RESEARCHERS at Google have identified an iOS exploit chain, named DarkSword, that has been used since late last year by multiple actors to infect iPhones with malware in targeted attacks. DarkSword combines six vulnerabilities in iOS and Safari to deploy malware on the device and works on iPhones running iOS 18.4 through 18.7, with a drive-by infection simply by visiting a malicious or compromised website.
The campaigns have been observed in several countries, with DarkSword used by commercial spyware vendors and by state-backed actors, including in Saudi Arabia, Turkey, Malaysia, and Ukraine. In Ukraine, the payload is Ghostblade, a JavaScript-based data-stealer exfiltrating a wide range of data, including messages, contacts, and crypto exchange and wallet app information.
Apple has patched related vulnerabilities, including CVE-2026-20700, in recent iOS releases, and Malwarebytes advises updating to the latest iOS and, for high-value targets, enabling Lockdown Mode.