The revelations stem from a collaborative investigation by Google’s threat intelligence team and cybersecurity firms Lookout and iVerify. Their reports highlight a coordinated strategy employing advanced exploit techniques, with some tied to state-sponsored actors.
What is DarkSword spyware?
Researchers characterize DarkSword as an exploit chain—not merely a single vulnerability, but a series of security flaws that work in conjunction. It leverages multiple software weaknesses to infiltrate a device and delve deeper into its system controls. According to Google, the tool employs six vulnerabilities simultaneously to fully compromise certain iPhones.
How the DarkSword attack functions
The initial entry point frequently involves Safari. McCoy informed TIME that a user might only need to click a link—a process termed a drive-by download—for the attack to commence. iVerify identified two compromised domains, including a .gov.ua domain: novosti.dn[.]ua and 7aac.gov[.]ua.
Once inside, access expands swiftly. Data can be extracted within seconds, after which the tool erases any signs of its presence and exits.
What data DarkSword spyware can access on iPhones
The potential reach is vast, as it is designed for surveillance. iVerify reports that it can extract:
- Wi-Fi credentials
- Messages
- Call logs
- Location history
- Browser data
- SIM and cellular details
- Health and Notes data
Cryptocurrency wallets may also be targeted.
Countries where DarkSword iPhone attacks have been detected
Researchers have noted activity in Ukraine, China, Saudi Arabia, Turkey, and Malaysia.
In one instance, a domain linked to the Ukrainian government appeared to be compromised. Another attack utilized a website that mimicked Snapchat to target users. No verified cases involving US users were documented in the findings.
Who may be behind the DarkSword attacks
This tool has reportedly been operational since at least November 2025. Google has associated its usage with commercial surveillance vendors and suspected state-affiliated groups.
Which iPhones are vulnerable to DarkSword attacks
iPhones running iOS versions 18.4 to 18.7 are considered vulnerable. iVerify estimates that this could impact approximately 270 million devices worldwide.
“This poses a significant threat,” stated Damon McCoy from New York University in his comments to TIME, especially for users on older iOS versions.
Updates and patches released to fix DarkSword vulnerabilities
Google has confirmed that the vulnerabilities associated with DarkSword have been resolved, with fixes deployed up to iOS 26.3. Older systems, including iOS 15 and 16, also received updates.
How to protect your iPhone from DarkSword spyware
The initial step is straightforward—ensure your device is updated. Apple has stated that keeping software current remains the most effective safeguard against such cyber threats.
For those unable to update, the company suggests enabling Lockdown Mode—a feature designed for users at high risk of advanced threats.
Additional safety measures and Google Safe Browsing update
Google has incorporated malicious domains linked to DarkSword into its Safe Browsing system.
Users should avoid unknown links and maintain their security settings. Whether you are at risk from these attacks largely depends on your software version. Devices with the latest updates are safeguarded; older ones may not be.
