Sophisticated Spyware Threatens Millions of iPhones via Malicious Links
Security experts are sounding the alarm over a potent new cybersecurity threat that could allow hundreds of millions of iPhones to be compromised when a user simply clicks on a malicious link. This software bug, dubbed “Darksword,” enables hackers to gain unauthorised access to iPhones, potentially leading to the theft of sensitive information. The discovery comes hot on the heels of another significant spyware find targeting Apple devices, highlighting a troubling surge in the market for advanced malware designed to pilfer data and cryptocurrency wallet details.
The sophisticated nature of Darksword has been detailed in coordinated analyses released by researchers from cyber firm Lookout, mobile security specialist iVerify, and Google’s threat intelligence division. This latest threat was found to be hosted on the same internet servers previously associated with another powerful iPhone spyware, “Coruna,” which was revealed earlier this month. This convergence suggests a worrying trend of readily available and potent tools falling into the hands of entities with malicious financial motives.
Justin Albrecht, a principal researcher at Lookout, commented on the situation, stating, “There’s now a verified pipeline of recent exploits… that have ended up in the hands of potentially criminal entities with a financial focus.”
Google’s investigations revealed that Darksword has been deployed in distinct campaigns by multiple commercial vendors and suspected state-linked hackers. The targets of these campaigns have been identified in several countries, including Saudi Arabia, Turkey, Malaysia, and Ukraine. Notably, the operations in Malaysia and Turkey have been linked to the Turkish commercial surveillance vendor PARS Defense. Requests for comment from PARS Defense went unanswered.
According to iVerify and Lookout, the Darksword malware was delivered to iPhone users running iOS versions 18.4 through 18.6.2. These specific versions were released by Apple between March and August of 2025. While the exact number of vulnerable iPhones remains unclear, researchers, working from public estimates, put the number of iPhones still running exposed iOS versions at between 220 million and 270 million. This significant number of unpatched devices presents a wide attack surface for cybercriminals.
Apple has acknowledged the issue, with a spokesperson stating that the exploits targeted “out-of-date software.” The company emphasised that the underlying vulnerabilities have been addressed in multiple updates over the past several years for users running the latest versions of their operating systems.
Protecting Your Device: The Importance of Updates
The spokesperson stressed the critical role of software updates in maintaining device security:
- Keeping Software Up-to-Date: This remains the single most important action users can take to ensure the high security of their Apple devices. Regularly installing the latest iOS updates patches known vulnerabilities and strengthens defenses against emerging threats.
- Apple Safe Browsing: To prevent further exploitation, Apple has confirmed that all malicious domains identified by Google are now blocked by Apple Safe Browsing within the Safari web browser. This proactive measure helps shield users from inadvertently accessing dangerous websites.
The emergence of two distinct and powerful iOS exploits within a single month is a significant indicator of a burgeoning ecosystem for tools that were once primarily the domain of state-level intelligence operations. Rocky Cole, co-founder and COO of iVerify, noted that the discovery of these vulnerabilities was facilitated by what he described as “sloppy security mistakes,” which are not typically seen in state-linked iPhone hacking operations.
Cole further elaborated on the implications of these operational security lapses: “The fact that they don’t care if it gets burned, and that they’re using them in mass attacks with poor (operational security), that says a lot about how much they value these tools… They’re not overly precious about them being exposed.” This suggests a widespread availability and perhaps even a disposable nature of these potent hacking tools.
The connection between Darksword and the servers used by suspected Russian operators of Coruna, as reported by iVerify and Lookout, further underscores the interconnectedness of these sophisticated cyber threats and the potential for their rapid dissemination across different malicious actors.





