DarkSword - Targets iPhones running iOS versions between iOS 18.4 and 18.7

A new vulnerability labelled DarkSword has been exploited on iOS (iPhone) devices running versions 18.4 to 18.7. Please check which software version your iPhone is currently running and install any available updates immediately.

DarkSword is a full-chain iOS exploit that leverages six vulnerabilities in iOS versions 18.4 through 18.7 to achieve complete device compromise within seconds. Once triggered, often by simply loading a compromised webpage, it can extract sensitive information including messages, photos, passwords, browser history, cloud files, and cryptocurrency wallet data. The exploit operates using a “hit-and-run” model, exfiltrating data rapidly and erasing forensic traces. It runs in the background, requires no interaction, shows no notification, and is often undetectable. See the attached bulletin released by An Garda Síochána yesterday.

Required Actions (Mitigations)

To protect yourself and the company, please follow these steps immediately:

1. Update Your iPhone

Apple has patched all DarkSword-related vulnerabilities in iOS 26.3 and earlier incremental updates.
Action: Go to Settings → General → Software Update and install the latest version.

2. Enable Lockdown Mode (please read about this feature at the link below before enabling it)

For staff handling extremely sensitive data, Lockdown Mode provides additional safeguards against exploit chains like DarkSword.
Action: Settings → Privacy & Security → Lockdown Mode
About Lockdown Mode - Apple Support (IE)

3. Avoid Using Outdated or Jailbroken Devices

Devices that cannot be updated are considered high‑risk.
Please contact IT if you need a replacement device or if you need assistance freeing up space on your iPhone.

4. Stay Alert for Suspicious Links or Unexpected Websites

Although DarkSword requires no user interaction, avoiding unknown or unsolicited links significantly reduces exposure.

5. Report Any Signs of Device Compromise

If your device behaves abnormally (unexpected crashes, unusual battery drain, suspicious redirects), please contact the IT team immediately.

Below are some details of the DarkSword exploit:

DarkSword is a newly uncovered and highly sophisticated mobile security threat. Multiple cybersecurity research teams—including Google’s Threat Intelligence Group (GTIG), Lookout, and iVerify—have issued coordinated warnings about this exploit chain and its widespread use in global cyber‑espionage campaigns. 

Who is affected?

DarkSword has been used by multiple threat actors, including commercial surveillance vendors and suspected state-linked groups, targeting regions such as Saudi Arabia, Turkey, Malaysia, and Ukraine. Because the infections are widespread, often delivered via compromised legitimate websites, any employee using an older version of iOS could be at risk.

How the attack works

  • Delivered through compromised websites, often invisible to the user

  • Requires no download, no tap, and no interaction ("drive‑by" exploitation)

  • Bypasses browser sandboxing and escalates privileges to gain full device access

  • Exfiltrates data including credentials, communications (messages, email, Telegram, WhatsApp), location, and files

  • Deletes traces of the attack immediately after execution

Risks to the Company

Compromised personal or corporate iPhones may lead to:

  • Exposure of corporate credentials

  • Leakage of sensitive communications

  • Unauthorised access to internal systems

  • Potential lateral movement into company networks

  • Compromise of MFA-protected systems via stolen tokens or app data
