DarkSword Alert: The Invisible Spyware Targeting 270 Million iPhones
Security researchers from Google Threat Intelligence Group, Lookout, and iVerify have issued a startling report on a sophisticated new hacking toolkit dubbed "DarkSword." This high-level spyware is currently spreading globally, specifically targeting iPhone users who have not yet updated to the latest iOS security patches.
What is DarkSword? The Invisible Threat
DarkSword is far more dangerous than typical malware. It uses a zero-click, drive-by download mechanism, meaning it requires no user interaction to infect a device. Key features include:
Infection via Browsing: Simply visiting a compromised website triggers the attack. No "Download" or "Accept" prompts are required.
The Six-Exploit Chain: DarkSword chains six vulnerabilities across iOS and Safari to escape the system sandbox and gain root-level access.
Stealth Memory Execution: The spyware operates entirely in the device's RAM without leaving a permanent file footprint, making it invisible to standard detection tools. While it disappears upon reboot, the data theft occurs instantly during the session.
State-Sponsored Origins: Evidence suggests the tool is being utilized by advanced persistent threat (APT) groups and private surveillance firms across nations including Saudi Arabia, Turkey, Malaysia, and Ukraine.
Is Your iPhone at Risk?
Technical analysis reveals that DarkSword specifically targets devices running iOS 18.4 through iOS 18.7. It is estimated that 220–270 million iPhones worldwide remain on these vulnerable versions.
Critical Vulnerabilities: The primary exploits involve CVE-2026-20700 and CVE-2026-20643, both of which target the WebKit engine. Attackers inject custom JavaScript via malicious iframes to initiate the breach.
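For a fleet administrator, the practical question raised by this section is which managed devices are still on a version in the affected range. The following Python script is an added example and not code from the article, Malwarebytes, or the research teams it cites. It takes the version range the article names as affected (iOS 18.4 through 18.7) and the earliest release it names as patched (iOS 26.1), and triages a device inventory. The inventory is a constructed CSV with assumed column names device_id and os_version; the version strings in it are sample values, including one unparseable entry and a two-digit minor version so that the numeric (rather than lexicographic) comparison is exercised.

```python
"""Triage an iOS device inventory against the version range the DarkSword
report names as affected. Added example; ranges are taken from the article."""

import csv
import io
from typing import Dict, List, Tuple

# Inclusive major.minor range the article gives as affected (iOS 18.4 - 18.7).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)
# Earliest release the article names as carrying the fix.
PATCHED_MIN = (26, 1)

# Constructed inventory export (assumed column names: device_id, os_version).
INVENTORY_CSV = """device_id,os_version
ipad-001,18.4.1
iphone-002,18.7
iphone-003,26.2
iphone-004,18.10
iphone-005,18.3.2
iphone-006,not-a-version
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.7.2' into (18, 7, 2) so comparisons are numeric.

    Plain string comparison would order '18.10' before '18.4', which is why
    the version is split into integer components first.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'patched', or 'unverified' for one version string.

    The article scopes the affected range by minor release, so the patch
    level is ignored: 18.4.1 and 18.4 are both treated as affected.
    """
    components = parse_version(version)
    major_minor = (components + (0, 0))[:2]  # pad '18' to (18, 0)
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "affected"
    if major_minor >= PATCHED_MIN:
        return "patched"
    # Outside both ranges the article names; the device still needs a
    # manual check against Apple's own security advisories.
    return "unverified"


def triage(csv_text: str) -> Dict[str, List[str]]:
    """Bucket every device_id in a CSV export by its classification."""
    buckets: Dict[str, List[str]] = {
        "affected": [], "patched": [], "unverified": [], "unparseable": []
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            status = classify(row["os_version"])
        except ValueError:
            # A bad version string must not silently drop the device from
            # the report; surface it so someone can look at it by hand.
            status = "unparseable"
        buckets[status].append(row["device_id"])
    return buckets


if __name__ == "__main__":
    for status, devices in triage(INVENTORY_CSV).items():
        print(f"{status:12s} {', '.join(devices) or '-'}")
```

Devices landing in the "affected" bucket are the ones the article's "Immediate Update" advice applies to; "unverified" entries (older than 18.4 or between 18.7 and 26.1) fall outside what the article states and should be checked against Apple's advisories rather than assumed safe.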
What Data is Stolen?
Once access is granted, DarkSword deploys a secondary payload known as "Ghostblade" to exfiltrate:
Encrypted Chats: SMS, iMessage, WhatsApp, and Telegram.
Identity & Credentials: Keychain passwords, Wi-Fi credentials, and Contacts.
Media & Files: Photos and iCloud Drive documents.
Financial Assets: It scans for cryptocurrency wallets to extract private keys and drain funds.
How to Protect Your iPhone
Immediate Update: Apple has patched these flaws in iOS 26.1, 26.2, and 26.3 (2026 releases). Go to Settings > General > Software Update immediately.
Enable Lockdown Mode: If you are a high-risk individual (a journalist, an activist, or someone who handles sensitive data), enable Lockdown Mode. This drastically limits the web functionality that DarkSword relies on. (Settings > Privacy & Security > Lockdown Mode).
Monitor Anomalies: Watch for excessive battery drain, overheating during idle time, or frequent app crashes. If these occur, perform a Force Restart and check your iOS version.
WebKit has become the most critical attack surface because almost every app on iOS (not just Safari) relies on this engine to render web content. DarkSword's ability to exploit WebKit means it can arrive through social media ads or forwarded links without the user noticing.
Sub-malware like Ghostblade doesn't randomly steal everything; instead, it uses a small amount of on-device AI to scan for "sensitive information," such as contracts, bank passwords, or cryptocurrency wallet keys, before compressing and rapidly transmitting it to avoid lag or noticeable data usage.
The affected versions (iOS 18.4 through 18.7) emerged when Apple began implementing a large suite of AI features, leaving some kernel-level vulnerabilities open in the interest of smoother processing. Attackers exploited these vulnerabilities to build a six-exploit chain, considered the longest and most complex ever discovered in 2026.
While the malware disappears after a reboot, researchers warn that attackers often leave small "backdoors" in backup systems or trusted applications, which can cause the device to be reinfected immediately when you visit the same website again.
Source: malwarebytes