DarkSword iPhone Exploit Chain Drives Mass Hacking Risk and Emergency Apple Patches
Security researchers and media reports say the DarkSword iOS exploitation tool has moved from a targeted threat to a broader operational risk, with evidence that attackers can compromise hundreds of millions of iPhones and that exploit code has leaked publicly. Reporting from WIRED, Lookout, iVerify, and AppleInsider describes DarkSword as a powerful zero-click attack capability seen in the wild, raising concern that well-resourced espionage-style techniques are becoming more accessible to additional threat actors.
Apple responded by issuing and then expanding protections, including rare backported patches for older supported devices to shield users who had not yet moved to newer iOS releases. iVerify said its investigations uncovered signs of zero-click mobile exploitation in the United States and warned that mass iOS attacks now represent a serious enterprise risk, while public reporting stressed that organizations and consumers should update affected iPhones immediately as leaked exploit code increases the likelihood of wider abuse.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Exploit code for the severe iOS hack is reported to have leaked publicly
AppleInsider reported that code for the severe iOS hacking technique had leaked broadly, increasing the risk that more attackers could weaponize it. The report framed the situation as leaving users little time to update affected devices.
iVerify warns DarkSword-style mass iOS attacks are a widespread business risk
iVerify published analysis saying the new DarkSword exploit confirms that mass exploitation of iPhones has become a serious enterprise risk, emphasizing broader operational and business impact. This marked a technical and strategic escalation in public understanding of the threat.
iVerify reports zero-click mobile exploitation evidence in the US
iVerify disclosed evidence of zero-click mobile exploitation affecting users in the United States, indicating that advanced mobile attacks were not limited to isolated overseas targeting. The findings added broader victimology and geographic scope to the DarkSword-era threat picture.
Apple announces rare backported patches for older iOS 18 devices
Apple said it would ship unusual backported fixes so users on older iOS 18-supported devices would also receive protection from the DarkSword hacking tool. This expanded mitigation beyond the newest OS branch.
Apple releases security updates to address the DarkSword exploit
Following reports of DarkSword exploitation, Apple issued iOS security updates to fix the underlying vulnerabilities affecting supported devices. The updates were presented as urgent because the exploit chain could be used against large numbers of iPhones.
Lookout identifies DarkSword iOS exploitation in the wild
Lookout reported that attackers were using the DarkSword hacking tool against iPhone users, establishing that the exploit chain was active in real-world attacks. Wired and other later coverage describe the same in-the-wild discovery rather than a separate event.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Update now: Severe iOS hack code leaks to everyone
appleinsider.com
Open sourceiVerify Uncovers Evidence of Zero-Click Mobile Exploitation in the U.S.
iverify.io
Open sourceNew DarkSword Exploit Confirms Mass iOS Attacks Are Now a Serious, Wide-Spread Business Risk
iverify.io
Open sourceApple Offers Rare Olive Branch to Liquid Glass Haters
gizmodo.com
Open sourceApple Will Push Out Rare ‘Backported’ Patches to Protect iOS 18 Users From DarkSword Hacking Tool | WIRED
wired.com
Open sourceAttackers Wielding DarkSword Threaten iOS Users | Threat Intel
lookout.com
Open sourceHundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild | WIRED
wired.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DarkSword iOS Exploit Chain Used in Watering-Hole Attacks Against Ukrainians
Researchers from **Google**, **iVerify**, and **Lookout** disclosed **DarkSword**, a sophisticated iPhone exploit chain used in compromised websites to silently infect visitors, with observed targeting focused on **Ukraine** and additional activity tied to **Saudi Arabia, Turkey, and Malaysia**. The campaign is linked to suspected Russian operators, including activity tracked as **UNC6353**, and appears to support both **espionage** and **financial theft**, including the theft of saved passwords, text messages, and cryptocurrency wallet data. Reporting also indicates DarkSword is the second major iOS exploit kit recently found in the wild after **Coruna**, reinforcing concerns that advanced mobile exploitation is becoming more broadly operationalized rather than reserved for narrowly targeted, bespoke use. Technical analysis shows DarkSword used multiple chained vulnerabilities to achieve full device compromise on older iOS versions, including JavaScriptCore bugs **`CVE-2025-31277`** and **`CVE-2025-43529`** for remote code execution, **`CVE-2026-20700`** as a `dyld` PAC bypass, and sandbox escapes that pivoted from **WebContent** to the **GPU process** and then to `mediaplaybackd`. The exploit chain relied on first compromising **WebKit** and then abusing **WebGPU/ANGLE**-related paths to escape Safari’s sandbox, and Apple patched the flaws across later iOS releases including **18.6**, **18.7.3**, **26.2**, and **26.3**. Researchers warned that a substantial installed base of devices running **iOS 18 or earlier** remained exposed at the time of disclosure, making DarkSword notable both for its technical sophistication and for the scale of potentially vulnerable iPhones.
Apr 4, 2026
TA446 Uses DarkSword iOS Exploit Kit to Target iPhone Users
Proofpoint and other researchers said the Russia-linked threat group **TA446**—also tracked as **Callisto**, **COLDRIVER**, **SEABORGIUM**, and **Star Blizzard**—used the leaked **DarkSword** iOS exploit kit in a targeted spear-phishing campaign aimed at compromising iPhone users. On March 26, the actor sent spoofed Atlantic Council "discussion invitation" emails from compromised accounts, redirecting selected recipients to DarkSword infrastructure that delivered the **GHOSTBLADE** dataminer, while non-iPhone users were reportedly shown a benign PDF decoy. Researchers said this is the first observed case of TA446 targeting Apple devices and **iCloud**-related access. The campaign was linked to TA446 through infrastructure overlaps, including VirusTotal samples referencing a TA446 second-stage domain and URLScan evidence showing a TA446-controlled domain serving DarkSword components. The operation also appeared broader than the group’s typical espionage activity, with targeting spanning government, think tanks, higher education, financial, and legal organizations. Apple separately warned users running older **iOS** and **iPadOS** versions to update because of active web-based attacks, while researchers cautioned that the leaked GitHub version of DarkSword could reduce the barrier to entry for advanced iPhone exploitation and help turn a nation-state capability into more widely available malware.
Apr 1, 2026
Surge in Zero-Click and Zero-Day Exploits Targeting Mobile Devices
A significant escalation in zero-click and zero-day exploitation techniques was observed throughout 2025, with attackers increasingly targeting mobile platforms such as iOS. Zero-click exploits, which require no user interaction, have become a preferred method for advanced persistent threats, nation-state actors, and commercial surveillance vendors. At least 14 major zero-click vulnerabilities were identified, affecting billions of devices and highlighting the growing attack surface beyond traditional user-driven threats. The average time from vulnerability disclosure to exploitation has dropped dramatically, putting pressure on organizations to accelerate patching cycles and improve detection capabilities. Recent reports confirm that multiple zero-day vulnerabilities in iOS were actively exploited in targeted spyware campaigns before patches became available. Attackers leveraged flaws in core mobile components, such as browser engines, to execute malicious code and compromise devices with minimal or no user involvement. These incidents underscore the persistent risks posed by mobile spyware and the critical need for rapid patching, enhanced mobile OS visibility, and continuous monitoring for anomalous device behavior as mobile endpoints remain high-value targets for cyber adversaries.
Mar 21, 2026