Researchers have discovered a new iOS exploit, dubbed "DarkSword", that was used to steal saved passwords, data from cryptocurrency apps and more. Fortunately, you may be able to avoid it.
DarkSword targets iPhones that are running older versions of iOS, specifically iOS 18.4 through iOS 18.7. Apparently, it's been leaked to multiple malicious actors.
The exploit was discovered by researchers at Lookout, a mobile security company, who were investigating a previous "Coruna" attack. Their findings were verified by a collaboration between Google's Threat Intelligence Group and iVerify, which created a more comprehensive analysis of this threat.
In total, DarkSword uses six vulnerabilities tracked as: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. It's been actively used since November 2025 by multiple bad actors who deployed it as as three separate malware "GHOST" families.
Ghostblade is a dataminer that stole a gamut of information from crypto data to browser history, photos and emails. Ghostknife was used to get into signed-in accounts, messages and location history. While Ghostsaber was used to execute code and steal data.
“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says. “This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”
This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules.
Lookout researchers
The attacks had a global impact hitting iPhone owners in Saudia Arabia, Ukraine and Malaysia according to the reports. The exploit was delivered through a Sandbox exploit using compromised websites, though it's not clear how the sites themselves were compromised.
Based on this Stat Counter chart and statistics from Apptunix, it's estimated that around 220 million devices are impacted, or around 14% of all iOS users.
According to iVerify, all the flaws used in DarkSword have apparently been addressed by Apple in more recent iOS releases. An Apple spokesperson confirmed this stating that Apple patched the underlying vulnerabilities in 2025 with a software update for older devices released in the last week.
How to stay safe
Very simply, update your iPhone.
If your device is capable of running iOS 26.3.1 (the most recent iOS update), you should upgrade to that version. If not, see if you can at least update to iOS 18.7.6, which appears to be safe according to iVerify.
iVerify's research suggests that only iOS 18.7 and iOS 26.3 versions are safe, which means even earlier versions of iOS 26 might be exploitable.
An Apple spokesperson reached out to clarify that the latest versions of iOS 15 through iOS 26 are safe. However, if you're still on iOS 13 or 14, you need to update to iOS 15 to receive protections. They added that iPhone 17 owners are safe thanks to the new Memory Integrity Enforcement feature, an always-on memory-safety protection that helps block spyware.
They also recommended a few safety tips, all things that we would recommend as well:
- Protect your device with a passcode
- Use two-factor authentication and a strong password for your Apple Account
- Only install apps from the App Store
- Use strong and unique passwords online
- Don't click on links or attachments from unknown senders
In the meantime, turn on Lockdown Mode, which has existed since iOS 16 and is designed to give you more protection from advanced cyberattacks.
Unfortunately, there isn't an iOS equivalent of the best Android antivirus apps, but one of the best Mac antivirus software suites can scan an iPhone or iPad for spyware and other malware. Connecting your iPhone to a Mac allows Intego’s Mac antivirus to scan it for viruses.
We don't see iPhone exploits all that often but when we do, they're usually quite complicated and leverage multiple vulnerabilities like we saw here with DarkSword. Given how much valuable data is stored on the best iPhones, it won't be long until we see a similar exploit making the rounds online.
