A sophisticated software exploit capable of breaking into Apple iPhones and siphoning off sensitive data may have put hundreds of millions of users at risk.
Researchers revealed on Wednesday that this powerful threat had been quietly embedded across dozens of websites in Ukraine in recent weeks—raising urgent questions about how far its reach could extend.
The discovery marks the second time this month that researchers have uncovered spyware aimed at iPhones and other Apple devices. Taken together, these two hacking tools paint a troubling picture: a booming underground market for highly sophisticated malware designed to siphon off personal data—and even drain cryptocurrency wallets—right under users’ noses, researchers warn.
Cybersecurity researchers from Lookout, mobile security firm iVerify, and Google—part of Alphabet—have released coordinated analyses of a newly identified malware strain they’ve dubbed “Darksword.” Earlier this month, on March 3, Google and iVerify also disclosed another powerful iPhone spyware known as “Coruna.” What’s especially alarming: investigators discovered that Darksword was hosted on the very same servers as Coruna, hinting at a deeper, possibly connected operation behind both threats.
"There’s now a verified pipeline of recent exploits … that have ended up in the hands of potentially criminal entities with a financial focus," said Justin Albrecht, a principal researcher at Lookout, underscoring the growing risk behind these increasingly accessible hacking tools.
Google Sounds the Alarm on Expansive, Far-Reaching Hacking Campaigns
Google says its researchers have uncovered multiple, separate campaigns using Darksword—carried out by commercial surveillance vendors and suspected state-linked hackers—targeting victims in Saudi Arabia, Turkey, Malaysia, and Ukraine, signaling a far broader and more coordinated threat than previously known.
Google linked the campaigns in Malaysia and Turkey to PARS Defense, a Turkish commercial surveillance vendor. The company did not respond to requests for comment—adding another layer of uncertainty around its alleged role in these operations.
According to iVerify and Lookout, the malware was quietly delivered to iPhone users running iOS versions 18.4 through 18.6.2—triggered simply by visiting one of dozens of compromised Ukrainian websites. Those versions, released by Apple between March and August 2025, may have left a significant window of opportunity for the attack to unfold undetected.
Researchers say it’s still unclear exactly how many iPhones remain vulnerable to Darksword attacks. Apple has already rolled out several patches to fix the underlying flaws, but that doesn’t mean users are in the clear. Many people delay or skip updates altogether—leaving an estimated 220 million to 270 million iPhones still running exposed iOS versions, according to iVerify and Lookout, based on public data. Adding to the concern, Google did not disclose its findings ahead of Wednesday’s report, raising questions about how long the threat may have gone unnoticed.
An Apple spokesperson said the attacks specifically targeted “out of date software,” emphasizing that the underlying vulnerabilities have already been fixed through multiple updates rolled out over the past several years—meaning users on the latest operating system versions are no longer exposed.
“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices,” the spokesperson said.
The spokesperson added that all malicious domains identified by Google have now been blocked through Apple Safe Browsing in Safari—an extra safeguard designed to stop the attacks from spreading any further.
The emergence of two separate, high-powered iOS exploits in just one month points to a thriving and rapidly evolving ecosystem—one where tools once reserved for state-level intelligence agencies are now spreading more widely, said Rocky Cole, co-founder and COO of iVerify.
Researchers say the vulnerabilities were uncovered thanks to careless security missteps—mistakes that are rarely seen in the typically precise, highly disciplined world of state-backed iPhone hacking—making the discovery all the more surprising.
In findings and interviews ahead of Wednesday’s release, researchers at iVerify and Lookout revealed that Darksword was hosted on the same internet servers used by the suspected Russian operators behind Coruna—an overlap that hints at a potentially deeper connection between the two operations.