Techniques to hack into an iPhone have been few and far between, but in recent times there seems to be an uptick on this front, especially in tools that get embedded into infected websites. Among them is DarkSword, a hacking technique available on the web in a reusable form that could potentially take over millions of iOS devices.
This was revealed by researchers at Google and cybersecurity firms iVerify and Lookout, who located the hacking toolkit across several infected websites. These sites could instantly capture and hack into iOS devices that visit them. While phones with the latest iOS 18 are considered safe, those running older versions.
According to iVerify co-founder and CEO Rocky Cole, a vast number of iOS users could have their personal data stolen when they visit a popular website. “Hundreds of millions of people who are still using older Apple devices or older operating system versions remain vulnerable,” he said.
The DarkSword toolkit has come to light barely two weeks after a similar toolkit, known as Coruna, was found to be used by Russian state-sponsored espionage groups as well as other cybercriminals. For now, the researchers believe that the two toolkits were created by different developers, though they believe both were used by Russia.
They found that both toolkits were embedded in components of otherwise legitimate websites in Ukraine, including news outlets and government websites. Google’s Threat Intelligence Group notes in a post that DarkSword was also spotted earlier, when hackers used it to hack into the iPhones of people in Saudi Arabia, Turkey and Malaysia.
The post says the latest toolkit supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. Google has identified three distinct malware families deployed following a successful DarkSword compromise. These are GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
“The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns,” the post said.
Google also confirmed that the vulnerabilities tied to DarkSword have since been patched, with fixes rolled out to iOS 26.3 and updates also extended to older versions such as iOS 15 and iOS 16. The company also said it has added malicious domains to its Safe Browsing System and advised users to avoid clicking on unknown links.
