A newly identified spyware tool known as Darksword has been found targeting Apple iPhones, with researchers linking the activity to campaigns involving compromised websites in Ukraine. The exploit was discovered by cybersecurity firms Lookout and iVerify, along with researchers from Google, who said the tool is capable of extracting sensitive data from affected devices.
According to the analysis, the spyware was deployed through dozens of websites that had been injected with malicious code. Users visiting these sites with vulnerable iPhones could be infected without additional interaction. The activity focused on devices running iOS versions 18.4 to 18.6.2, which were released between March and August 2025.
Researchers said the exploit allows access to a wide range of information stored on devices, including messages, location data, and cryptocurrency wallet details. The tool operates by exploiting multiple vulnerabilities in the operating system, enabling attackers to retrieve data once access is established.
The campaign is not limited to Ukraine. Investigators reported that similar activity has been observed in other countries, including Saudi Arabia, Turkey, and Malaysia. Some cases have been associated with commercial surveillance vendors, while others are linked to suspected state-aligned actors.
Researchers also noted that the spyware was hosted on infrastructure previously used for another iPhone exploit known as Coruna, indicating overlap between different campaigns and tools. The findings point to continued use of advanced exploitation techniques across multiple threat groups.
Apple has released security updates addressing the vulnerabilities used by Darksword. However, researchers estimate that between 220 million and 270 million devices may remain exposed because users have not updated their software.
The investigation identified multiple active campaigns using the exploit, with attackers delivering the spyware through compromised web infrastructure. Researchers said the activity reflects ongoing use of browser-based attack methods targeting mobile devices.