A critical vulnerability chain has been identified that puts hundreds of millions of iPhone users at risk of complete device compromise, according to research published this week by Google, Lookout, and iVerify. The exploit kit, codenamed DarkSword, requires only that an unsuspecting user visit a malicious website; no click, no tap, no user action beyond normal browsing.
Google's Threat Intelligence Group has identified a new iOS full-chain exploit leveraging multiple zero-day vulnerabilities, with multiple commercial surveillance vendors and suspected state-sponsored actors utilising DarkSword in distinct campaigns since at least November 2025. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
The mechanism is deceptively simple but highly effective. The hack starts as soon as an iOS device encounters a malicious iframe embedded in a web page, after which it works its way through the iPhone, gathering sensitive information like passwords before deleting itself. DarkSword can abscond with messages and iCloud content, but it is specifically designed to access cryptocurrency wallets, which could indicate who was using DarkSword before it became widely available.
What makes DarkSword particularly concerning is its stealth. A vulnerable iPhone user visits a malicious website and, in one click, executes the complete chain to fully compromise a device, gain kernel privileges, and exfiltrate sensitive data; it collects data quickly (within seconds to minutes) before removing itself from the target device. The malware leaves no trace; devices show no signs of compromise, and forensic detection becomes nearly impossible.
The exploit targets iOS 18 releases between iOS 18.4 and iOS 18.7, versions released during 2025. iVerify estimates that 14.2 per cent of users (approximately 221.5 million devices), those running iOS versions between 18.4 and 18.6.2, are vulnerable. On the assumption that all iOS 18 versions are susceptible to the majority of the vulnerabilities in this chain, approximately 18.99 per cent of users (296.2 million) may be affected.
The technical sophistication required to develop such an exploit is substantial. DarkSword is a full-chain iOS exploit that supports iOS versions 18.4 through 18.7 and chains six distinct vulnerabilities, four of which were leveraged as zero-days, to deploy final-stage payloads. CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days before Apple patched them.
What stands out in the DarkSword research is the set of operational security failures that led to its discovery. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labelled "Dark sword file receiver", which is poor operational security for a seasoned Russian threat actor. One of the more unusual findings is the clear presence of large language model-generated code: the server-side component includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output. This development effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors.
Apple has already issued fixes. The vulnerabilities used in DarkSword were reported to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3 (although most were patched prior). Users are advised to update to iOS versions 26.3.1 and 18.7.6, which are the latest platform iterations to include patches for all vulnerabilities in the DarkSword exploit kit.
For users unable to update to the latest versions, it is recommended that Lockdown Mode be enabled for enhanced security. This feature, available since iOS 16, restricts certain functionality that sophisticated attacks might exploit.
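The update and Lockdown Mode guidance above can be applied to a device inventory. The following Python is an added example, not code from Google, Lookout, iVerify or Apple; the function names, labels and sample inventory are constructed, and it assumes that any 18.7.x build below 18.7.6 counts as inside the 18.4 to 18.7 range the kit supports.

```python
import re

# Version numbers come from the article; names, labels and data are constructed.
CHAIN_MIN = (18, 4)                          # lowest major.minor DarkSword supports
CHAIN_MAX = (18, 7)                          # highest major.minor DarkSword supports
ADVISED = {18: (18, 7, 6), 26: (26, 3, 1)}   # advised release per iOS train


def parse_version(text):
    """Turn '18.6.2' into (18, 6, 2); pad short versions with zeros."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version_text, can_update=True):
    """Classify one device against the versions named in the article."""
    v = parse_version(version_text)
    advised = ADVISED.get(v[0])
    if advised is None:
        return "not-covered"            # article gives no guidance for this train
    if v >= advised:
        return "patched"
    if not can_update:
        return "enable-lockdown-mode"   # article's fallback when updating is impossible
    if CHAIN_MIN <= v[:2] <= CHAIN_MAX:
        return "update-urgent"          # assumption: 18.7.x below 18.7.6 is in range
    return "update"                     # below the advised release, outside that range


def summarise(inventory):
    """Count devices per label for a list of (name, version, can_update)."""
    counts = {}
    for _name, version, can_update in inventory:
        label = triage(version, can_update)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample inventory (device names are hypothetical).
SAMPLE = [
    ("phone-a", "18.6.2", True), ("phone-b", "18.7.6", True),
    ("phone-c", "26.2", True), ("phone-d", "18.5", False),
    ("phone-e", "26.3.1", True), ("phone-f", "17.7", True),
]
```

Calling `summarise(SAMPLE)` returns a count per label, which gives a quick view of how many devices still sit below the advised releases.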
Google strongly urges users to update their devices to the latest version of iOS. The research team from Google Threat Intelligence Group, along with security firms Lookout and iVerify, has published detailed technical analyses of the exploit chain. The discovery highlights a troubling trend: as exploit kits become more accessible, and as artificial intelligence lowers technical barriers, the time between vulnerability discovery and widespread exploitation continues to compress. For iPhone users, the message is clear: delay is a vulnerability.