Researchers have discovered a new sophisticated spyware called “Darksword”, which can infect iPhones and steal sensitive data, including information from crypto wallets. This malware was recently distributed through dozens of sites in Ukraine, potentially affecting hundreds of millions of devices running outdated versions of iOS.
According to analyses by Lookout, iVerify and Google, Darksword is part of a broader wave of advanced attacks on Apple devices. Just a few weeks earlier, another spyware tool called “Coruna” was discovered, and both tools point to a growing market for commercial surveillance software that is no longer limited to state actors.
Darksword attacks old iOS versions
Researchers say the spyware was spread through infected websites and targeted iPhones running iOS versions 18.4 to 18.6.2, which were released during 2025. Estimates show that between 220 and 270 million iPhones are still running these versions of the system, making them potentially vulnerable.
Google has identified multiple campaigns in various countries, including Saudi Arabia, Turkey, Malaysia and Ukraine. Some of the operations are linked to the Turkish company PARS Defense, while the infrastructure partially matches the servers previously used for the Coruna spyware.
Apple has confirmed that the vulnerabilities used by Darksword have already been patched in newer versions of iOS and emphasized that the attacks target devices with outdated software. It has also been confirmed that Safari automatically blocks known malicious domains through Safe Browsing protection.
However, experts warn of a worrying trend: such tools are increasingly being used in mass attacks and not just in targeted operations. According to them, this indicates that sophisticated surveillance tools are becoming available to a wider range of actors, including criminal groups, Reuters reports.