Overview
- Google, Lookout and iVerify detailed DarkSword on March 18, tying it to watering‑hole attacks since November 2025 against users in Ukraine, Saudi Arabia, Turkey and Malaysia.
- The chain targets iOS 18.4 through 18.7 with six Safari/WebKit, dyld and kernel flaws to quickly exfiltrate passwords, messages, photos, iCloud content and cryptocurrency wallet data.
- Researchers found the operators left unobfuscated code on compromised Ukrainian sites and observed shared infrastructure with the recently disclosed Coruna iOS exploit kit.
- Apple says it fixed the underlying bugs last year, issued an emergency update on March 11 for older iOS 15–16 devices, and confirmed Lockdown Mode prevents these attacks.
- Despite patches and browser blocks, iVerify and Lookout estimate roughly 220 million to 270 million iPhones still run exposed versions, sustaining the window of risk.