Advanced spyware code surfaces online
Cybersecurity researchers are warning of heightened risks to iPhone and iPad users after a newer version of the hacking tool DarkSword was leaked and uploaded to GitHub. The tool, previously linked to targeted attacks, can now be accessed and reused by virtually anyone with basic technical knowledge.
Security experts say the leaked files are simple HTML and JavaScript, making them easy to deploy. According to Matthias Frielingsdorf, co-founder of mobile security firm iVerify, the exploits “will work out of the box” and require no specialized iOS expertise. He cautioned that the situation is unlikely to be contained and that criminal groups could begin deploying the spyware quickly.
Older Apple devices most exposed
The leaked version of DarkSword is designed to exploit devices running iOS 18 and other outdated versions of Apple’s operating systems. Apple data indicates that roughly one-quarter of active devices have not yet updated to newer software. With more than 2.5 billion active Apple devices globally, that could leave hundreds of millions vulnerable.
A security researcher using the alias matteyeux reported successfully compromising an iPad mini running iOS 18 using a circulating DarkSword sample. Google researchers, who previously analyzed the exploit, agreed that the tool appears easy to repurpose.
What the spyware can do
Comments embedded in the leaked code describe how the exploit extracts sensitive data from devices and transmits it to attacker-controlled servers. The malware reportedly targets contacts, messages, call history and the iOS keychain, which stores passwords and Wi-Fi credentials.
Additional references in the code point to post-exploitation activity and the uploading of stolen data. Some files mention a Ukrainian apparel website, though the reason for that reference remains unclear. DarkSword has been associated with operations allegedly conducted by Russian state-linked hackers targeting Ukrainian individuals.
Apple issues security guidance
Apple confirmed it is aware of the exploit affecting devices running outdated software. Spokesperson Sarah O’Rourke said the company issued an emergency security update on March 11 for devices unable to install the latest iOS version. She emphasized that devices running updated software are not vulnerable to the reported attacks and noted that Lockdown Mode provides additional protection.
Microsoft, which owns GitHub, did not immediately comment on the presence of the code on its platform.
Broader spyware concerns
The emergence of the DarkSword leak follows the recent discovery of another sophisticated toolkit known as Coruna, reportedly developed by defense contractor L3Harris for government clients. Together, the incidents underscore growing concerns about the proliferation of advanced surveillance tools.
Security experts strongly advise users to update their devices immediately. Keeping operating systems current remains the most effective defense against known exploits, particularly when attack code is publicly accessible.
