A new and urgent threat hangs over hundreds of millions of iPhone users after an unidentified party published the DarkSword iOS exploit chain on GitHub. Cybersecurity researchers warn the leak will allow virtually anyone, with no iOS expertise required, to weaponise a six-vulnerability chain that was previously the domain of nation-states and well-funded commercial spyware vendors.
What Is DarkSword?
DarkSword is an iOS exploit chain first identified by Google's Threat Intelligence Group (GTIG). It combines six distinct vulnerabilities across iOS and Safari in a chained attack that can compromise an iPhone via a single drive-by website visit — no user interaction beyond visiting a malicious or compromised legitimate website is required.
The exploit operates against iPhones running iOS 18.4 through 18.7, a range that encompasses a significant portion of actively used iPhone and iPad devices. Once a vulnerable device loads an attacker-controlled webpage, the chain executes automatically, deploying malware onto the device without any visible indication to the victim.
DarkSword has been used by multiple threat actors since late 2025, including:
- UNC6353 — assessed by Google as a suspected Russian state-sponsored group, which also leveraged the Coruna exploit kit
- Customers of PARS Defense — a Turkish commercial surveillance vendor
Campaigns have targeted individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. In the Saudi Arabian campaign, attackers deployed a fake Snapchat lookalike to lure victims.
The GitHub Leak
Following researcher disclosure of DarkSword campaigns, an unidentified party published a newer version of the exploit chain on GitHub. What makes this particularly alarming is the simplicity of the uploaded code — the exploit is written in plain HTML and JavaScript, with no compiled binaries or complex toolchains required.
According to researchers, someone could copy the files and host them on a server "in a couple of minutes to hours," with the exploits working out of the box. "There is no iOS expertise required," said one researcher. This is categorically different from the barriers that previously kept iPhone exploitation in the hands of well-resourced actors.
Allan Liska, field CISO at Recorded Future, described the leak's implications directly: "Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states. If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."
The Ghostblade Payload
The malware deployed by DarkSword in known campaigns is a JavaScript-based data-stealer called Ghostblade. Once installed, Ghostblade exfiltrates a comprehensive profile of the victim's device and digital life:
| Data Category | Specific Items |
|---|---|
| Identity | Unique device identifiers, SIM information, contacts |
| Communications | SMS and iMessage history, call history, Telegram and WhatsApp message history |
| Location & Activity | GPS location data, calendar entries, notes, Safari browsing history, Safari cookies |
| Credentials | Wi-Fi configuration, including saved network passwords; saved passwords from the iOS keychain |
| Files & Media | Photos, iCloud Drive files |
| Cryptocurrency | Targets apps for Coinbase, Binance, Kraken, Kucoin, OKX, Mexc; wallets including Ledger, Trezor, Metamask, Exodus, Uniswap, Phantom, Gnosis Safe |
| Health | Apple Health data |
| Applications | Full list of installed applications |
The breadth of Ghostblade's collection capabilities makes it a complete device compromise tool — not merely a surveillance instrument.
Scale of Exposure
Apple's own telemetry on device software distribution indicates that a substantial portion of actively used iPhones and iPads run iOS versions that would have been vulnerable before Apple's emergency patches. Researchers estimate the exposure potentially extends to hundreds of millions of devices globally, the majority of which are owned by ordinary users, not high-value targets previously in the crosshairs of commercial spyware vendors.
With the exploit now publicly available and trivial to deploy, the threat is no longer limited to journalists, activists, or government targets. Any user running an unpatched iOS version and visiting a compromised or malicious website is at risk.
What Users Should Do
Apple has issued security updates addressing all six DarkSword vulnerabilities:
- iOS 26.3 or later — patches all DarkSword vulnerabilities for supported devices
- iOS 18.7.3 — emergency patch for older devices that cannot run iOS 26
Apple spokesperson Sarah O'Rourke confirmed the company was aware of the exploit and urged users: "Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products." Devices running the patched versions are not at risk from this chain.
For users who believe they may be high-value targets — journalists, activists, legal advocates, executives handling sensitive information — enabling Lockdown Mode is strongly advised. Researchers confirmed Lockdown Mode would block the DarkSword attacks even on unpatched devices.
Immediate action items:
- Update to iOS 26.3 or later (or iOS 18.7.3 on devices that cannot run iOS 26) immediately
- Enable automatic updates to avoid future exposure windows
- Enable Lockdown Mode if you are a likely surveillance target
- Avoid visiting unfamiliar or suspicious links, particularly in unsolicited messages
- Use iVerify or similar mobile threat detection apps to scan for indicators of compromise if you believe you may have been targeted
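For anyone responsible for a fleet rather than a single phone, the first practical question is how many devices sit in the exploited range. The following Python script is an added example, not code from the article or from any of the researchers it cites. It takes iOS version strings from an MDM export, or Safari User-Agent strings from a web-proxy access log, and labels each device against the boundaries the article gives: 18.4 up to but not including 18.7.3 as the known-exploited range, and 18.7.3 and 26.3 as the fix releases. The Apache/NGINX "combined" log format, the sample lines, and the verdict labels are assumptions for illustration; the User-Agent layout (`CPU iPhone OS 18_5 like Mac OS X`) is the form Safari on iOS actually sends.

```python
"""Triage iOS clients against the DarkSword-affected version range.

Added example: labels iOS versions (from inventory strings or Safari
User-Agent headers) as patched, in the exploited range, or otherwise
out of date, using the version boundaries stated in the article.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Boundaries from the article. A version without a patch component
# ("18.7") is treated as x.y.0, so that 18.7 compares below 18.7.3.
EXPLOITED_MIN: Version = (18, 4, 0)   # first version the chain is known to hit
FIX_18: Version = (18, 7, 3)          # emergency patch for devices stuck on iOS 18
FIX_26: Version = (26, 3, 0)          # fix release for devices on iOS 26

# Safari on iOS/iPadOS encodes the OS version with underscores, e.g.
# "CPU iPhone OS 18_5 like Mac OS X" (iPhone) or "CPU OS 18_5 like Mac OS X" (iPad).
_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")
_DOTTED_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Version]:
    """Parse an MDM/inventory-style string such as '18.7.2' or '18.7'."""
    m = _DOTTED_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_user_agent(ua: str) -> Optional[Version]:
    """Extract the iOS version from a Safari/WebKit User-Agent, or None if absent."""
    m = _UA_RE.search(ua)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(v: Version) -> str:
    """Label a version relative to the DarkSword range and Apple's fix releases.

    Verdict labels are this example's own; adapt them to your ticketing scheme.
    """
    if EXPLOITED_MIN <= v < FIX_18:
        return "exploited-range"      # 18.4 .. 18.7.2: the published chain targets these
    if v[0] == 18 and v >= FIX_18:
        return "patched"              # 18.7.3 and later 18.x
    if v >= FIX_26:
        return "patched"              # 26.3 and later
    if v[0] == 26:
        return "predates-fix"         # 26.0 .. 26.2: not the named range, but below the fix release
    if v < EXPLOITED_MIN:
        return "older-than-range"     # below 18.4: outside the range named, still out of date
    return "unrecognised"             # there are no iOS 19..25 releases; treat as bad data


def triage_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, version, verdict) for each line sent by an iOS browser.

    Assumes 'combined' log format with the User-Agent as the last quoted field.
    Lines from non-iOS clients are skipped.
    """
    results = []
    for line in lines:
        ua = line.rsplit('"', 2)[-2] if line.count('"') >= 2 else ""
        v = version_from_user_agent(ua)
        if v is None:
            continue
        ip = line.split(" ", 1)[0]
        results.append((ip, ".".join(map(str, v)), classify(v)))
    return results


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count verdicts, e.g. to size the exposed population behind a proxy."""
    return dict(Counter(verdict for _, _, verdict in triage_access_log(lines)))


# Constructed sample log lines (documentation IP range); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2026:10:14:02 +0000] "GET /promo HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [01/Jan/2026:10:14:09 +0000] "GET /promo HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_3 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1"',
    '203.0.113.12 - - [01/Jan/2026:10:14:15 +0000] "GET /promo HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 26_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"',
    '203.0.113.13 - - [01/Jan/2026:10:14:21 +0000] "GET /promo HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/120.0 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, ver, verdict in triage_access_log(SAMPLE_LOG):
        print(f"{ip:<16} iOS {ver:<8} {verdict}")
    print(summarise(SAMPLE_LOG))
```

Two caveats worth keeping in mind when running this against real data: a User-Agent is client-supplied and some browsers and in-app webviews omit or rewrite it, so a proxy-log count is a lower bound, not an inventory; and an MDM export that reports "18.7" without a patch number is treated here as unpatched, which is the safe default until the device checks in with a full version.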