DarkSword leaks on GitHub, raising iPhone risk


A dangerous iPhone hacking tool known as DarkSword has now reportedly leaked onto GitHub, raising new risks for users still running older Apple devices.
Experts say patching now is critical.

The Google Threat Intelligence Group (GTIG), which first identified the iOS full-chain exploit last week, says attackers have already leveraged multiple zero-day vulnerabilities to fully compromise devices.

It’s also the second time this month that researchers have found spyware targeting iPhones and other Apple devices using iOS exploit kits, following the Coruna exploit chain disclosed in early March.

GTIG has been tracking the spyware – dubbed DarkSword – since at least November 2025 and has observed multiple threat actors using it. Now the malicious code appears to have been leaked publicly, according to a new report by TechCrunch on Monday.

Researchers said the exploit chain works on iPhones and iPads running iOS 18.4 through 18.7, giving attackers a powerful entry point into outdated Apple devices.

Apple initially patched the vulnerabilities in iOS 26.3, with Google urging users of older devices to update to the latest version.

For those who can’t, Apple recommends enabling “Lockdown Mode” immediately – especially now that the DarkSword toolkits have been leaked on GitHub.

Public code leak raises urgency


According to Google, DarkSword is used to deliver malware that can steal data from infected devices and even gain full control.

With the exploit code now publicly available on GitHub, the new warnings say the infostealer can spread even faster.

Once malicious code is released in the wild, the risk of attack widens by giving threat actors a starting point to test, tweak, and potentially redeploy similar tools, Google says.


“What makes this wave of iOS exploits especially concerning is the connection to the Coruna exploits from earlier this month, since it shows how a spyware-grade exploit capability can spread across multiple actors and mission sets once it is in circulation,” says Pete Luban, Field CISO at AttackIQ.

Luban said the bigger problem comes after the initial compromise.

“Russian actors shifting reliance from Coruna to DarkSword signals a practical blend of espionage and monetization, where the same access can support intelligence collection one day and financial theft the next,” Luban explains.

For reference, the previously discovered Coruna exploit chain gives attackers five different attack sequences for a total of 23 exploits – an unusually large and sophisticated arsenal capable of infecting iPhones running iOS 13 through 17.2.1, researchers say.


A hacked iPhone can open bigger doors

Google researchers also identified three distinct malware families deployed after a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

Luban says the deployment of all three malware families once the exploit lands is the bigger issue because “together they compress the attacker’s kill chain, effectively widening the blast radius of a single click.”


Security experts warn that once a mobile device is compromised, the fallout can spread far beyond the device itself.

“What makes this particularly challenging is how quickly a mobile compromise can translate into broader enterprise access,” says Steve Cobb, Chief Information Security Officer at SecurityScorecard.


“Once attackers gain access to credentials or corporate data on a compromised device, they are no longer limited to that phone,” Cobb explains, adding that attackers can easily move into “SaaS platforms, cloud environments, and partner systems without needing to exploit another vulnerability.”

That risk grows as more people use the same device for personal and work activities. A compromised phone can expose email, stored credentials, synced files, messaging apps, and access tokens tied to other services.

The DarkSword exploit is “a strong signal that mobile threats are no longer operating on the fringes,” Cobb said. “The initial compromise is small and difficult to detect, but the impact expands rapidly across interconnected systems.”

Why patching now matters

The biggest danger of a DarkSword attack is for users still running older versions of iOS and iPadOS.

Google, urging Apple owners to patch older iOS versions immediately, warns that users who delay updates remain the easiest targets, especially for attackers who adapt or reuse leaked exploit code.
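A fleet administrator acting on this advice needs to know which managed devices sit inside the reported version ranges. The script below is an added example, not code from the article, Google, or Apple: it triages a device inventory against the version ranges the article reports (DarkSword on iOS 18.4 through 18.7, Coruna on iOS 13 through 17.2.1, and Apple's fix in iOS 26.3) and emits the update-or-Lockdown-Mode action for each device. The inventory rows (`device_id`, `os_version`, `lockdown_mode`) are constructed sample data standing in for an MDM export, and treating "18.4 through 18.7" as inclusive on major.minor (so 18.7.1 still counts) is this script's assumption.

```python
from typing import Dict, List, Tuple

# Version ranges as reported in the article. DarkSword: iOS 18.4 through 18.7
# (compared on major.minor, an assumption of this script); Coruna: iOS 13
# through 17.2.1; Apple patched the DarkSword flaws in iOS 26.3.
DARKSWORD_RANGE = ((18, 4), (18, 7))
CORUNA_RANGE = ((13, 0, 0), (17, 2, 1))
PATCHED_IN = (26, 3)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'18.7.1' -> (18, 7, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, n: int = 3) -> Version:
    """Right-pad with zeros so (18, 7) and (18, 7, 0) compare equal."""
    return tuple(v) + (0,) * (n - len(v))


def classify(version_text: str) -> str:
    """Map a version string to one of: patched, darksword-range,
    coruna-range, or no-reported-range (the article gives no range for it)."""
    v = pad(parse_version(version_text))
    if v >= pad(PATCHED_IN):
        return "patched"
    if pad(DARKSWORD_RANGE[0]) <= v and v[:2] <= DARKSWORD_RANGE[1]:
        return "darksword-range"
    if pad(CORUNA_RANGE[0]) <= v <= pad(CORUNA_RANGE[1]):
        return "coruna-range"
    return "no-reported-range"


def actions_for(status: str, lockdown_mode: bool) -> List[str]:
    """Defender actions following the article's advice: update first, and
    turn on Lockdown Mode on devices that are still inside a reported range."""
    if status == "patched":
        return []
    acts = ["update to the latest iOS/iPadOS"]
    if status in ("darksword-range", "coruna-range") and not lockdown_mode:
        acts.append("enable Lockdown Mode until updated")
    return acts


def triage(inventory: List[Dict]) -> Dict[str, Dict]:
    """Inventory rows look like an MDM export (assumed field names):
    {"device_id": str, "os_version": str, "lockdown_mode": bool}."""
    report: Dict[str, Dict] = {}
    for row in inventory:
        try:
            status = classify(row["os_version"])
        except ValueError as exc:
            # A bad record is itself a finding: you cannot assess what you cannot parse.
            report[row["device_id"]] = {"status": "unknown",
                                        "actions": [f"fix inventory record: {exc}"]}
            continue
        report[row["device_id"]] = {
            "status": status,
            "actions": actions_for(status, bool(row.get("lockdown_mode", False))),
        }
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "ipad-001", "os_version": "18.6", "lockdown_mode": False},
    {"device_id": "iphone-002", "os_version": "18.7.1", "lockdown_mode": True},
    {"device_id": "iphone-003", "os_version": "26.3", "lockdown_mode": False},
    {"device_id": "iphone-004", "os_version": "17.2.1", "lockdown_mode": False},
    {"device_id": "iphone-005", "os_version": "n/a", "lockdown_mode": False},
]

if __name__ == "__main__":
    for device_id, result in triage(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {result['status']}")
        for action in result["actions"]:
            print(f"    - {action}")
```

Devices outside every reported range still get the update action: the article says nothing about those versions, so the script does not call them safe, it only declines to apply a range the article did not give.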

Still, Luban says Coruna’s earlier use across different ecosystems and actors also raises the stakes for defenders, turning “a mobile compromise into an enterprise incident.”


Luban further says the attacks normalize the idea that high-end exploit chains can become repeatable tradecraft, essentially increasing the odds of copycats and faster iteration, even when individual flaws get patched.

“A dataminer plus backdoors gives adversaries flexibility to quickly harvest high-value data, re-enter the device if needed, and pivot across accounts and cloud-synced services rather than being limited to what is on the handset in the moment,” he says.

Beyond updating iOS and using Lockdown Mode when appropriate, Luban says organizations should test whether their patching, web filtering, and mobile security controls can actually stop these real-world exploit chains – and regularly rehearse detection and response plans before gaps show up in headlines.

