Massive iPhone Spyware Campaign Discovered on Ukrainian Websites

A powerful software exploit capable of penetrating and stealing information from potentially hundreds of millions of Apple iPhones was planted on dozens of websites in Ukraine in recent weeks, according to researchers.

The discovery marks the second time this month that researchers have found spyware targeting iPhones and other Apple devices, Reuters reported. Together, the two hacking tools show that the market for sophisticated malware capable of stealing data and cryptocurrency wallet information is flourishing, researchers said.

Researchers from Lookout, mobile security firm iVerify, and Google published coordinated analyses of the malware they dubbed "Darksword." On March 3, Google and iVerify revealed a separate powerful iPhone spyware called "Coruna." Researchers found Darksword hosted on the same servers.

"There's now a verified pipeline of recent exploits ... that have ended up in the hands of potentially criminal entities with a financial focus," said Justin Albrecht, principal researcher with Lookout. Google said its researchers observed campaigns targeting multiple commercial vendors and suspected state-linked hackers using Darksword in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.

The campaigns in Malaysia and Turkey were associated with Turkish commercial surveillance vendor PARS Defense, Google said. According to iVerify and Lookout, researchers discovered the malware being delivered to iPhone users running iOS versions 18.4 to 18.6.2 who visited one of dozens of Ukrainian websites.

Apple released those versions between March and August 2025. According to the researchers, it is not clear how many iPhones are vulnerable to Darksword attacks.

Apple has released several fixes for the underlying bugs that attackers used to make Darksword. However, many people opt not to install iPhone updates, and an estimated 220 million to 270 million iPhones still run exposed iOS versions, according to iVerify and Lookout.

An Apple spokesperson said the exploits targeted "out-of-date" software, and that the underlying vulnerabilities have been addressed across multiple updates over the last several years for users running the latest versions of their devices' operating systems.

"Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices," the spokesperson said.

All malicious domains identified by Google are blocked by Apple Safe Browsing in the Safari web browser to prevent further exploitation, the spokesperson added. 

The discovery of two powerful iOS exploits this month suggests a robust ecosystem for tools that were previously limited primarily to state-level intelligence operations, said Rocky Cole, co-founder and COO of iVerify.

Researchers said they discovered the vulnerabilities because of sloppy security mistakes not common in state-linked iPhone hacking. 

"The fact that they don't care if it gets burned, and that they're using them in mass attacks with poor (operational security), that says a lot about how much they value these tools," Cole said. "They're not overly precious about them being exposed." Darksword was found on internet servers used by suspected Russian operators of Coruna, researchers said.
© 2026 Law Enforcement Today, Privacy Policy