Written By Deepti Ratnam
Published By: Deepti Ratnam | Published: Mar 19, 2026, 10:42 AM (IST)
DarkSword attack
Google Threat Intelligence Group (GTIG) has recently identified malware that is targeting iPhone users worldwide. Google calls this exploit chain DarkSword, a name based on toolmarks found in recovered payloads. Google has observed multiple commercial surveillance attacks since November 2025, and on that basis the tech giant is warning iOS users that this attack can steal data when a user merely visits a harmful website. DarkSword works silently and quickly, making it a serious concern.
As per GTIG, the attack method used by DarkSword is simple but dangerous. A user only has to open an infected website on their iPhone; once the page is loaded, the spyware starts collecting data from the device. What makes this more worrying is that it doesn't ask for permission or show any warning. This makes it hard for users to know that their phone is under attack.
This malware is linked to Ukraine, as researchers at Google and the security companies iVerify and Lookout found that these tools were actively used in Ukraine. The attack is linked to a group known as UNC6353, which used the spyware to break into devices. It collects personal data and then removes all traces of the attack. The main goal of this attack is quick data theft rather than long-term tracking.
As per reports from Google Threat Intelligence Group, this spyware uses multiple system flaws found in older iOS versions, and hence, devices running iOS 18.4 to 18.7 are mainly affected.
Google says that DarkSword can access sensitive data, including passwords, photos, and browser history. The malware can also collect messages from apps like WhatsApp and Telegram. In some cases, it can also steal cryptocurrency wallet details. This means the attack can be used for both spying and financial gain.
According to Google's official blog post, the spyware is similar to a known exploit kit called 'Corona Exploit Kit.' This toolkit is equipped with several exploit chains and vulnerabilities. Furthermore, some reports also indicate that these tools may have come from a leaked government framework.
This is one of the most advanced versions and uses hidden techniques that are not publicly known. These techniques are designed to bypass built-in security protections on iPhones.
DarkSword uses one of the most sophisticated ways to attack a device, called the fileless method. Under this method, attackers steal data without installing any software or files on your device. Rather than downloading malware onto your system, this method uses the existing tools and processes that are already present on your phone or computer. Once the data has been collected, the malware deletes its traces and exits. If you restart your phone, it becomes almost impossible to detect the attack.
The DarkSword attack mainly targets devices running older versions of iOS 18, so make sure you update your iPhone to the latest software. If you are unable to update your device, at least enable Lockdown Mode, which can improve security. It is also advisable to avoid opening unknown websites and to stay cautious while browsing.
Which is the recent malware detected by Google?
Google detected a tool that steals data from iPhones. It is called DarkSword.
How does DarkSword attack work?
It attacks when a user visits a harmful website.
Which method is used by DarkSword?
DarkSword uses a fileless method.
What data can DarkSword steal?
It can steal messages, photos, and financial details.
Which devices are at risk?
iPhones running older iOS versions are more at risk.