A leaked version of the DarkSword iOS spyware kit appeared on GitHub, prompting cybersecurity researchers to warn that iPhone exploit tools once reserved for nation-states may now be accessible to any criminal actor.

What happened

Google published research on DarkSword, an iOS exploit kit discovered targeting devices in Ukraine, Saudi Arabia, Turkey, and Malaysia. Shortly after, a version of DarkSword appeared publicly on GitHub. The leak follows the earlier discovery of a similar exploit kit called Coruna, which iVerify and Google uncovered the week before.

DarkSword targets iPhones running iOS 18, a version still used by up to 25% of all iPhone users. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities DarkSword exploits to its list of flaws that federal agencies must patch. Apple has issued patches for the vulnerabilities and urged all users to update their devices immediately.

The backstory

Coruna, the earlier exploit kit, alarmed Apple enough that it took the step of backporting security updates to older iOS versions. The concern was that Coruna would be able to spread via text message to every contact on an infected device. DarkSword represents a continuation of the same trend, targeting relatively current iOS releases rather than only older ones.

Going deeper

The GitHub leak lowers the barrier to iPhone exploitation. Factors bearing on the risk include:

  1. DarkSword was originally used in targeted nation-state operations before the leak made it broadly accessible.
  2. AI tools make it easier for less sophisticated actors to customize and adapt leaked exploit code.
  3. A thriving resale market for exploits means capabilities that were once exclusive are now available for purchase.
  4. Apple has not released iOS 18-specific security updates comparable to the backports it issued for Coruna.
  5. Lockdown Mode and Memory Integrity Enforcement remain effective defenses.

What was said

iVerify co-founder Rocky Cole called the GitHub leak "extremely alarming," adding, "I would assume that it's being used all around the world, and including here in the United States."

Allan Liska, field CISO at Recorded Future, warned that the leak risks democratizing iPhone exploits: "Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states. If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, urged immediate action, stating, "People who have devices that are vulnerable should upgrade ASAP. It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale, which is unusual for Apple products."

Apple spokesperson Sarah O'Rourke noted that "keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products, and devices with updated software were not at risk from these reported attacks."

Why it matters

Many healthcare organizations rely on mobile devices for clinical communication, patient data access, and staff coordination. A healthcare employee's compromised iPhone can become an entry point into systems that hold protected health information. Unlike endpoint detection on managed desktops, mobile threats of this nature are harder to detect and often go unnoticed until damage is done.

The fact that up to 25% of iPhones haven't updated to the patched iOS version means a large installed base remains exposed right now. For covered entities and business associates, this is a prompt to revisit mobile device management policies and ensure staff devices are current.

The bottom line

Update iPhones to the latest iOS version immediately. Organizations managing fleets of mobile devices should audit update compliance and consider enabling Lockdown Mode for high-risk users. The lesson here is that mobile security can no longer be treated as secondary to desktop security.

FAQs

Does using a VPN protect my iPhone from DarkSword?

A VPN encrypts your internet traffic but does not protect against spyware exploits like DarkSword.

Are Android devices vulnerable to DarkSword?

DarkSword specifically targets iOS and does not affect Android devices, though Android has its own separate spyware threats.

Can Apple remotely patch my iPhone without me updating it?

Apple cannot push silent automatic updates to iPhones; users must actively install updates for patches to take effect.

Does Lockdown Mode affect normal iPhone usability?

Lockdown Mode restricts features like message attachments, web browsing capabilities, and FaceTime, making it better suited for high-risk users.