Google and cybersecurity companies Lookout and iVerify have detailed a new hacking technique that potentially puts a significant portion of iPhone users in danger, just by visiting the wrong web page. The hack is called “DarkSword” and it currently targets iOS 18 releases between iOS 18.4 and iOS 18.6.2.
For its part, an Apple spokesperson told Engadget that the company had patched the underlying vulnerabilities in iOS versions 15 through 26 last year; the company also issued an emergency update for devices running iOS 15 and 16 that are unable to run newer versions of iOS. The company does note that users running iOS 13 or iOS 14 would need to update to at least iOS 15 to be protected; those operating systems were released in 2019 and 2020, respectively.
In response to this threat, Apple has also published details on what users can do to make sure they’re fully protected, which are essentially the same as what the company shared with Engadget. Even if you’re not running iOS 26, updates are and have been available to protect users from this particular threat. Apple also notes that the URLs detected and published in Google’s security blog are blocked by its Safe Browsing features in Safari.
DarkSword is a “fileless” hack that leverages a collection of exploits to access sensitive data when an iPhone visits an infected website. Rather than install spyware that hangs around on a user’s phone after messages and other private information are stolen, fileless hacks like DarkSword take control of “the legitimate processes in an iPhone’s operating system to steal data,” according to Wired. Even more troubling, DarkSword deletes any evidence it was running on an iPhone after it finishes stealing your information.
The hack starts as soon as an iOS device encounters an “malicious iframe embedded in a web page,” after which it works its way through your iPhone, gathering sensitive information like passwords before deleting itself. DarkSword can abscond with things like messages and iCloud content, but it’s also specifically designed to access crypto currency wallets, Lookout says, which could indicate who was using DarkSword before it became widely available.
DarkSword has reportedly been used in Ukraine, Saudi Arabia, Malaysia, Turkey and Russia, and its origins could be tied to a different hacking toolkit called Coruna that TechCrunch reports may have been created for the US government by a company called Trenchant. Regardless of where DarkSword came from, the tool didn’t become widely available until its Russian users left DarkSword’s source code on a website for anyone to access, “complete with explanatory comments in English that describe each component and include the ‘DarkSword’ name for the tool,” Wired writes.
Apple patched the exploits that DarkSword and Coruna used in recent updates to iOS 26, the yearly software release from 2025 that followed iOS 18. DarkSword currently targets iOS 18 releases between iOS 18.4 and iOS 18.6.2, and according to Apple’s latest iOS usage stats for developers, around 24 percent of iOS devices are still on some version of iOS 18.
However, Apple simultaneously released iOS 26 and iOS 18.7 on September 15, 2025. So even if people didn’t want to upgrade to iOS 26, Apple has released patches to mitigate the vulnerability. Apple’s stats indicate that about 24 percent of iPhone users are still on iOS 18, the actual number of potentially vulnerable phones is lower. Still, it’s a good reminder to stay on top of software updates if only for the security features if nothing else.
Update, March 19, 2026, 11:19AM ET: This story has been updated with details from Apple about what versions of iOS had been proactively patched to mitigate this vulnerability.
Update, March 19, 2026, 10:10AM ET: This story has been updated to note that while this vulnerability targets iOS 18, Apple released iOS 18 updates over the last six months that are secure against this attack.
