Millions of iPhones Exposed to New “Darksword” Spyware

Researchers have uncovered a widespread spyware campaign targeting Apple iPhones, with potentially hundreds of millions of devices vulnerable. The malware, dubbed “Darksword,” was deployed on dozens of Ukrainian websites in recent weeks. Together with another recently discovered exploit called “Coruna,” it reflects a growing market for sophisticated hacking tools. This surge in commercial spyware capabilities raises concerns about both state-sponsored and financially motivated cyberattacks.

The Darksword Threat

Darksword exploits vulnerabilities in iPhones running iOS versions 18.4 to 18.6.2 (released between March and August 2025) to steal sensitive data, including cryptocurrency wallet information. Google, Lookout, and iVerify jointly analyzed the malware, finding it hosted on the same servers as Coruna – indicating a shared infrastructure for these attacks.

Key Findings:
– Darksword has been used in campaigns targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine.
– Campaigns in Turkey and Malaysia are linked to PARS Defense, a Turkish commercial surveillance vendor.
– An estimated 220–270 million iPhones remain vulnerable due to users not installing updates.

Why This Matters

The proliferation of powerful spyware like Darksword and Coruna demonstrates a shift in the cyber landscape. Previously, such tools were largely the domain of nation-state intelligence agencies; now, they are increasingly accessible to criminal entities with financial incentives. This trend is alarming because it lowers the barrier to entry for malicious actors and expands the potential for mass surveillance and data theft.

“There’s now a verified pipeline of recent exploits that have ended up in the hands of potentially criminal entities with a financial focus,” says Justin Albrecht, principal researcher with Lookout.

Apple’s Response and User Action

Apple has acknowledged the vulnerabilities exploited by Darksword and asserts that fixes have been released through multiple updates over the past few years. The company emphasizes that keeping software up to date is the most effective measure against such attacks. Apple’s Safe Browsing feature in Safari also blocks known malicious domains.

However, the sheer number of iPhones running outdated iOS versions (estimated at 220–270 million) leaves a vast attack surface exposed.

Operational Sloppiness and Future Trends

Researchers note that the operators behind Darksword and Coruna exhibit reckless security practices. This suggests they are unconcerned with exposure, either because they possess an abundance of tools or because their primary goal is mass exploitation rather than long-term stealth.

The discovery of these two exploits in quick succession points to a robust ecosystem for advanced hacking tools. The fact that these tools are being used in mass attacks with poor operational security indicates their high value and expendability.

Ultimately, this situation underscores the constant arms race between security researchers, software vendors, and malicious actors. Users must prioritize software updates and remain wary of phishing and suspicious websites to minimize their risk.