DarkSword: Second Powerful iPhone Spyware Spotted in the Wild

State-sponsored zero-day exploits are leaking onto the black market and being used for widespread data theft, warn security researchers. iOS 18 is affected.


DarkSword follows Coruna: security research teams have analyzed another sophisticated exploit kit that various attacker groups have apparently used extensively to steal data from iPhones. Simply visiting a manipulated website was enough to completely compromise an Apple device through a combination of several zero-day vulnerabilities, the Google Threat Intelligence Group emphasizes.

Such complex and expensive malware is usually only used by state actors against specific individuals. However, DarkSword and Coruna show that “there is a second-hand market for such exploits” and that they can therefore fall into the hands of groups with fewer resources and financial motives, explains the security company Lookout.

DarkSword can transfer a wide range of data from the compromised iPhone to its own servers within seconds or a few minutes. Reportedly, this includes iMessage, SMS, WhatsApp, and Telegram chats, as well as emails, health data, documents, passwords, Wi-Fi data, browser history, plus calendar, address, and contact databases. According to the analysis, the malware also targets common crypto wallets and then attempts to cover its tracks. The goal here is not targeted, long-term monitoring of a compromised iPhone, but rather a broadly distributed, financially motivated “hit and run,” according to the security company.


According to Google security researchers, various attackers – including the Russian group UNC6353 – have used the exploit kit at least until the end of 2025. The malware is said to have targeted users in Ukraine, Turkey, Saudi Arabia, and Malaysia, among others. DarkSword is designed for iOS versions 18.4 to 18.7, which may still be running on “hundreds of millions of devices,” the security researchers note. Apple has only just patched all exploited vulnerabilities with iOS 26.3.

Apple users should urgently update their devices to the latest operating system version, which is currently iOS, iPadOS, and macOS 26.3.1. On Wednesday night, Apple also delivered another security patch, possibly independent of this – 26.3.1 (a) is the very latest version. The vulnerabilities are also reportedly fixed in iOS 18.7.3.

On devices that can no longer be updated, security researchers recommend activating Lockdown Mode. This restricts several functions and can be found at the very bottom of “Settings > Privacy & Security.” Whether Apple will deliver patches for older iOS versions again remains to be seen.


(lbe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.