Last week, cybersecurity researchers discovered a hacking campaign targeting iPhone users using an advanced hacking tool called DarkSword. Now, someone has leaked a new version of DarkSword and published it on the code-sharing site GitHub.
Researchers warn that this could allow hackers to easily use the tool to target iPhone users running older versions of the Apple operating system who have not yet updated to the latest iOS 26 software. According to Apple’s own data on older devices, this could affect hundreds of millions of iPhones and iPads in active use.
“This is bad. It’s too easy to reuse,” Matthias Frielingsdorf, co-founder of mobile security startup iVerify, told TechCrunch on Monday. “I don’t think this can be contained anymore. So we have to expect criminals and others to start deploying this.”
Frielingsdorf said these new versions of the DarkSword spyware share the same infrastructure as the ones he and his colleagues at iVerify previously analyzed, although the files are slightly different. He said the files uploaded to GitHub are simple, just HTML and JavaScript, so anyone can copy and paste them and host them on a server “in minutes to hours.”
“This exploit works out of the box,” Frielingsdorf said. “No iOS expertise required.”
Kimberly Samra, a spokeswoman for Google, which previously analyzed the DarkSword exploit, said Google researchers agree with Frielingsdorf’s assessment.
Want more information about DarkSword, Coruna, or other government hacking and spyware tools? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or by email.
A security enthusiast who goes by the handle matteyeux also told TechCrunch that it is indeed easy to use the leaked DarkSword samples. Matteyeux wrote in a post on X on Monday that he was able to hack an iPad mini tablet running iOS 18, a previous-generation operating system that is vulnerable to DarkSword, using “unreleased” DarkSword samples circulating online.
Apple spokesperson Sarah O’Rourke told TechCrunch that the company is aware of an exploit targeting devices running older operating systems and issued an emergency update on March 11 for devices that can’t run the latest version of iOS.
“Keeping your software up to date is the most important thing you can do to keep your Apple products secure,” O’Rourke said, adding that devices with updated software are not at risk from these reported attacks and that Lockdown Mode also blocks these specific attacks.
A spokesperson for Microsoft, which owns GitHub, did not respond to a request for comment.
The code, which TechCrunch is not linking to because it could be used in an active attack, contains some comments explaining how the exploit works and how to implement it.
One comment, apparently written by one of the developers who worked on DarkSword, says the exploit “reads and extracts forensic-related files from an iOS device over HTTP,” referring to stealing information from an individual’s iPhone or iPad and sending that data over the Internet to an attacker-controlled server.
The comment says, “This payload must be injected into a process that has a filesystem access class.”
In one case, the code refers to “post-exploitation activity,” describing the process after the malware gains access to a person’s phone: it retrieves content such as contacts, messages, call history and the iOS keychain, which stores Wi-Fi passwords and other secrets, and dumps it to a remote server.
Another file contains a reference to uploading data to a popular Ukrainian clothing website, but TechCrunch could not immediately determine why. DarkSword was allegedly used by Russian government hackers to target Ukraine.
According to iVerify, Google, and Lookout, which previously analyzed the DarkSword malware, this particular spyware works specifically against iPhones and iPads running iOS 18.
According to Apple’s own numbers, about a quarter of iPhone and iPad users still run iOS 18 or earlier on their devices. With over 2.5 billion active devices, this translates to potentially hundreds of millions of people’s devices being vulnerable to DarkSword attacks.
That’s why Frielingsdorf recommends everyone upgrade their iPhone’s operating system.
The discovery of DarkSword comes just weeks after researchers discovered another advanced iPhone hacking toolkit known as Coruna. As TechCrunch reported, Coruna was originally developed by defense contractor L3Harris. L3Harris’ Trenchant division produces hacking tools for the U.S. government and its allies.
