New iPhone spyware raises concerns over large‑scale attacks

  • Researchers identified a new iPhone spyware strain called Darksword affecting users on outdated iOS versions.
  • The malware appears in multiple international hacking campaigns linked to commercial vendors and suspected state actors.
  • Apple says the vulnerabilities have been patched, but millions of devices remain exposed due to slow update adoption.

A growing wave of iPhone‑targeting spyware

Cybersecurity researchers have identified a sophisticated spyware tool capable of compromising potentially hundreds of millions of iPhones. The malware, named Darksword, was discovered on dozens of Ukrainian websites in recent weeks. Analysts from Lookout, iVerify and Google published coordinated reports describing how the exploit operates and who may be using it. Their findings mark the second major iOS spyware discovery this month, following a separate tool called Coruna.

The presence of two unrelated high‑end exploits in such a short period suggests a rapidly expanding market for advanced iPhone malware. Researchers say these tools are capable of stealing sensitive data, including cryptocurrency wallet information. Darksword and Coruna were found hosted on the same servers, indicating possible overlap in operators or infrastructure. The scale and sophistication of these tools raise concerns about how widely such exploits may be circulating.

Justin Albrecht, a principal researcher at Lookout, said the findings point to a “verified pipeline” of recent iPhone exploits reaching financially motivated criminal groups. He noted that the availability of such tools outside traditional state‑level intelligence operations represents a significant shift. The discovery also highlights how commercial surveillance vendors continue to play a role in distributing advanced spyware. These developments underscore the evolving threat landscape for mobile devices.

Researchers say Darksword exploits flaws in older versions of iOS. Apple has patched the underlying issues in more recent updates. However, many users continue to run outdated software, leaving them exposed to attacks. This gap between patch availability and user adoption remains a persistent challenge for mobile security.

How Darksword spreads and who is using it

Google’s threat analysis team reported that Darksword has been used in multiple hacking campaigns across several countries. The targets include individuals in Saudi Arabia, Turkey, Malaysia and Ukraine. Some of the activity in Malaysia and Turkey was linked to PARS Defense, a Turkish commercial surveillance vendor. Google also observed suspected state‑linked actors deploying the malware in separate campaigns.

The spyware was delivered to iPhone users running iOS versions 18.4 through 18.6.2. These versions were released between March and August 2025, meaning the vulnerabilities have existed for more than a year. Researchers found that simply visiting one of the compromised Ukrainian websites could trigger the exploit. This type of “drive‑by” attack requires no user interaction, making it particularly dangerous.

It remains unclear how many devices are vulnerable, but estimates suggest between 220 million and 270 million iPhones still run affected iOS versions. These figures are based on public data and analysis by iVerify and Lookout. Google did not release its own estimates ahead of the coordinated report. The large number of unpatched devices highlights the ongoing risks associated with delayed software updates.

Apple responded by emphasizing that the exploits target outdated software and that the vulnerabilities have been addressed in multiple updates. The company noted that Apple Safe Browsing now blocks all malicious domains associated with the Darksword campaigns in Safari. Apple reiterated that keeping devices up to date is the most effective way to maintain security. Despite these measures, the widespread use of older iOS versions leaves many users at risk.

A shifting ecosystem of iPhone exploitation

The discovery of Darksword and Coruna within the same month suggests a broader trend in the iOS exploit market. Historically, high‑end iPhone hacking tools were primarily developed and used by state intelligence agencies. Recent findings indicate that such capabilities are increasingly accessible to commercial vendors and criminal groups. This shift may lead to more frequent and widespread attacks targeting everyday users.

Researchers noted that the operators behind Darksword made several operational security mistakes. These errors allowed analysts to trace the malware back to servers associated with suspected Russian operators involved in the Coruna campaign. Such lapses are uncommon in state‑linked operations, which typically prioritize stealth. The willingness to deploy these tools in mass attacks suggests that the operators may not be concerned about losing access to the exploits.

Rocky Cole, co‑founder of iVerify, said the lack of caution indicates how cheaply some groups value these tools. He noted that the operators appear unconcerned about the exploits being exposed or “burned.” This attitude contrasts sharply with traditional espionage operations, where maintaining secrecy is critical. The shift may reflect a growing commercial market where exploits are treated as disposable assets.

The increasing availability of powerful iPhone spyware raises questions about how the security community and platform providers will respond. Apple continues to patch vulnerabilities, but the slow adoption of updates remains a major obstacle. Researchers say that better user education and more aggressive update policies could help reduce exposure. The situation also highlights the need for continued monitoring of commercial surveillance vendors.

English summary

Commercial surveillance vendors have become a major source of advanced mobile spyware in recent years. Several governments have begun regulating or banning such companies, but many continue to operate internationally. The rise of tools like Darksword and Coruna suggests that the commercial market for iPhone exploits is now rivaling traditional state‑level capabilities, creating new challenges for global cybersecurity.
