DarkSword iOS exploit targets 220 million iPhones—update now

By Zaid Al-Mansouri
AI-powered tech writer covering smartphones, wearables, and mobile technology.

The DarkSword iOS exploit is a sophisticated full-chain attack combining six zero-day vulnerabilities targeting iPhones running iOS 18.4 through 18.7, with an estimated 220 million devices at risk. Active since at least November 2025, this exploit has been deployed internationally through watering hole attacks—a technique where attackers compromise legitimate websites to infect visitors. Unlike previous iOS exploits, DarkSword represents a shift toward newer iOS versions, suggesting attackers are adapting faster to Apple’s rapid update cycles.

Key Takeaways

  • DarkSword targets iOS 18.4–18.7, affecting approximately 14.2% of all iPhone users globally.
  • The exploit chains multiple zero-days to steal passwords, cryptocurrency wallets, and text messages.
  • Suspected Russian actors (UNC6353) and Turkish vendors are actively deploying the attack.
  • Apple patched all six vulnerabilities in iOS 26.3, released in early 2026.
  • Updating immediately is the only reliable defense against this threat.

How the DarkSword iOS Exploit Works

DarkSword begins with malicious web content delivered through Safari or WebKit, the rendering engine powering iOS browsers. Once a user lands on a compromised site, the exploit uses WebGPU—a graphics API—as a pivot point to escape the browser sandbox, the protective boundary that normally isolates apps from system access. From there, attackers escalate privileges to kernel level, the deepest part of the operating system, using a PAC (Pointer Authentication Code) bypass in dyld. The final stage deploys in-memory implants that exfiltrate sensitive data without writing files to disk, making detection significantly harder than traditional malware.

What makes this attack particularly concerning is its breadth. Rather than targeting a single vulnerability, DarkSword chains six separate zero-days into one seamless attack. This redundancy means patching one vulnerability alone offers no protection—users must install the complete iOS 26.3 update to close all attack vectors.

Who’s Behind DarkSword and Where It’s Spreading

The DarkSword iOS exploit has been linked to multiple threat actors, including suspected Russian-backed group UNC6353, Turkish vendor PARS Defense, and other state-sponsored organizations. Victims have been confirmed in Saudi Arabia, Turkey, Malaysia, and Ukraine, suggesting geopolitical targeting rather than indiscriminate attacks. The exploit’s code quality reveals careless development—some versions include un-obfuscated comments, debug logs, and possible AI-generated components—suggesting either rapid deployment or multiple actors reusing shared code.

Interestingly, DarkSword shares infrastructure and actors with an earlier iOS exploit kit called Coruna. However, DarkSword targets newer iOS versions (18.4+) compared to Coruna’s broader range, indicating attackers are actively evolving their toolkit to match Apple’s release schedule. This pattern suggests future exploits will likely target iOS 19 and beyond as soon as those versions reach sufficient market penetration.

Why 220 Million iPhones Are Vulnerable

The staggering vulnerability figure stems from iOS adoption gaps. Market share data shows approximately 14.2% of iPhone users remain on iOS 18.4 through 18.6.2, translating to roughly 221.5 million devices. Some estimates place the total at 15% of all iOS devices still running iOS 18 or earlier, potentially reaching 270 million. These gaps exist because not all users update immediately—some delay for stability, others lack reliable internet access, and some devices may be incompatible with newer versions.

Apple’s patching timeline adds another layer of risk. While iOS 26.3 patches all six vulnerabilities, users who haven’t updated remain exposed. The longer the gap between patch release and user adoption, the wider the window for active exploitation. Given that DarkSword has been active for months, it’s reasonable to assume attackers have already targeted hundreds of thousands of unpatched devices.

How to Stay Safe from the DarkSword iOS Exploit

The most direct defense is immediate action: update to iOS 26.3 or later. This single step closes all six attack vectors simultaneously. To update, go to Settings, select General, tap Software Update, and install the latest version. If your device shows it’s already on iOS 26.3 or higher, you’re protected.

Beyond patching, adopt defensive browsing habits. Avoid clicking links in unsolicited emails, text messages, or social media posts—watering hole attacks often begin with social engineering. If you receive a message claiming to be from Apple requesting urgent action, verify it directly through Apple’s official support channels rather than clicking embedded links. Enable two-factor authentication on critical accounts (email, banking, cryptocurrency exchanges) to limit damage if passwords are compromised.

Monitor your device for unusual behavior: unexpected battery drain, overheating, or apps crashing repeatedly can signal malware presence. While DarkSword’s in-memory implants are stealthy, prolonged exploitation may leave traces. If you suspect infection, back up your data through iCloud (not to the infected device), perform a factory reset, and restore from a clean backup or set up as new.

DarkSword vs. Coruna: What’s the Difference?

Both exploits originate from overlapping threat actor networks, but they target different iOS versions and use distinct delivery mechanisms. Coruna targets iOS 13 and later—a much broader range—while DarkSword focuses on iOS 18.4+, suggesting a deliberate shift toward newer devices. DarkSword’s code quality is sloppier, with less obfuscation and more debug artifacts, implying either rapid development or multiple actors repurposing the code. Coruna’s delivery was more sophisticated; DarkSword’s is careless enough that some versions target the wrong iOS builds entirely. This messiness doesn’t make DarkSword less dangerous—it simply means attackers prioritized speed over polish, possibly because iOS 18 adoption was accelerating.

Is my iPhone vulnerable to DarkSword?

Your iPhone is vulnerable only if it runs iOS 18.4 through 18.6.2 and you haven’t yet updated to iOS 26.3 or later. Check your iOS version in Settings > General > About. If you see iOS 26.3 or higher, you’re safe. If you see anything below 18.4 or above 18.7, you’re also safe (though older versions may have other vulnerabilities). Only the narrow range 18.4–18.6.2 is exploitable by DarkSword.
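For anyone checking more than one device, the version rule in this answer can be applied to an inventory export. This is an added example, not from the article or its source; the CSV layout, the device IDs and the `review` bucket (for 18.6.3 through 18.7.x, where the article gives two different upper bounds) are assumptions.

```python
import csv
import io

# Bounds taken from the article. Tuples compare numerically, which avoids
# the string-comparison trap where "18.10" sorts before "18.4".
VULN_MIN = (18, 4, 0)
VULN_MAX = (18, 6, 2)     # upper bound given in this FAQ answer
AMBIGUOUS_MAX = (18, 7)   # the introduction says "through 18.7"
PATCHED_MIN = (26, 3, 0)

# Constructed sample inventory (hypothetical device IDs).
SAMPLE_INVENTORY = """device_id,os_version
ph-001,18.4
ph-002,iOS 18.6.2
ph-003,18.7
ph-004,26.3.1
ph-005,17.7.2
ph-006,18.3.9
ph-007,
"""

def parse_version(text):
    """Turn '18.6.2' or 'iOS 18.5' into a 3-tuple of ints; None if unparseable."""
    token = text.strip().split()[-1] if text.strip() else ""
    parts = token.split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(text):
    """Map a reported OS version to a triage status for this advisory."""
    v = parse_version(text)
    if v is None:
        return "unknown"          # missing or malformed: check by hand
    if v >= PATCHED_MIN:
        return "patched"
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    if v > VULN_MAX and v[:2] <= AMBIGUOUS_MAX:
        return "review"           # article's two upper bounds disagree here
    return "not-affected"         # outside the range the article names

def triage(csv_text):
    """Group device IDs by status from a device_id,os_version CSV."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(devices)}")
```

Devices in the `not-affected` bucket are only outside the range this article names; as the answer notes, older versions may have other vulnerabilities.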

What data can DarkSword steal from my iPhone?

DarkSword’s in-memory implants are designed to exfiltrate passwords, cryptocurrency wallet credentials, text messages, and other sensitive data stored in RAM. The attack does not require user interaction beyond visiting a compromised website, making it particularly dangerous for users who browse untrusted sites or click suspicious links. Once the implant is deployed, attackers have kernel-level access and can theoretically monitor all activity on the device.

The DarkSword iOS exploit represents a troubling escalation in mobile attack sophistication. With 220 million devices potentially at risk and active exploitation confirmed across multiple countries, this is not a theoretical threat—it’s an immediate danger to any iPhone user on iOS 18.4–18.6.2. Apple has provided the fix. The only question is whether you’ll apply it today or wait until your device is already compromised. Update now, and don’t wait for a security incident to motivate action.

This article was written with AI assistance and editorially reviewed.

Source: Tom's Guide
