An iOS exploit toolkit called DarkSword, previously linked to targeted surveillance operations, has been posted publicly on GitHub, widening the pool of attackers who can potentially compromise older iPhones.
Google’s Threat Intelligence Group (GTIG) identified DarkSword on 19 March as a full-chain iOS attack capable of compromising Apple devices by chaining multiple vulnerabilities. The tool has been in active use by multiple threat actors since at least November 2025, according to Google, and was found planted on dozens of websites in Ukraine from late February onwards.
DarkSword targets devices running iOS 18.4 through 18.7. A separate exploit, known as Coruna, affects devices on iOS 13.0 through 17.2.1. Security firms iVerify and Lookout estimated that between 220 million and 270 million iPhones were still running vulnerable iOS versions in March.
No click required
The core risk is the infection method. In some cases, devices can be compromised simply by visiting an already-infected website, with no need for the user to download anything or click a suspicious link. Once inside, the tool can steal data, record device activity, and maintain persistent access.
That has implications beyond individual users. Smartphones now store email access, authentication tokens, cloud data, messaging history, and corporate credentials. A compromised device can become a stepping stone into broader accounts and enterprise systems.
From intelligence tool to open-source risk
The public GitHub leak follows a well-documented pattern in cybersecurity: tools developed for intelligence or government use eventually escape into broader criminal circulation. Researchers warn the same dynamic is now accelerating in the mobile space.
Apple has released patches that block the known DarkSword attack chain, and devices running iOS 26 (released September 2025) are not considered vulnerable. However, adoption has been uneven. Many users declined to update after Apple’s operating system overhaul, leaving their handsets exposed.
The immediate advice from security researchers is straightforward: update. But the broader concern is that high-end mobile exploit capabilities are spreading faster than the industry’s ability to patch them out of circulation.
