iPhone Spyware 'Darksword' Found On Ukrainian Websites, Putting Millions Of Devices At Risk

 

Cybersecurity researchers have discovered a sophisticated spyware tool named Darksword targeting Apple iPhones, which was found hosted on dozens of websites in Ukraine. The new spyware tool is capable of stealing personal data and cryptocurrency wallet information from potentially hundreds of millions of devices that still run older versions of iOS. The findings were published in coordinated analyses by cybersecurity firms Lookout and iVerify, alongside Alphabet's Google.

 

The discovery marks the second such iPhone spyware uncovered this month, following the disclosure of a separate tool called "Coruna" on March 3, 2026, where researchers confirmed that Darksword malware was also found hosted on the same servers.

 

Google said its researchers observed multiple commercial vendors and suspected state-linked hackers deploying Darksword in distinct campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Campaigns in Malaysia and Turkey were linked to Turkish commercial surveillance vendor PARS Defence.

According to iVerify and Lookout, the malware affected those iPhone users who ran their devices on iOS versions 18.4 to 18.6.2. It was delivered to them via malware-affected Ukrainian websites.

Although the precise number of vulnerable devices remains unclear, researchers estimate that between 220 million and 270 million iPhones globally are still running exposed iOS versions, based on public estimates.

An Apple spokesperson said the exploits targeted out-of-date software and that the underlying vulnerabilities have been addressed across multiple updates over recent years. The company added that all malicious domains identified by Google have been blocked via Apple Safe Browsing in Safari. The spokesperson emphasised that keeping software updated remains the most effective measure users can take to protect their devices.

 

Researchers said the emergence of two powerful iOS exploits within a single month points to a rapidly expanding market for sophisticated mobile malware — tools that were once largely confined to state-level intelligence operations. Justin Albrecht, principal researcher at Lookout, noted that verified exploits appear to be reaching potentially criminal entities with a financial focus. Researchers also flagged unusually poor operational security in the attacks, suggesting the operators were unconcerned about the tools being exposed.