DarkSword is a newly discovered iPhone attack tool that can compromise a device merely through a website visit, scaling attacks from targeted operations to mass exposure affecting hundreds of millions of devices. It specifically targets iOS 18, which still accounts for close to 25% of iPhones, indicating a large vulnerable base. Unlike the rare exploits of the past, DarkSword has been deployed indiscriminately, infecting thousands of devices through compromised legitimate websites. Its code has been published in full with documentation, significantly lowering the barrier to reuse and raising the probability that more attackers will copy it.
The tool has been linked to Russian state-associated hackers and has been observed in use in at least three countries: Saudi Arabia, Turkey, and Malaysia. It appeared shortly after the exposure of another tool, Coruna, which targets iOS 13–17, indicating that high-end exploits are proliferating rapidly. DarkSword contains multiple exploit chains for different iOS 18 sub-versions, improving compatibility and coverage over earlier tools. Researchers attribute its spread to the exploit-broker market, in which tools are resold to multiple actors, so that use expands quickly from a single group to adoption by many groups.
Technically, DarkSword uses fileless techniques, extracting sensitive data within minutes while leaving almost no forensic traces, and the infection ceases after a device reboot. Targeted data includes messages, credentials, photos, health records, and cryptocurrency wallets, widening both the espionage and the financial attack surface. Although patches and protections such as Lockdown Mode exist, low adoption of the new system (iOS 26) keeps the risk alive. The combination of high reuse potential, roughly a quarter of devices exposed, and accelerating exploit commoditization marks a structural shift in the attack model from scarce and costly to scalable and repeatable.
DarkSword is a newly observed iPhone exploitation tool capable of compromising devices simply through website visits, scaling attacks from targeted operations to mass exposure affecting hundreds of millions of devices. It specifically targets iOS 18, which still accounts for close to 25% of iPhones, indicating a large vulnerable base. Unlike rare prior exploits, DarkSword has been deployed indiscriminately, infecting thousands via compromised legitimate websites. Its public exposure, including fully documented code left accessible, significantly lowers reuse barriers and increases replication probability across additional threat actors.
The tool has been linked to Russian state-associated hackers and has previously been observed in campaigns in at least three countries: Saudi Arabia, Turkey, and Malaysia. It emerged shortly after another toolkit, Coruna, which targets iOS 13–17, indicating rapid proliferation of high-end exploits. DarkSword contains multiple exploit chains tailored to different iOS 18 sub-versions, increasing compatibility and reach relative to earlier tools. Researchers attribute its spread to a brokered exploit market, where tools are resold across actors, amplifying distribution from single-group usage to multi-group adoption within a short timeframe.
Technically, DarkSword uses fileless techniques, extracting sensitive data within minutes and leaving minimal forensic traces, with infections ending after a device reboot. Data targeted includes messages, credentials, photos, health records, and cryptocurrency wallets, expanding both the espionage and the financial attack surface. Despite available patches and protections such as Lockdown Mode, slow adoption of newer systems (iOS 26) sustains exposure. The convergence of high reuse potential, roughly a quarter of devices still exposed, and rapid exploit commoditization signals a structural shift from scarce, high-cost attacks to scalable, repeatable intrusion models.
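The practical consequence for a defender is a fleet-inventory question: which managed iPhones are still on the iOS 18 line DarkSword targets (or the iOS 13–17 line Coruna targets), and what share of the fleet that is. The following is an added example, not code from the original article or from any named vendor or researcher; it assumes a simplified MDM export of (device id, reported iOS version string) pairs, which is a constructed sample rather than real data, treats every 18.x build as exposed because the text states that separate chains cover different iOS 18 sub-versions and names no safe minimum build, and treats any major version of 19 or above as outside both stated ranges.

```python
# Fleet triage for the iOS version ranges named in the article.
# Added example with a constructed inventory; not the article's own code.

# Constructed sample MDM export: (device id, iOS version string as reported by the device).
SAMPLE_INVENTORY = [
    ("dev-001", "18.3.1"),
    ("dev-002", "26.0"),
    ("dev-003", "18.6"),
    ("dev-004", "17.7.2"),
    ("dev-005", "26.1"),
    ("dev-006", "18.0"),
    ("dev-007", "bogus"),   # malformed entry, as real exports sometimes contain
    ("dev-008", "18.2"),
]

# Ranges taken from the text: DarkSword targets iOS 18, Coruna targets iOS 13-17.
DARKSWORD_MAJOR = 18
CORUNA_MAJORS = range(13, 18)


def parse_version(s):
    """Parse 'major.minor.patch' into a 3-tuple of ints; None if malformed."""
    parts = s.strip().split(".")
    try:
        nums = tuple(int(p) for p in parts)
    except ValueError:
        return None
    if not nums or len(nums) > 3:
        return None
    return nums + (0,) * (3 - len(nums))


def classify(version):
    """Map a parsed version to one of the exposure buckets used in the report.

    Assumption: every 18.x build counts as DarkSword-exposed (the article gives
    no patched minimum build), and major >= 19 is outside both stated ranges.
    """
    major = version[0]
    if major == DARKSWORD_MAJOR:
        return "darksword"
    if major in CORUNA_MAJORS:
        return "coruna"
    return "outside_stated_ranges"


def triage(inventory):
    """Bucket every device and compute the exposed share over parseable entries."""
    buckets = {"darksword": [], "coruna": [], "outside_stated_ranges": [], "unparsed": []}
    for device_id, version_str in inventory:
        version = parse_version(version_str)
        if version is None:
            buckets["unparsed"].append(device_id)   # needs manual follow-up, not silently ignored
            continue
        buckets[classify(version)].append(device_id)

    parseable = sum(len(buckets[k]) for k in ("darksword", "coruna", "outside_stated_ranges"))
    exposed = len(buckets["darksword"]) + len(buckets["coruna"])
    buckets["exposed_share"] = exposed / parseable if parseable else 0.0
    return buckets


def report(inventory):
    """Human-readable summary for a ticket or weekly posture review."""
    result = triage(inventory)
    lines = [
        f"DarkSword range (iOS 18.x): {len(result['darksword'])} device(s) {result['darksword']}",
        f"Coruna range (iOS 13-17):  {len(result['coruna'])} device(s) {result['coruna']}",
        f"Outside stated ranges:     {len(result['outside_stated_ranges'])} device(s)",
        f"Unparseable entries:       {len(result['unparsed'])} device(s) {result['unparsed']}",
        f"Exposed share of parseable fleet: {result['exposed_share']:.1%}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The exposed share is computed over parseable entries only, and unparseable rows are listed separately rather than dropped, so a broken export cannot quietly shrink the number that gets reported upward. Devices in the iOS 18 bucket are the ones where the update to a newer release (or Lockdown Mode where updating is delayed) matters most, per the article.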