DarkSword iPhone Spyware Leaked on GitHub, Threatening Mass Exploitation of Hundreds of Millions of iOS 18 Devices
A leaked version of DarkSword, sophisticated iOS spyware previously reserved for nation-state actors, has appeared on GitHub, threatening to turn elite iPhone hacking into a tool accessible to cybercriminals worldwide.
The Threat
- Malware: DarkSword (iOS spyware)
- Platform: iOS 18 devices — potentially hundreds of millions at risk
- Previously: Used only by nation-state actors
- Now: Publicly available on GitHub
- Related: Coruna exploit kit also recently discovered
How It Works
- Zero-click exploitation: No user interaction required
- Targets: iOS 18 devices across the globe
- Known targeting: Ukraine, Saudi Arabia, Turkey, Malaysia (pre-leak)
- Post-leak: "Being used all around the world, including here in the United States"
Expert Reactions
Allan Liska (Recorded Future CISO): "Right now, iPhone exploitations are among the most expensive to research and implement. If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."
Rocky Cole (iVerify co-founder): "It's extremely alarming that this leaked out on GitHub. I would assume that it's being used all around the world."
Eva Galperin (EFF cybersecurity director): "People who have devices that are vulnerable should upgrade ASAP. It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale."
The Propagation Problem
Apple took the rare step of backporting security updates to older iOS versions in response to the related Coruna exploit kit. The fear: these exploits could be wormable — capable of spreading via text message to everyone in a phone's contact list.
Research Sources
Google, iVerify, and Lookout all published research on DarkSword. TechCrunch first reported the GitHub leak.