Security researchers revealed a widespread campaign targeting users with outdated Apple devices last week. The attacks leveraged a tool called DarkSword, previously known to be in the hands of sophisticated threat actors, but it has now been leaked online and is available for download on GitHub.
Easy to Deploy Exploits
DarkSword is an iOS exploit kit that is relatively simple to use, consisting primarily of HTML and JavaScript files. Which means almost anyone can copy the files, host them on a server, and commence attacking iPhones and iPads within minutes, requiring no advanced knowledge of the iOS architecture. The accessibility of exploit kits like DarkSword underscores the growing democratization of cyberattacks.
Russian Intelligence and Ukrainian Servers
According to analysts at Google and Lookout, DarkSword was previously used by Russian government-linked hackers (UNC6353) to target individuals in Ukraine. Interestingly, the source code that surfaced online contains fragments responsible for sending stolen data to a popular Ukrainian clothing store. It is believed attackers compromised the website to use it as a command and control (C2) server.
This incident follows a similar event earlier this month involving the Coruna exploit pack, created by L3Harris for the U.S. Government.
What Does DarkSword Do?
Once successfully deployed, DarkSword quietly steals the following data from a compromised device:
- Contacts
- Messages
- Call history
- Contents of the iOS Keychain, which stores Wi-Fi passwords and credentials for other services.
Unlike more persistent tools like Pegasus, DarkSword is designed for quick access, data theft, and exfiltration. It also includes functionality for stealing cryptocurrency.
Who is at Risk?
DarkSword targets iOS systems running version 18 without Lockdown Mode enabled. Apple reports that approximately 25% of users are still running iOS 18 or earlier, representing hundreds of millions of vulnerable devices. The availability of the code on GitHub puts these devices at risk from anyone who downloads it.
Fortunately, devices updated to the latest available iOS 26, released in October 2025, are protected. For older devices that do not support iOS 26, Apple released a security patch on March 11.
What Should iPhone Users Do?
To protect against DarkSword, users should:
- Update to the latest version of iOS 26. If your device does not support iOS 26, install the security patch released on March 11 or enable Lockdown Mode.
- Enable Lockdown Mode. This feature significantly restricts attack vectors by blocking suspicious scripts on websites and in messaging apps.
If you’d like to learn more about how to secure your smartphone (and not just iPhones) against attacks that could threaten your money, data, or privacy, consider attending our lecture, “How Not to Get Hacked,” which will be held in the following cities in the coming weeks:
This lecture contains everything you need to know about cybersecurity today. The content is presented in an accessible and understandable way for everyone, so we welcome all, including those with no technical background. Feel free to bring family and friends – we recommend ages 15 and up. There will be spectacular live demonstrations of attacks and plenty of practical, free, and easy-to-implement advice. We guarantee you’ll leave more secure. We’ve refined this lecture over six years, and it has been attended by over 100,000 people (with an average rating of 9.48/10). Click here to spot a full description and a video from a previous session and to reserve your place.
