iOS hacking tool ‘DarkSword’ leaked on GitHub


DarkSword is similar to Coruna, which targets iPhone models running iOS versions from 13.0 up to 17.2.1.

A major iOS exploit kit unveiled by cybersecurity experts earlier this month has been leaked on GitHub, further increasing the risk to older iPhones and iPads.

In a joint investigation this month, Google Threat Intelligence Group (GTIG) and iVerify unveiled ‘DarkSword’, a new full-chain exploit that targets iOS versions 18.4 through 18.7. It is likely that millions of users globally use older Apple products that this exploit could affect.

Since at least November 2025, DarkSword has been used by several commercial surveillance and suspected state-sponsored actors to target users in Saudi Arabia, Turkey, Malaysia and Ukraine, according to GTIG.

These attacks used multiple vulnerabilities in Apple’s operating system to gain access to sensitive information from the users’ devices.

GTIG has identified hackers leveraging a Snapchat-themed fake website to target Saudi Arabian users. It also observed DarkSword used in Turkey, as well as by a suspected Russian espionage actor leveraging the exploit to target Ukrainian users.

The group said that they reported these DarkSword vulnerabilities to Apple late last year, and these have all since been patched with the release of iOS 26.3. However, yesterday (23 March), TechCrunch reported that a newer version of DarkSword was leaked on the code-sharing site GitHub.

Speaking to the publication, iVerify co-founder Matthias Frielingsdorf said that these exploits are “way too easy to repurpose”. “I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this.”

DarkSword is similar to ‘Coruna’, an exploit the team unveiled earlier this month. Coruna targets iPhone models running iOS versions from 13.0 up to 17.2.1.

The exploit kit infects outdated iPhones visiting certain websites. It does not contain any specific targeting or one-time links, meaning anyone who visited such a website while running a vulnerable iOS version could get infected, and could also get re-infected multiple times.

GTIG and iVerify say that the use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation among actors with different goals across the globe.

It is recommended that users update their devices to the latest version of iOS. In cases of older models where updates are not possible, it is advised that users enable ‘Lockdown Mode’ for enhanced security.
