The findings come from a joint investigation involving Google’s threat intelligence team, alongside cybersecurity firms Lookout and iVerify. Their reports point to a coordinated effort using advanced exploit methods, some linked to state-backed actors.
What is DarkSword spyware?
DarkSword is what researchers describe as an exploit chain — not a single bug, but a sequence of vulnerabilities. It combines multiple software weaknesses to gain access to a device and move deeper into system controls. Google said the tool uses six vulnerabilities together to fully compromise certain iPhones.
How the DarkSword attack works
The entry point is often Safari. McCoy told TIME that a user may only need to click a link — what researchers call a drive-by download — for the attack to begin. According to iVerify, two compromised domains were identified, including a .gov.ua domain: novosti.dn[.]ua and 7aac.gov[.]ua.
From there, access expands rapidly. Data can be extracted within seconds, after which the tool removes traces of its activity and exits.
What data DarkSword spyware can access on iPhones
The scope is extensive, given that it is a surveillance-focused tool. According to iVerify, it can extract:
- Wi-Fi credentials
- Messages
- Call logs
- Location history
- Browser data
- SIM and cellular details
- Health and Notes data
Cryptocurrency wallets may also be targeted.
Countries where DarkSword iPhone attacks have been detected
Researchers observed activity in Ukraine, China, Saudi Arabia, Turkey, and Malaysia.
In one case, a Ukrainian government-linked domain appeared to have been compromised. Another attack used a website mimicking Snapchat to target users. No confirmed cases involving US users were reported in the findings.
Who may be behind the DarkSword attacks
The tool has reportedly been in use since at least November 2025. Google linked its use to commercial surveillance vendors and suspected state-backed groups.
Which iPhones are vulnerable to DarkSword attacks
Devices running iOS 18.4 to 18.7 are considered at risk. iVerify estimates this could affect around 270 million devices globally.
“This is a pretty significant threat,” Damon McCoy of New York University told TIME, pointing to users still running older iOS versions.
Updates and patches released to fix DarkSword vulnerabilities
Google confirmed that the vulnerabilities tied to DarkSword have been patched, with fixes rolled out up to iOS 26.3. Updates were also extended to older systems such as iOS 15 and 16.
How to protect your iPhone from DarkSword spyware
The first step is simple — ensure the device is up to date. Apple said keeping software updated remains the most effective defence against such cyberattacks.
For those unable to update, the company recommends enabling Lockdown Mode — a setting designed for high-risk users facing advanced threats.
Additional safety measures and Google Safe Browsing update
Google has added malicious domains linked to DarkSword to its Safe Browsing system.
Users are advised to avoid unknown links and keep security settings enabled.
Whether you are exposed to these attacks depends largely on your software version. Devices running the latest updates are protected; older ones may not be.
