Security researchers have discovered a powerful exploit that could allow hackers to break into hundreds of millions of iPhones by tricking users into clicking malicious links. The malware, dubbed 'Darksword', has been planted on dozens of websites in recent weeks, according to reports from cybersecurity firms Lookout, iVerify, and Google.
The discovery marks the second time this month that researchers have found spyware targeting iPhones and other Apple devices. On 3 March, Google and iVerify revealed a separate powerful iPhone spyware called 'Coruna'. Researchers found Darksword hosted on the same servers, suggesting a flourishing market for sophisticated malware capable of stealing data and cryptocurrency wallet information.
Google said its researchers observed multiple commercial vendors and suspected state-linked hackers using Darksword in distinct campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The campaigns in Malaysia and Turkey were associated with Turkish commercial surveillance vendor PARS Defense, which did not respond to a request for comment.
According to iVerify and Lookout, researchers discovered the malware being delivered to iPhone users running iOS versions 18.4 to 18.6.2 who visited one of dozens of Ukrainian websites. Apple released those versions between March and August 2025. It is not clear how many iPhones are vulnerable, but an estimated 220 million to 270 million iPhones still run exposed iOS versions, based on public estimates.
An Apple spokesperson said the exploits targeted 'out-of-date software' and that the underlying vulnerabilities have been addressed across multiple updates over the last several years. 'Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,' the spokesperson added. All malicious domains identified by Google are blocked by Apple Safe Browsing in the Safari web browser.
Researchers said they discovered the vulnerabilities because of sloppy security mistakes not common in state-linked iPhone hacking. 'The fact that they don't care if it gets burned, and that they're using them in mass attacks with poor operational security, that says a lot about how much they value these tools,' said Rocky Cole, co-founder and COO of iVerify.
