A newly uncovered Darksword iPhone spyware campaign was planted on dozens of websites in Ukraine in recent weeks, according to researchers who say the exploit could penetrate and steal information from potentially hundreds of millions of Apple devices running older software.
The finding is the second major discovery this month involving spyware aimed at iPhones and other Apple devices. Taken together, the two cases suggest that the market for advanced hacking tools built to steal data and cryptocurrency wallet information is growing.
Researchers from cyber firm Lookout, mobile security company iVerify, and Google published coordinated analyses of the malware, which they named “Darksword.” Earlier this month, Google and iVerify also disclosed a separate iPhone spyware tool called “Coruna.” Researchers said Darksword was hosted on the same servers.
What is the Darksword iPhone Spyware?
Google said it observed multiple commercial vendors and suspected state-linked hackers using Darksword in separate campaigns targeting people in Saudi Arabia, Turkey, Malaysia and Ukraine.
According to Lookout and iVerify, the malware was delivered to iPhone users running iOS versions 18.4 to 18.6.2 after they visited one of dozens of Ukrainian websites. Apple released those software versions between March and August 2025.
Researchers said it remains unclear how many iPhones are still vulnerable. However, iVerify and Lookout estimated that 220 million to 270 million iPhones continue to run exposed versions of iOS, based on public figures.
Security analysts said the discovery points to a wider and more active market for sophisticated iPhone exploits than previously understood. Justin Albrecht of Lookout said there is now a “verified pipeline” of recent exploits reaching potentially criminal groups with financial motives.
Google also said the Malaysia and Turkey campaigns were linked to Turkish commercial surveillance vendor PARS Defence. The company did not respond to a request for comment.
Researchers added that the exposure of both Darksword and Coruna in the same month suggests these tools are no longer limited to top-tier intelligence services. Instead, they may now be circulating more broadly among commercial and criminal actors.
Apple Says Vulnerabilities Have Been Fixed
Apple said the exploits targeted out-of-date software and that the underlying vulnerabilities have been addressed through multiple updates over several years for users running the latest operating systems.
The company also said malicious domains identified by Google are blocked by Apple Safe Browsing in Safari to reduce the risk of further exploitation. Apple stressed that keeping software up to date remains the most important step users can take to protect their devices.
Read: Apple and Google Issue New Spyware Warnings to Users Worldwide
Researchers said the campaign also stood out because of weak operational security. Rocky Cole, co-founder and COO of iVerify, said the attackers appeared unusually unconcerned about the tools being exposed, suggesting they place less value on secrecy than state-backed operators typically do.
Darksword was found on the same internet servers that suspected Russian operators of Coruna used, according to Lookout and iVerify. That link adds another layer of concern as investigators map out how these powerful exploits are being deployed.
