NEW YORK — DarkSword, a newly disclosed iPhone spyware framework found on compromised websites linked to campaigns touching Ukraine, can fully compromise iPhones running outdated iOS, and researchers say the number of potentially exposed devices ranges from about 221.5 million to as many as 270 million worldwide, March 18, 2026. The framework turns a visit to a malicious webpage into a full device takeover, and the disclosure matters because researchers say mercenary-grade iPhone exploits are spreading beyond tightly controlled espionage use into broader operations.
According to Google Threat Intelligence Group’s DarkSword analysis, iVerify’s reverse-engineering write-up and Reuters’ report on the disclosure and Apple’s response, researchers from Google, iVerify and Lookout say the exploit chain has been used by multiple threat actors in campaigns touching Saudi Arabia, Turkey, Malaysia and Ukraine. Google said the chain supports iOS 18.4 through 18.7 and uses six vulnerabilities, while iVerify said the recovered code it analyzed was configured for iOS 18.4 through 18.6.2 and successfully infected test devices on iOS 18.6.2.
How this iPhone spyware campaign works
Researchers said attackers embedded hidden code on otherwise legitimate sites, turning a normal visit into a one-click compromise. iVerify described DarkSword as a fileless, non-persistent framework built largely in JavaScript, meaning it is designed to steal data and disengage rather than remain planted on the phone. Google’s analysis said the follow-on payloads can pull data ranging from iMessage, WhatsApp and Telegram records to notes, hidden photos, Health data, Wi-Fi passwords and cryptocurrency wallet files.
Why the 270 million figure needs context
The headline figure needs context. iVerify’s narrower calculation puts the exposed pool at about 221.5 million devices running iOS 18.4 through 18.6.2. Its higher 270 million scenario assumes most iOS 18 builds were susceptible to most of the chain before later 18.7 fixes arrived. That distinction matters because the risk is enormous either way, but the exact blast radius depends on which builds remained vulnerable and how quickly users installed updates.
What Apple users should do now
Apple said the exploits targeted out-of-date software and that the underlying bugs have already been addressed across multiple updates. The company’s security releases page lists iOS 26.3.1 as the latest current iPhone software, while iVerify said the fixed versions available at publication were iOS 26.3.1 and iOS 18.7.6 for devices that remain on the iOS 18 track, including older iPhone XS, XS Max and XR models. Apple also told Reuters that the malicious domains identified by Google are blocked by Safari Safe Browsing.
For users who believe they may face a higher risk of targeted intrusion, Apple’s Lockdown Mode guidance says the feature is meant for extremely rare and highly sophisticated attacks and will restrict some everyday iPhone features to reduce the attack surface. For everyone else, the clearest takeaway is still the simplest one: update iOS immediately and be cautious with unfamiliar links, even when they appear on legitimate sites.
Why this iPhone spyware story fits a longer pattern
DarkSword did not arrive in a vacuum. Earlier this month, Google detailed Coruna, another powerful iOS exploit kit that it said had already moved from surveillance use into watering hole attacks and broader criminal activity. The new disclosure also echoes Apple’s 2024 warning that mercenary spyware alerts had reached users in 92 countries, a reminder that the market for high-end mobile intrusion tools has been widening for years.
That longer arc is what makes DarkSword more than another patch story. It suggests that iPhone exploits once treated as rare, bespoke weapons are increasingly being repackaged, shared and reused — and that running outdated iOS now exposes far more users to modern iPhone spyware than many Apple owners may realize.
