A spyware toolkit known as DarkSword, previously used in real-world attacks, has now leaked online, including on GitHub, giving hackers a ready-made way to target iPhones. Researchers say its public availability makes it far easier for others to reuse.
Teams from Google, iVerify, and Lookout have been tracking DarkSword since late 2025. Early activity centered on "watering hole" attacks, where malicious code was injected into legitimate websites. In those cases, simply loading a compromised page in Safari was enough to trigger the exploit — no app installs, no obvious user action.
The attack itself isn't a single bug. It's a chain. It starts in the browser with JavaScript hitting a WebKit vulnerability, then moves step by step into more privileged parts of the system. Along the way it breaks out of Apple's sandbox protections and pivots into processes with broader access. By the end of the chain, attackers can reach sensitive areas of the device.
There's no visible app once it lands. The code runs inside existing system processes, which gives it cover. From there, it can pull data like messages, contacts, call history, and iCloud Keychain entries, including saved passwords and Wi-Fi credentials, and send that information back to external servers.
Researchers have also found that the same infrastructure has been reused across multiple campaigns since November, suggesting the toolkit is being shared or resold rather than kept to a single group. Some operations appear tightly targeted, while others are much wider in scope.
The number of potentially exposed devices is still significant. Recent activity has focused on iOS 18, and Apple's own App Store data shows that roughly one-quarter of active iPhones and iPads are still running that version or earlier.
Apple has already moved to address the vulnerabilities. After the exploits were observed in active use, the company urged users to update their software immediately. Fixes are included in recent iOS releases, and Apple issued additional security updates on March 11 for devices that can't upgrade to the latest version.
For users who can't update right away, Lockdown Mode can help block the techniques used in this chain. Even so, researchers say the bigger issue now is availability. With the toolkit out in the open, it becomes much easier for new actors to adapt it or build on top of it.