On March 18 researchers reported the discovery of a capable iPhone exploit that had been placed on dozens of websites in Ukraine in recent weeks. The malware, which those researchers have named "Darksword," can infiltrate Apple iPhones and siphon information, according to coordinated analyses published by multiple security teams.
Teams from the cyber firm Lookout, mobile security company iVerify and Alphabet's Google shared technical findings on the tool, saying it represents a powerful data-theft capability. The announcement follows a separate disclosure earlier in March of another potent iPhone spyware known as "Coruna." Researchers noted that both tools are part of a larger set of exploits now appearing beyond previously narrow, state-level usage.
According to iVerify and Lookout, Darksword was delivered to visitors of dozens of Ukrainian websites if those visitors were using iPhones running iOS versions 18.4 through 18.6.2. Those iOS releases were issued by Apple between March and August 2025, the researchers said.
The teams said it is unknown precisely how many iPhones remain vulnerable to Darksword. Apple has released multiple security fixes that address the bugs exploited by the attackers, but researchers noted that many users do not install updates promptly. Based on public estimates of device software distribution, iVerify and Lookout put the number of iPhones still running exposed iOS versions at roughly 220 million to 270 million.
Researchers also highlighted operational details of how these tools are being used. They reported that Darksword was hosted on the same servers where suspected operators of the earlier Coruna spyware had placed components, and they suggested the current deployment behavior differs from that seen in state-linked operations.
"There’s now a verified pipeline of recent exploits … that have ended up in the hands of potentially criminal entities with a financial focus," said Justin Albrecht, principal researcher with Lookout.
Rocky Cole, co-founder and COO of iVerify, said the pattern of use suggests a shift in who is deploying these capabilities. Cole noted that the vulnerabilities came to light due to what researchers described as sloppy operational security, a trait not commonly associated with state-sponsored iPhone hacking.
"The fact that they don’t care if it gets burned, and that they’re using them in mass attacks with poor (operational security), that says a lot about how much they value these tools," Cole said. "They’re not overly precious about them being exposed."
The researchers emphasized that finding two separate, powerful iOS exploits within the same month points to a robust ecosystem for sophisticated malware that can harvest sensitive data and cryptocurrency wallet information. They said the tools appear to be circulating among entities with financial motives.
Google did not share its findings prior to the coordinated release. Apple did not provide a response to inquiries about the incidents, the researchers said.
Implications for consumers and markets
For consumers, the discovery underscores a persistent risk for users who delay installing software updates. For companies in the mobile security and consumer device sectors, a rising market for sophisticated offensive tools could influence demand for protections and heighten scrutiny on device update practices. The broad potential reach of the exploit - encompassing iPhones running several recent iOS versions - raises questions about the scale of exposure for large user populations.