Tim Cook-led Apple faces another serious malware threat, as researchers at cyber firm Lookout, mobile security firm iVerify and Google Threat Intelligence Group (GTIG) published coordinated analyses of a threat dubbed “DarkSword.” On March 3, Google and iVerify had revealed another powerful iPhone spyware called “Coruna.” It was later found that both pieces of malware were hosted on the same server.
The recent revelation also brings back eerie memories of Pegasus, a sophisticated spyware developed by Israel’s NSO Group, that was designed for covert, remote installation on iOS and Android devices. It earned infamy for allegedly spying on journalists, activists, and government officials.
A 2021 investigation by 17 media organisations, based on a leaked list of 50,000 potential targets, documented the misuse of the spyware, and Apple filed a lawsuit against NSO Group and its parent company to hold them accountable for the surveillance and targeting of Apple users.
Why bring up Pegasus here? Because DarkSword is another spyware with links to Russia, and Ukraine has served as its testing ground.
A-Z of the threat
While identifying and mapping the presence of the malware, Google researchers observed DarkSword emerging as a preferred tool for multiple commercial vendors and suspected state-linked hackers in their campaigns against targets in Saudi Arabia, Turkey, Malaysia and Ukraine.
In fact, the campaigns in Malaysia and Turkey were reportedly associated with Turkish commercial surveillance vendor PARS Defence. According to iVerify and Lookout, an estimated 220 million to 270 million iPhones still run exposed iOS versions, leaving them vulnerable to DarkSword attacks.
“In late November 2025, GTIG observed activity associated with the Turkish commercial surveillance vendor PARS Defence, where DarkSword was used in Turkey, with support for iOS 18.4-18.7. This campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim. Additionally, the obfuscated version of rce_loader.js used by PARS Defence fetched the correct RCE exploit depending on the detected iOS version,” the GTIG researchers said in their report.
About the Malaysia incident, the study observed, “Subsequently, in January 2026, GTIG observed additional activity in Malaysia associated with a different PARS Defence customer. In this case, we were able to collect a different loader used in the activity, which contains additional device fingerprinting logic, and also used the UID session storage check. This loader also uses the top.location.href redirect for targets that do not pass all of the checks like UNC6748 did, but also sets window.location.href to the same URL.”
iVerify and Lookout discovered the malware being delivered to iPhone users running iOS versions 18.4 to 18.6.2, which Apple released between March and August 2025. While researchers are still trying to determine the exact number of iPhones vulnerable to DarkSword attacks, Apple has already started taking action by releasing multiple fixes for the underlying bugs the attackers allegedly exploited.
To protect older iOS devices that can’t install current iOS releases, a critical security update went live on March 11. Users with devices running iOS 13 or iOS 14 need to update to iOS 15 to receive these critical protections.
DarkSword is unusual among malware because it does not require the target to download any malicious software or corrupted files. All the hackers need is the DarkSword HTML and JavaScript. Its components are an infostealer named GhostBlade, the GhostKnife backdoor, which can extract a large amount of data, and the GhostSaber JavaScript, which executes code and also steals victims’ data. GhostBlade attacks and takes over a compromised website; if a user with an old version of iOS visits the domain, their device immediately becomes vulnerable.
The hacker then has the freedom to steal confidential data such as passcodes, emails and private messages from the victim’s iPhone. According to Google’s cybersecurity researchers, the hacker group UNC6353, with suspected ties to the Russian government, previously deployed DarkSword on compromised Ukrainian government agency sites to target iPhone users within Ukraine. DarkSword wiped temporary files, stole data from the infected devices and made a quick exit, making the whole surveillance operation a short-term one designed to evade detection.
However, the powerful mobile spyware has now spread from elite espionage circles to wider commercial and criminal marketplaces. Given the alleged involvement of Russia-linked cybercriminals in the DarkSword saga, the United States CISA (Cybersecurity and Infrastructure Security Agency) has added three of the six vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalogue of actively exploited security flaws, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices by April 3.
The story doesn’t end here, as fresh reports suggest that a newer version of DarkSword has been leaked and published on the code-sharing site GitHub. This will make it even easier for hackers to use the DarkSword HTML and JavaScript infostealer against iPhone users who are running older versions of Apple’s operating system.
iVerify’s co-founder Matthias Frielingsdorf believes that the new versions of DarkSword spyware share the same infrastructure as the ones he and his colleagues analysed previously, although the files are slightly different. The files uploaded to GitHub are uncomplicated, just HTML and JavaScript, he said, adding that anyone can copy and paste them and host them on a server “in a couple minutes to hours.”
A security hobbyist who goes by the X (formerly Twitter) handle matteyeux claimed that he was able to hack an iPad mini tablet running iOS 18, the previous generation of the operating system that is vulnerable to DarkSword, using the “in the wild” DarkSword sample that is circulating online.
Apple races against time
Now, what should iPhone users do? Apple spokesperson Sarah O’Rourke, speaking to TechCrunch, advised Apple users to keep their software updated, which is the most important thing one can do to maintain the security of Apple products.
She further added that older iPhones running updated versions of iOS were not vulnerable to the DarkSword attacks.
Now, how do you update iOS? Open the iPhone’s Settings app, tap General, and choose “Software Update.” Apple has also set up a separate mechanism, called “Background Security Improvements,” for installing urgent security patches. It is located under Settings > Privacy & Security, where users need to scroll to the bottom to find Background Security Improvements.
If those measures are not enough, Apple recommends activating the iPhone’s Lockdown Mode. This mode is optional and intended for the “very few individuals” who, because of their high-profile identity, might be personally targeted by some of the most sophisticated digital threats.
Apple has also reportedly blocked malicious domains (identified by Google) in the Safari web browser to prevent DarkSword from having further exploitation opportunities.
According to the tech giant, users running iOS 15 through iOS 26 are protected from DarkSword spyware, while those still on iOS 13 or iOS 14 have no option but to update to iOS 15 to secure their devices. For these individuals, Apple will start sending alerts over the next few days, asking them to install a “Critical Security Update.”
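For administrators who manage a fleet of iPhones, the version ranges reported above translate into a simple inventory check. The Python script below is an added example and is not code from Apple, Google, iVerify or Lookout; it assumes a CSV export with `device_id` and `ios` columns (the sample rows are constructed) and uses only the boundaries stated in this article: iOS 18.4 through 18.7 as the range in which DarkSword delivery was observed, and iOS 15 as the floor for receiving Apple’s Critical Security Update. Devices inside the 18.4-18.7 window are flagged for review rather than declared compromised, because the article does not state which point release carries Apple’s fixes.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Boundaries taken from the article: delivery observed on iOS 18.4-18.6.2
# (iVerify/Lookout) and support up to 18.7 in the PARS Defence activity GTIG
# describes; iOS 13 and 14 must move to iOS 15 to get the Critical Security Update.
EXPOSED_LOW = (18, 4)
EXPOSED_HIGH = (18, 7)
MIN_SUPPORTED_MAJOR = 15


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.6.2' or '18.6' into a comparable (major, minor, patch) triple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Finding:
    device_id: str
    ios: str
    status: str  # "in-window", "update-to-15" or "ok"
    reason: str


def assess(device_id: str, ios: str) -> Finding:
    """Classify one device by the iOS version it reports."""
    major, minor, _patch = parse_version(ios)
    if major < MIN_SUPPORTED_MAJOR:
        return Finding(device_id, ios, "update-to-15",
                       "iOS 13/14 get no fix; iOS 15 is required for the Critical Security Update")
    if EXPOSED_LOW <= (major, minor) <= EXPOSED_HIGH:
        return Finding(device_id, ios, "in-window",
                       "within iOS 18.4-18.7, where DarkSword delivery was observed; "
                       "verify Apple's fixes are installed")
    return Finding(device_id, ios, "ok", "outside the reported exposure window")


def scan_inventory(csv_text: str) -> list[Finding]:
    """Run assess() over a CSV export that has device_id and ios columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [assess(row["device_id"], row["ios"]) for row in reader]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count devices per status so the affected population can be reported."""
    counts = {"in-window": 0, "update-to-15": 0, "ok": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = """\
device_id,model,ios
ipad-001,iPad mini,18.3
iphone-002,iPhone 12,18.6.2
iphone-003,iPhone 8,14.8.1
iphone-004,iPhone 15,26.1
iphone-005,iPhone 11,18.7
"""

if __name__ == "__main__":
    results = scan_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.device_id:12} iOS {f.ios:8} {f.status:13} {f.reason}")
    print(summarize(results))
```

Point the script at a real MDM export in place of `SAMPLE_INVENTORY`; the two-component comparison in `assess` deliberately treats every 18.7.x build as inside the window, so a device is only cleared once someone confirms it carries the fixes, not because a later patch number happens to sort above 18.7.0.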
Apple says that options like two-factor authentication for logins and ignoring unknown links or attachments should provide an additional layer of security for iPhone users.
Given that iVerify and Lookout jointly estimate that 220 million to 270 million iPhones still run exposed iOS versions, Apple has more than enough to keep it on its toes as it races against time to ensure that a rogue mobile spyware doesn’t cause mayhem across the world.
