Apple iPhone Spyware Alert: New DarkSword Hack Could Still Reach Millions of Unpatched Devices

Apple iPhone Spyware Alert: New DarkSword Hack Could Still Reach Millions of Unpatched Devices

March 19, 2026

CUPERTINO, California, March 19, 2026, 02:10 PDT.

Alphabet’s Google Threat Intelligence Group, along with mobile security outfits iVerify and Lookout, have flagged a fresh iPhone exploit chain they’re calling DarkSword. This one is capable of taking over devices running some iOS 18 builds simply by getting users onto a compromised site. They say the toolkit’s been in play since at least November, surfacing in campaigns linked to Saudi Arabia, Turkey, Malaysia, and Ukraine.

This marks the second iPhone spyware kit revealed this month, pointing to a growing market for Apple exploits outside the usual state-linked operators. Apple, for its part, said the flaws affected only “out-of-date software” and are addressed in newer releases. Reuters cited Lookout’s Justin Albrecht, who described “a verified pipeline of recent exploits,” and iVerify’s Rocky Cole, who noted that attackers didn’t seem “overly precious” about burning through these tools. Reuters

Google described DarkSword as a six-part exploit chain, not a lone vulnerability. The attack kicked off with malicious code running in Safari’s web engine, then managed to escape the browser’s sandbox, heading deeper into iOS with higher privileges. One infection route even nudged victims over from Chrome to Safari—pointing to an exploit kit designed specifically for Apple’s browser stack, not for mobile browsers in general.

iVerify traced a delivery route leading straight to two Ukrainian websites laced with a concealed iframe—essentially a miniature web page tucked inside the site—in what researchers describe as a waterhole attack. According to the firm, neither this campaign nor the earlier incident identified this month showed signs of targeting specific individuals.

After a device was compromised, Google reported that the GHOSTBLADE payload was able to extract iMessage content, WhatsApp and Telegram messages, contact lists, iCloud Drive files, notes, health records, Safari browsing history, and even crypto wallet data. iVerify put the number of potentially vulnerable devices at about 270 million, assuming most iOS 18 users haven’t updated to a secure version.

Still, the actual impact might end up less than the headline figures suggest. iVerify noted that it’s tough to gauge the full blast radius right now, but pointed out that Lockdown Mode and the recent Memory Integrity Enforcement on iPhone 17 devices would dampen the effect, even if attackers managed to hit those models.

Apple currently shows iOS 26.3.1 as the latest build for newer iPhones, while iPhone XS, XS Max, and XR users should see iOS 18.7.6, according to its support pages. Security firm iVerify is telling users to update to either 26.3.1 or 18.7.6, stating these releases address every vulnerability exploited in the latest attack chains.

On March 17, Apple rolled out its inaugural “Background Security Improvement”—a slimmer patch channel that sits between the broader operating-system updates. The move addressed a WebKit flaw in Safari’s underlying engine, which had left the door open for malicious web content to sidestep the Same Origin Policy. That policy normally keeps one website from accessing another’s data. Apple Support

The bigger issue might not be just a specific flaw, but rather who’s able to use these tools now. IDC Research Director Mike Jude, in a Lookout statement, put it bluntly: “mobile risk has become business risk.” Google, for its part, said DarkSword had turned up in the hands of both commercial surveillance firms and what it believes are state-backed operators—not just a single group of hackers. Business Wire

Mateusz Brzeziński

Mateusz Brzeziński is a financial and technology journalist at Bez-kabli.pl, covering stocks, artificial intelligence, semiconductors and global market developments. He graduated from the Prague University of Economics and Business in the Czech Republic and previously worked in financial analysis before moving into business journalism. His reporting focuses on the companies, technologies and market trends shaping the global economy.

Stock Market Today

  • ASX 200 Set to Slip as Oil Jumps on US-Iran Ceasefire News
    July 8, 2026, 6:59 PM EDT. The ASX 200 is seen falling after former President Donald Trump said the US-Iran ceasefire is off. Oil prices jumped on the news. Investors are watching how renewed geopolitical tensions could weigh on the index and drive moves in energy names.