Google and security companies have warned iPhone users of DarkSword spy attack
Google and other cybersecurity companies, including iVerify and Lookout, have identified a new iPhone hacking technique. This new spyware, known as DarkSword, can silently compromise a device when its user simply visits an infected website, cybersecurity researchers have warned. The attack targets iPhones running older versions of iOS 18 and can extract sensitive personal data within minutes, raising concerns about the exposure of millions of users who have not updated their devices.
Researchers say the technique has already been used in multiple espionage campaigns and cybercrime operations across regions such as Eastern Europe, the Middle East, and Southeast Asia. While Apple has released security updates to mitigate the threat, experts warn that a significant number of users remain vulnerable.
“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website. Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable,” Rocky Cole, iVerify’s cofounder and CEO, told Wired.
What is DarkSword spyware and how does it work
DarkSword is a web-based iPhone exploitation technique that allows attackers to gain access to a device without requiring users to download an app or click on suspicious links. Instead, it is embedded in otherwise legitimate websites, such as news portals or government pages, and activates when a vulnerable iPhone visits the site.
Unlike traditional spyware, DarkSword uses a “fileless” approach. It leverages legitimate iOS system processes to access and extract data, making it harder to detect. “Instead of using a spyware payload to brute force your way through the file system – which leaves tons of artifacts of exploitation that are pretty easy to detect – this just uses system processes the way they’re meant to be used. And it leaves far fewer traces,” Cole told Wired.
The attack follows a “smash-and-grab” model, as researchers describe it. It does not persist on the device after a reboot but rapidly collects data within minutes of infection before disappearing. This makes forensic detection more difficult while still allowing attackers to harvest valuable information.
What data can be stolen from iPhones and who is behind DarkSword
According to Lookout, DarkSword can access a wide range of sensitive data. This includes passwords, photos, browser history, and data from apps such as iMessage, WhatsApp, and Telegram. It can also extract information from Calendar, Notes, and even Apple’s Health app. Additionally, the tool has been used to steal cryptocurrency wallet credentials, suggesting a possible financial motive in addition to espionage.
The origins of DarkSword remain unclear, but researchers believe it was likely developed by a commercial exploit broker rather than the hacker groups that deployed it. Evidence suggests that multiple hackers, including a Russian state-linked group, have used the tool, and its code was found openly accessible on compromised websites, complete with documentation.
“That carelessness practically invites other hackers to pick up the tool and target other iPhone users. Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It’s as simple as that. It’s all nicely documented, also. It’s really too easy,” iVerify researcher Matthias Frielingsdorf told Wired.
Why DarkSword attack is raising concern
Security researchers note that DarkSword reflects a shift in how iPhone hacking tools are being used. Techniques that were once limited to targeted surveillance are now appearing in broader campaigns, potentially affecting a larger group of users.
“People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn’t a concern for a normal citizen. Now that we see iOS exploits being delivered through an unscrupulous broker, there’s a whole market here for this to get to cybercriminals,” Justin Albrecht of Lookout said.
The exposure of DarkSword’s code online also lowers the barrier for other attackers to reuse it, increasing the likelihood of further attacks.
How iPhone users can stay protected
Apple has released security updates addressing vulnerabilities exploited by DarkSword and related tools. The company has also recommended enabling Lockdown Mode, a stricter security setting designed to reduce exposure to targeted attacks.
In a statement to Wired, an Apple spokesperson said, “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices.”
It is recommended that iPhone users update their devices to the latest version of iOS, avoid accessing untrusted websites, and consider installing mobile security tools to detect potential compromises.
As researchers continue to monitor the spread of DarkSword, the case illustrates the changing threat landscape for ordinary mobile phone users, driven by the evolution of exploit markets and the availability of attack tools.