New DarkSword Spyware Threatens 270 Million iPhones, Apple Urges Updates

A new and highly sophisticated spyware called DarkSword is putting an estimated 220 million to 270 million iPhones at risk globally. Security researchers from Google, Lookout, and iVerify uncovered the threat this week, revealing that the malware can steal sensitive personal data and even cryptocurrency wallet information from vulnerable devices. Apple has urged users to update their software immediately to protect against these attacks.^[time+6]

DarkSword Exploits Older iOS Versions

DarkSword operates as an "exploit chain," using six different vulnerabilities to fully compromise an iPhone.This allows hackers to gain high-level permissions on a device. The spyware primarily targets iPhones running older versions of iOS, specifically iOS 18.4 to 18.7.This includes hundreds of millions of devices that have not received recent software updates.^[time+11]

The attack often begins when a user visits a compromised website, a method known as a "watering-hole attack."Researchers note that the spyware uses a "hit-and-run" tactic, quickly extracting data.Unlike many traditional hacks, DarkSword does not always require the target to download any malicious files.It can exploit flaws just by visiting a malicious site, making it a form of "zero-click" attack.^{[securityweek+3]}

Once an iPhone is compromised, DarkSword can steal a wide range of personal information. This includes Wi-Fi passwords, text messages, call history, location data, browser history, and SIM card details.It also targets health, notes, and calendar databases.A significant concern for many users is the spyware's ability to access and exfiltrate cryptocurrency wallet information.^[time+8]

Who is Behind the Attacks

Cybersecurity firms and Google's Threat Intelligence Group have observed DarkSword being used by multiple commercial surveillance vendors and suspected state-sponsored actors.Many of these attackers are operating from China and Russia.Specific groups identified include UNC6353, believed to be a Russian espionage actor, and UNC6748, linked to the Turkish firm PARS Defense.^[time+6]

The spyware attacks have been observed targeting iPhone users in several countries. These include Ukraine, China, Saudi Arabia, Turkey, and Malaysia.So far, researchers have not reported any hacks on American targets.DarkSword has been active since at least November 2025.This discovery follows another powerful iPhone spying tool, "Coruna," found earlier this month, indicating a growing market for sophisticated mobile malware.^[time+15]

Damon McCoy, a professor and co-director of the Center for Cyber Security at New York University, emphasized the severity of the threat. "This is a pretty significant threat," McCoy told TIME. "There's still probably quite a few people that are still running this outdated version of iOS, and those people are quite vulnerable."^[time]

Apple's Urgent Advice to Users

Apple has responded to the discovery, stating that it patched the underlying iOS vulnerabilities exploited by DarkSword last year.Google confirmed that all six vulnerabilities were addressed with the release of iOS 26.3, with most having been patched even earlier.^[mashable+2]

The company released emergency software updates for iOS 15 and iOS 16 on March 11, 2026.These updates extend protection to older iPhone models that cannot update to the very latest iOS version.Apple assures users that any device running iOS 15 through iOS 26 is already protected from DarkSword spyware.^[mashable+5]

However, iPhone users still operating on iOS 13 or iOS 14 must update their devices to iOS 15 to receive these crucial protections.Apple stated that users on these older versions will receive an alert to install a Critical Security Update in the coming days.^[mashable+3]

Apple strongly advises all iPhone users to update their software to the latest available version as the primary defense against such attacks.The company also highlighted its Safari web browser's Safe Browsing feature, which automatically blocks all known malicious URLs identified by Google, helping to prevent exploitation.For individuals facing highly sophisticated digital threats, Apple recommends enabling "Lockdown Mode," an optional extreme protection feature.Additionally, newer iPhone 17 models are protected from these specific attacks due to their Memory Integrity Enforcement feature.^[time+15]