Russian threat actors with both financial and espionage objectives have deployed DarkSword, a comprehensive toolkit that compromises iPhones through watering hole attacks. The kit targets recent but unpatched iOS 18 releases and could potentially affect hundreds of millions of devices, representing a significant escalation in mobile security threats.
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors. Researchers at Lookout Threat Labs discovered DarkSword while investigating the infrastructure used for the Coruna attacks, an earlier exploit kit disclosed on March 3. One of the sites redirecting to the malicious payload is a .gov.ua address, meaning the threat actor managed to compromise a Ukrainian government server.
The mechanics of the attack are particularly troubling. Since at least November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have used DarkSword in distinct campaigns. When an iPhone running a vulnerable iOS version, connecting from a Ukrainian IP address, navigated to one of the malicious sites, the exploit was triggered in what researchers describe as a watering hole attack. From that infrastructure the researchers recovered a complete 1-click exploit kit comprising a Safari exploit, a sandbox escape, a privilege escalation, and in-memory implants designed to exfiltrate sensitive data from compromised phones.
Once deployed, DarkSword operates with ruthless efficiency. It rapidly collects and exfiltrates identity and communications data, including SMS/iMessage, WhatsApp/Telegram, email, and saved credentials; corporate and personal data, including iCloud files, notes, photos, and cryptocurrency wallets; and device intelligence, including WiFi credentials, location history, and call logs. The kit takes a hit-and-run approach, collecting and exfiltrating the targeted data from the device within seconds, or at most minutes, and then cleaning up after itself. Because the implants run in memory and are followed by cleanup, little forensic evidence is left on the device afterward.
The scope of potential victims is staggering. iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout reported roughly 15 percent of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit. However, the geographic targeting suggests attackers did not attempt a truly global campaign; initial infections were concentrated in Ukraine.
What makes this discovery particularly concerning is not merely the exploit's power but what it reveals about the security ecosystem. The discoveries of DarkSword and previously Coruna prove that there is a second-hand market for such exploits that enables groups with more limited resources and motives other than highly targeted espionage to acquire top-of-the-line exploits and deploy them against mobile device users. This mirrors the 2017 theft of the NSA's EternalBlue Windows exploit, which subsequently fuelled the WannaCry ransomware attack.
Curiously, the attackers were careless with their tradecraft. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled "Dark sword file receiver", showing poor operational security for a seasoned Russian threat actor. One unusual finding is the clear presence of code generated by a large language model. These operational mistakes suggest either low-level criminal groups reusing leaked government tools, or experienced operators who simply did not view this particular exploit as valuable enough to protect.
The good news is that Apple has moved swiftly. Devices running the most recent versions of iOS, specifically iOS 18.7.3 or iOS 26.3 or later, are not susceptible to this threat or the vulnerabilities exploited by it. iPhone users should upgrade to iOS 26.3.1, released earlier this month, and enable Lockdown Mode if they are at high risk of being targeted by malware.
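Because the attack is delivered through ordinary web browsing, the quickest way for a defender to gauge exposure in their own population is to read the iOS version that Mobile Safari reports in its User-Agent and compare it against the boundaries given above (targeted: 18.4 through 18.7; fixed: 18.7.3 or later on the iOS 18 branch, 26.3 or later otherwise). The following script is an added example written for this page, not tooling from Lookout, iVerify, Apple or the DarkSword operators. It assumes combined-format access logs with the User-Agent as the last quoted field, and it buckets iOS 26.0 through 26.2 as "unpatched" on the assumption that, while the article does not list them as targeted, they predate the fix and should be updated; the log lines are constructed, using the 203.0.113.0/24 documentation range.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Version boundaries as reported in the article: DarkSword targets iOS 18.4
# through 18.7, and iOS 18.7.3 / iOS 26.3 or later are not affected.
TARGETED_MIN: Version = (18, 4, 0)
FIXED_18: Version = (18, 7, 3)
FIXED_26: Version = (26, 3, 0)

# Mobile Safari encodes the OS version in the User-Agent as "iPhone OS 18_6_2";
# the patch component is omitted for x.y.0 releases ("iPhone OS 18_7").
IOS_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(user_agent: str) -> Optional[Version]:
    """Return (major, minor, patch) from an iPhone User-Agent, or None for other clients."""
    m = IOS_UA_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Version) -> str:
    """
    targeted  - 18.4 up to (but not including) 18.7.3: the range the kit is known to exploit
    patched   - 18.7.3 or later on the iOS 18 branch, or 26.3 or later
    unpatched - everything else: older branches, and 26.0 .. 26.2 (assumption: not listed
                as targeted, but they predate the fix, so they still need an update)
    """
    major = version[0]
    if major >= 26:
        return "patched" if version >= FIXED_26 else "unpatched"
    if major == 18:
        if version >= FIXED_18:
            return "patched"
        if version >= TARGETED_MIN:
            return "targeted"
    return "unpatched"


def triage_log(log_text: str) -> Dict[str, List[str]]:
    """Bucket client IPs from combined-format access log lines by iOS exposure class."""
    buckets: Dict[str, List[str]] = {
        "targeted": [], "patched": [], "unpatched": [], "not_iphone": [],
    }
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        client_ip = line.split(" ", 1)[0]
        # Combined log format ends with "<referer>" "<user-agent>"; take the last quoted field.
        parts = line.rsplit('"', 2)
        user_agent = parts[1] if len(parts) == 3 else ""
        version = parse_ios_version(user_agent)
        bucket = "not_iphone" if version is None else classify(version)
        buckets[bucket].append(client_ip)
    return buckets


# Constructed sample log lines (not real traffic); IPs are from the documentation range.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1"
203.0.113.11 - - [02/Apr/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Mobile/15E148 Safari/604.1"
203.0.113.12 - - [02/Apr/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1"
203.0.113.13 - - [02/Apr/2026:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1"
203.0.113.14 - - [02/Apr/2026:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 26_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Mobile/15E148 Safari/604.1"
203.0.113.15 - - [02/Apr/2026:10:01:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36"
"""

if __name__ == "__main__":
    for bucket, ips in triage_log(SAMPLE_LOG).items():
        print(f"{bucket:>10}: {len(ips):2d}  {', '.join(ips)}")
```

The User-Agent is client-controlled, so this is an inventory aid rather than proof of anything: a device can lie about its version, and a patched device in the "targeted" bucket is far less costly than the reverse, which is why the script treats everything outside the two fixed ranges as needing attention rather than trusting the absence of a known-targeted string.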
The underlying question remains unanswered. According to joint research by iVerify, Lookout and Google, suspected Russian hackers have repurposed iOS exploits believed to have originally been developed on behalf of the U.S. government. Whether DarkSword represents a separate exploit developed independently, or another variant of government-designed code that has proliferated through illicit channels, remains unclear. What is certain is that the barrier to entry for sophisticated mobile attacks has never been lower. Users who fail to update their devices face real and immediate risk.