Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/ DarkSword Exploit Threatens iPhones Still Running iOS 18 Adam Engst Security researchers at [1]Google, [2]iVerify, and [3]Lookout have jointly revealed the discovery of a sophisticated iPhone hacking toolkit called DarkSword, which multiple threat actors are using to compromise devices running iOS 18. Unlike highly targeted spyware attacks of the past, DarkSword has been deployed via compromised legitimate websites, raising the risk that everyday iPhone users could fall victim. The proliferation of DarkSword suggests a market where exploit brokers sell such tools to multiple buyers. Even worse, the Russian hackers left the complete, unobfuscated DarkSword code'including helpful comments explaining each component'available on the compromised sites, where it could have been copied and reused. What Is DarkSword? DarkSword is a full exploit chain'a sequence of vulnerabilities chained together to bypass iOS's multiple security layers'built entirely in JavaScript that can silently compromise an iPhone when a user simply visits an infected website using Safari. No additional clicks, downloads, or interaction beyond visiting the page are required. The attack works against iOS versions 18.4 through 18.6.2, with some variants also targeting iOS 18.7. Once a device is compromised, researchers say DarkSword can rapidly harvest alarming amounts of data, including: * Passwords stored in the keychain * iMessage, WhatsApp, and Telegram message histories * Photos and screenshots * Call logs and contacts * Safari browsing history and cookies * Calendar and Notes data * Location history * Health app data * Cryptocurrency wallet credentials Rather than installing persistent spyware, DarkSword takes a smash-and-grab approach: it collects and exfiltrates data quickly, then disengages. Researchers say the DarkSword chain lacks a persistence mechanism, but by that point, the data may already have been stolen. Who's at Risk from DarkSword? Not you, if you've installed iOS updates as they've been made available. Apple addressed the vulnerabilities that DarkSword exploits starting in the iOS 18.7.2 and 18.7.3 security updates late last year. What about iOS 26? Researchers say they have no evidence that DarkSword has been used against iOS 26 devices, but they note that some of the underlying vulnerabilities were not fully patched until iOS 26.3. None of the security reports even mentions the iPad, but the vulnerabilities are almost certainly the same. To see what version of iOS you're running, navigate to Settings > General > About and look next to iOS Version. If it's between'or includes'iOS 18.4 and iOS 18.7.2, your device is vulnerable to DarkSword. If you're running iOS 18.7.3 or later, you're fine. According to Apple's [4]App Store adoption rate numbers, 24% of all iPhones are still running iOS 18 today, though they don't break out iOS 18 sub-versions. Although that could amount to hundreds of millions of iPhones, it seems likely that many fewer people stopped updating during the vulnerable window. Regardless of the overall population, all that really matters is the version you and the people you support are using. Check now, I'll wait. Two Ways to Deflect DarkSword Attacks Despite the sophistication of the DarkSword exploit chain, protecting vulnerable devices from it is simple. You have two choices: * Update: Every iPhone running a vulnerable version of iOS 18 has an update path, either to iOS 18.7.6 (the iPhone XR, XS, and XS Max) or to iOS 26.3.1 (everything else). The problem is that many people have stuck with iOS 18 to avoid iOS 26's Liquid Glass. If your iPhone supports iOS 26, there is no longer any way to update to a version of iOS 18 later than iOS 18.7.3, and even that version may be available only to people who registered for the iOS 18 Public Beta or Developer Beta. * Enable Lockdown Mode: If you absolutely must stay on a vulnerable version of iOS 18, Apple says that Lockdown Mode will also block these attacks. It's easily enabled from Settings > Privacy & Security > Lockdown Mode > Turn On Lockdown Mode. Unfortunately, Lockdown Mode will [5]degrade your iPhone experience in various ways: it blocks most message attachment types, disables certain Web technologies, and limits incoming FaceTime calls, among other restrictions. As much as I appreciate the trepidation many people have about Liquid Glass on the iPhone, much of the negative press'including mine'is aimed at pushing Apple to address relatively subtle problems. I've been using Liquid Glass on my iPhone since the iOS 26 betas, and while I prefer the iOS 18 interface, Liquid Glass hasn't prevented me from doing anything or slowed me down much, especially after changing a few key settings (see '[6]How to Turn Liquid Glass into a Solid Interface,' 9 October 2025). Sure, I'd prefer a traditional Done button to Liquid Glass's inscrutable blue checkmark, but iOS 26 also offers legitimate improvements that make life easier, such as how the Phone app's new Unified view prevents accidental calls (see '[7]Comparing the Classic and Unified Views in iOS 26's Phone App,' 10 November 2025). If you're concerned about DarkSword, upgrading to iOS 26 is a better option than living in Lockdown Mode in iOS 18. The Increasing Importance of Installing Updates The appearance of two sophisticated iOS exploit chains'DarkSword and Coruna (see '[8]Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits,' 13 March 2026)'within weeks of each other signals a troubling shift. We have long thought of exploits like these as rare tools used only for highly targeted attacks against specific individuals, but they're now being deployed more broadly against anyone who visits a compromised website. As Lookout's [9]Justin Albrecht told Wired: 'People assumed that it was just going to be journalists or activists or maybe an opposition politician that was targeted, and that this wasn't a concern for a normal citizen. Now that we see iOS exploits being delivered through an unscrupulous broker, there's a whole market here for this to get to cybercriminals.' Of course, the proliferation of these tools doesn't mean everyone will suddenly suffer data theft. DarkSword has to be installed on a website you visit, which means attackers have to compromise a site no one would expect to host malware. That's not going to happen regularly or broadly, and Google has added known DarkSword delivery domains to Safe Browsing, so Safari may warn users before they visit compromised sites. But the mere fact that such compromises do happen'remember the 2016 [10]malvertising campaign that impacted high-profile sites like The New York Times?'means you need to take responsibility for your own protection. So please'install those security updates when we write about them. References 1. https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain 2. https://iverify.io/blog/darksword-ios-exploit-kit-explained 3. https://www.lookout.com/threat-intelligence/article/darksword 4. https://developer.apple.com/support/app-store/ 5. https://support.apple.com/en-us/105120 6. https://tidbits.com/2025/10/09/how-to-turn-liquid-glass-into-a-solid-interface/ 7. https://tidbits.com/2025/11/10/comparing-the-classic-and-unified-views-in-ios-26s-phone-app/ 8. https://tidbits.com/2026/03/13/older-iphones-and-ipads-receive-critical-security-updates-for-coruna-exploits/ 9. https://www.wired.com/story/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild/ 10. https://www.malwarebytes.com/blog/news/2016/03/large-angler-malvertising-campaign-hits-top-publishers .