CUPERTINO, California, March 19, 2026, 02:10 PDT.
Alphabet’s Google Threat Intelligence Group, along with mobile security outfits iVerify and Lookout, has flagged a fresh iPhone exploit chain they’re calling DarkSword. This one is capable of taking over devices running some iOS 18 builds simply by getting users onto a compromised site. They say the toolkit has been in play since at least November, surfacing in campaigns linked to Saudi Arabia, Turkey, Malaysia, and Ukraine. 1
This marks the second iPhone spyware kit revealed this month, pointing to a growing market for Apple exploits outside the usual state-linked operators. Apple, for its part, said the flaws affected only “out-of-date software” and are addressed in newer releases. Reuters cited Lookout’s Justin Albrecht, who described “a verified pipeline of recent exploits,” and iVerify’s Rocky Cole, who noted that attackers didn’t seem “overly precious” about burning through these tools. 2
Google described DarkSword as a six-part exploit chain, not a lone vulnerability. The attack kicked off with malicious code running in Safari’s web engine, then managed to escape the browser’s sandbox, heading deeper into iOS with higher privileges. One infection route even nudged victims over from Chrome to Safari—pointing to an exploit kit designed specifically for Apple’s browser stack, not for mobile browsers in general. 1
iVerify traced a delivery route leading straight to two Ukrainian websites laced with a concealed iframe—essentially a miniature web page tucked inside the site—in what researchers describe as a waterhole attack. According to the firm, neither this campaign nor the earlier incident identified this month showed signs of targeting specific individuals. 3
After a device was compromised, Google reported that the GHOSTBLADE payload was able to extract iMessage content, WhatsApp and Telegram messages, contact lists, iCloud Drive files, notes, health records, Safari browsing history, and even crypto wallet data. iVerify put the number of potentially vulnerable devices at about 270 million, assuming most iOS 18 users haven’t updated to a secure version. 1
Still, the actual impact might end up less than the headline figures suggest. iVerify noted that it’s tough to gauge the full blast radius right now, but pointed out that Lockdown Mode and the recent Memory Integrity Enforcement on iPhone 17 devices would dampen the effect, even if attackers managed to hit those models. 3
Apple currently shows iOS 26.3.1 as the latest build for newer iPhones, while iPhone XS, XS Max, and XR users should see iOS 18.7.6, according to its support pages. Security firm iVerify is telling users to update to either 26.3.1 or 18.7.6, stating these releases address every vulnerability exploited in the latest attack chains. 4
On March 17, Apple rolled out its inaugural “Background Security Improvement”—a slimmer patch channel that sits between the broader operating-system updates. The move addressed a WebKit flaw in Safari’s underlying engine, which had left the door open for malicious web content to sidestep the Same Origin Policy. That policy normally keeps one website from accessing another’s data. 5
The bigger issue might not be just a specific flaw, but rather who’s able to use these tools now. IDC Research Director Mike Jude, in a Lookout statement, put it bluntly: “mobile risk has become business risk.” Google, for its part, said DarkSword had turned up in the hands of both commercial surveillance firms and what it believes are state-backed operators—not just a single group of hackers. 6