the European Union and Spain who use their iPhones daily for banking, digital identification, or electronic signatures.
Researchers have documented the use of DarkSword since at least late 2025. Although the initial discovery occurred on Ukrainian domains, campaigns against targets in Saudi Arabia, Türkiye and Malaysia were soon detected. In several of these cases, the exploit was embedded in legitimate websites, such as news portals or administrative sites, taking advantage of their good reputation to go unnoticed.
In Europe, the risk is more indirect but no less significant: any user who visits compromised pages hosted outside of Europe, or who connects through international networks, can end up downloading the malicious code. Furthermore, the fact that DarkSword is a reusable kit increases the likelihood that it will eventually become integrated into broader cybercrime campaigns, including those aimed at stealing online bank accounts and cryptocurrency wallets used by European citizens.
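For a team that has to act on those version numbers across a fleet, the following added example (not code from the article or from the researchers it cites) sorts an exported device inventory into the ranges the article reports; the thresholds are taken from the text, treating its bounds as inclusive is an assumption, and the inventory rows are constructed sample data.

```python
"""Added example: triage an iOS inventory against the DarkSword ranges the article reports.
Not code from the article or the researchers it cites. Thresholds come from the text
(18.4-18.6.2 exploited, 18.7.2 partial fix, iOS 26 complete fix); treating the bounds
as inclusive and the (device id, OS string) row format are assumptions."""
import re

_VERSION_RE = re.compile(r"(?:ios\s*)?(\d+)(?:\.(\d+))?(?:\.(\d+))?", re.IGNORECASE)

def parse_version(text: str) -> tuple:
    """'iOS 18.6.2' -> (18, 6, 2); '18.4' pads to (18, 4, 0) so tuples compare correctly."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"malformed iOS version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in match.groups())

EXPLOITED_LOW = parse_version("18.4")     # first version the article names as compromised
EXPLOITED_HIGH = parse_version("18.6.2")  # last version the article names as compromised
PARTIAL_FIX = parse_version("18.7.2")     # partial fix mentioned in the article
FULL_FIX = parse_version("26")            # "iOS 26 and later" closes the chain

def classify(version_text: str) -> str:
    """Bucket one device by the reported ranges."""
    v = parse_version(version_text)
    if v >= FULL_FIX:
        return "fixed"
    if v >= PARTIAL_FIX:
        return "partial-fix"
    if EXPLOITED_LOW <= v <= EXPLOITED_HIGH:
        return "exploited-range"
    # Pre-18.4, 18.6.3-18.7.1 or pre-18 builds: outside every reported range but
    # below every fix the article mentions, so an update is still due.
    return "not-in-reported-ranges"

def triage(inventory):
    """inventory: iterable of (device_id, os_version) -> {bucket: [device ids]}."""
    buckets = {b: [] for b in ("fixed", "partial-fix", "exploited-range", "not-in-reported-ranges")}
    for device_id, version in inventory:
        buckets[classify(version)].append(device_id)
    return buckets

def pending_update_share(inventory) -> float:
    """Fraction of the fleet not yet on iOS 26, the population the article tells to patch."""
    rows = list(inventory)
    return sum(classify(v) != "fixed" for _, v in rows) / len(rows) if rows else 0.0

SAMPLE_INVENTORY = [  # constructed sample in the shape of an MDM export; not real devices
    ("phone-001", "iOS 18.6.2"), ("phone-002", "18.7.2"), ("phone-003", "26.0.1"),
    ("phone-004", "18.3.1"), ("phone-005", "18.4"), ("phone-006", "17.7"),
]
```

Running `triage(SAMPLE_INVENTORY)` puts phone-001 and phone-005 in the exploited range and leaves five of the six sample devices still to update.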
Who is behind DarkSword and how is it related to Coruna?
A key piece to understanding the impact of DarkSword is its context. Earlier this month, the same Google and iVerify team made public another high-level attack kit known as Coruna, capable of compromising iPhones from iOS 13 to iOS 17.2.1 through 23 chained vulnerabilities. Both exploit packages appeared on the same server infrastructure, which points to a common source or, at least, to collaboration between several actors.
Part of this arsenal is believed to have originated in the government-grade exploit market. Previous investigations cite the case of a former member of the Trenchant division, belonging to the defense contractor L3Harris, who admitted to having sold a series of vulnerabilities to a Russian intermediary known as Operation Zero. From there, the exploit chains are thought to have passed from state hands to less scrupulous criminal groups.
In the case of DarkSword, Google claims to have observed its use by commercial surveillance providers and by alleged hackers linked to state intelligence agencies. One of the campaigns specifically involves PARS Defense, a Turkish commercial surveillance company, in attacks targeting locations in Turkey and Malaysia.
Links to Russia are also present. Part of the code was deployed on compromised Ukrainian sites, and the researchers speak of operators connected to Russian interests who allegedly reused the exploit to combine political espionage and financial gain. The most striking detail is that the DarkSword code appeared on some servers without obfuscation and with explanatory comments in English. This makes it easier for other malicious actors to copy it, adapt it, and launch new campaigns.
The almost simultaneous release of Coruna and DarkSword illustrates the extent to which the iOS intrusion tool market is changing. What were once "sniper weapons" reserved for targeted operations against specific objectives are now transforming into an arsenal for mass use, with a potential reach that extends far beyond diplomatic or military circles.
What information can DarkSword steal from an iPhone?
Technical reports agree that DarkSword has the capacity to extract a very wide range of sensitive data. Once the intrusion is complete, post-exploitation modules can access stored passwords, authentication tokens, and cloud service credentials. These include email accounts, social media, and access to financial services.
In the field of communications, the kit is prepared to collect messages and logs from iMessage, WhatsApp, and Telegram, as well as other messaging applications that rely on the same internal databases. This allows for the reconstruction of past conversations, obtaining phone numbers and metadata about who is being spoken to and how often.
DarkSword also targets the more personal aspects of the device: photos, videos, browsing history, notes, calendar, and Health app data. This is not just an abstract privacy issue; in many cases, this data allows for the profiling of daily routines, habits, approximate location, and even information about health status, something especially sensitive under strict European data protection regulations.
A priority objective is cryptocurrency wallets and other digital assets. The malware specifically targets credentials and keys associated with wallets, exchange platforms, and financial applications. Researchers have documented campaigns in which DarkSword operators used fraudulent cryptocurrency websites to facilitate the theft of funds, thus combining espionage and financial crime.
All of this is done in a relatively short time frame. The fileless design facilitates rapid attacks, in which the spyware gathers as much information as possible in the first few minutes after infection and then cleans up a good part of its tracks. This reduces the likelihood that the user will notice anything unusual about the phone's behavior.
Protective measures: updates, isolation mode, and best practices
In the face of an exploit of this magnitude, the main line of defense is, as simple as it sounds, to keep your iPhone updated. Apple has been correcting the underlying vulnerabilities in several rounds: first with specific security updates for iOS 18, then with patches like iOS 18.7.2, and finally by closing the gaps in the more recent iOS 26 series.
In practice, the recommendation for any user in Spain or the rest of Europe is to open Settings > General > Software Update and verify that the device is running the latest version available for its model. If the iPhone can be updated to iOS 26, it's best to do so as soon as possible. For devices still running iOS 18, it's essential to install all security patches released by Apple.
Another relevant layer of defense is Lockdown Mode. This mode, initially designed for high-risk users (journalists, activists, public officials), has proven effective in blocking or at least significantly hindering exploit chains like those used by DarkSword and Coruna. In fact, some of these kits choose to abort the intrusion if they detect that the device is in this mode, so as not to leave any trace that could facilitate the investigation.
Beyond updates and advanced features, there are a number of best practices that remain valid. Although in this particular campaign no click on a strange link is needed for infection to occur, it is advisable to limit exposure by visiting only trusted websites, avoiding unencrypted public Wi-Fi networks, and regularly reviewing system privacy and security settings.
For users handling large volumes of sensitive data or digital assets, it may make sense to rely on specialized monitoring tools such as those offered by companies in the mobile security sector. They are not a magic solution—especially with such stealthy attacks—but they can help detect anomalous behavior or vulnerable configurations.
The DarkSword case has also served as a reminder to many iPhone owners in Europe that out-of-the-box security is not foolproof. iOS remains one of the most robust mobile platforms, but state-level threats and high-budget exploit markets are reaching a level of sophistication that requires extreme caution and taking security updates very seriously.