More than 220 million iPhones under attack from new DarkSword exploit — how to stay safe


Researchers have discovered a new iOS exploit, dubbed "DarkSword", that was used to steal saved passwords, data from cryptocurrency apps and more. Fortunately, you may be able to avoid it.

DarkSword targets iPhones that are running older versions of iOS, specifically iOS 18.4 through iOS 18.7. Apparently, it's been leaked to multiple malicious actors.


In total, DarkSword uses six vulnerabilities, tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. It's been actively used since November 2025 by multiple bad actors who deployed it as three separate malware "GHOST" families.

Ghostblade is a dataminer that stole a gamut of information, from crypto data to browser history, photos and emails. Ghostknife was used to get into signed-in accounts, messages and location history, while Ghostsaber was used to execute code and steal data.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says. “This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”


The attacks had a global impact, hitting iPhone owners in Saudi Arabia, Ukraine and Malaysia, according to the reports. The exploit was delivered through a sandbox exploit using compromised websites, though it's not clear how the sites themselves were compromised.

Based on this Stat Counter chart and statistics from Apptunix, it's estimated that around 220 million devices are impacted, or around 14% of all iOS users.

According to iVerify, all the flaws used in DarkSword have apparently been addressed by Apple in more recent iOS releases.

How to stay safe


Very simply, update your iPhone.

If your device is capable of running iOS 26.3.1 (the most recent iOS update), you should upgrade to that version. If not, see if you can at least update to iOS 18.7.6, which appears to be safe according to iVerify.

iVerify's research suggests that only iOS 18.7 and iOS 26.3 versions are safe, which means even earlier versions of iOS 26 might be exploitable.

For older iPhones that can run iOS 18 but not iOS 26, Apple could release fixes as it's done in the past, but it hasn't been confirmed if Apple will do so in this case.

In the meantime, turn on Lockdown Mode, which has existed since iOS 16 and is designed to give you more protection from advanced cyberattacks.

Unfortunately, there isn't an iOS equivalent of the best Android antivirus apps, but one of the best Mac antivirus software suites can scan an iPhone or iPad for spyware and other malware. Connecting your iPhone to a Mac allows Intego’s Mac antivirus to scan it for viruses.

We don't see iPhone exploits all that often, but when we do, they're usually quite complicated and leverage multiple vulnerabilities, like we saw here with DarkSword. Given how much valuable data is stored on the best iPhones, it won't be long until we see a similar exploit making the rounds online.


Scott Younker
West Coast Reporter

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.
