What we know so far: In recent weeks, security researchers have tracked a sweeping cyber campaign that quietly compromised dozens of Ukrainian websites to distribute a powerful iPhone exploit. The malware – named Darksword – is capable of stealing information from Apple devices on a scale that researchers say could put hundreds of millions of users worldwide at risk.

The discovery, announced Wednesday in coordinated reports from Lookout, iVerify, and Google's Threat Analysis Group, highlights a growing trade in high-end spyware once found mostly in state-backed espionage. Darksword marks the second iOS-targeting exploit uncovered this month, following the earlier disclosure of a separate tool known as Coruna. Both were traced to the same online infrastructure.
Justin Albrecht, a principal researcher at Lookout, told Reuters that there is now a verified pipeline of recent exploits that have fallen into the hands of potentially criminal entities with a financial focus. According to the companies' analyses, this handoff from covert government operations to commercial and criminal actors has accelerated.
Google said its researchers observed several hacking groups – some linked to private surveillance vendors and others suspected of acting on behalf of state interests – deploying Darksword in different parts of the world, including Saudi Arabia, Turkey, Malaysia, and Ukraine. The attacks in Turkey and Malaysia were associated with a Turkish firm called PARS Defense, which did not respond to requests for comment.
Lookout and iVerify found that the infected Ukrainian sites were used to deliver Darksword to iPhones running iOS 18.4 through 18.6.2, which were released between March and August 2025. While Apple has since patched the vulnerabilities Darksword relied on, the researchers estimated that as many as 220 to 270 million iPhones globally still run older software and remain potentially vulnerable – a problem compounded by uneven adoption of security updates.
What makes this discovery especially notable, researchers said, is the combination of technical skill and operational recklessness behind the attacks. Darksword was widely deployed, with poor security hygiene and reused infrastructure – traits that researchers say are uncommon in state-linked iPhone hacking. Rocky Cole, co-founder and COO of iVerify, said the discovery of two powerful iOS exploits in one month points to a robust ecosystem of tools once limited to state intelligence agencies.
Both Lookout and iVerify confirmed that the same servers hosting Darksword were linked to operators behind the earlier Coruna spyware, which some investigators suspect has Russian involvement. Although researchers do not yet know the full number of devices affected, the two discoveries within the same month point to a maturing market for iOS exploits – where sophisticated malware once used for espionage is now traded and deployed at scale by a widening set of players.
New iPhone spyware Darksword spread through hacked websites, putting millions at risk
